
AnyConnect VPN Client: Posture Assessment Failed: Hostscan Prelogin Error.

Unanswered Question
Dec 16th, 2011

Hello all,


does anybody know why this error could happen?

anycon.jpg

We use standard XP SP3 IE8 clients, with the same hardware and software deployment.

But 1 of 7 clients gets this uncorrectable error.

I compared a working client with a non-working one in filesystem and registry but found no differences.

Can anybody help?

Regards, Felix

felix.richter Fri, 12/16/2011 - 06:34

By the way: We are using version 2.5.0217, and upgrading to the newest version never resolved the problem. It only changed the error message:

"Anyconnect was not able to establish a connection to the specified secure gateway. Please try connecting again."

The only thing that helped to work around this error was a complete reinstallation of the operating system.

Cleanly uninstalling AnyConnect didn't change anything.

felix.richter Mon, 12/19/2011 - 02:49

Here is an excerpt from the DART-generated log file from one of the defective clients:


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Function: ConnectIfc::getDownloader
File: .\ConnectIfc.cpp
Line: 1215
Downloader downloaded


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Function: ConnectMgr::launchRemoteDownloader
File: .\ConnectMgr.cpp
Line: 6424
Successfully downloaded the downloader.


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Warning
Source      : acvpnui

Description : Function: ConnectMgr::launchRemoteDownloader
File: .\ConnectMgr.cpp
Line: 6476
Launching Remote Downloader:
path: 'C:\DOCUME~1\\LOCALS~1\Temp\48.tmp\vpndownloader.exe'
cmd:  '"-ipc gc"'


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Error
Source      : acvpnui

Description : Function: CVerifyFileSignatureWindows::CheckFileSignature
File: .\VerifyFileSignatureWindows.cpp
Line: 182
Invoked Function: WinVerifyTrustEx
Return Code: -2146762486 (0x800B010A)
Description: Bei der Zertifikatsverkettung ist ein interner Fehler aufgetreten.



******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Error
Source      : acvpnui

Description : Function: CProcessApi::Launch
File: .\IPC\ProcessAPI.cpp
Line: 340
Invoked Function: VerifyFileSignature IsValid
Return Code: -31326175 (0xFE220021)
Description: CERTIFICATE_ERROR_UNKNOWN


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Error
Source      : acvpnui

Description : Function: ConnectMgr::launchRemoteDownloader
File: .\ConnectMgr.cpp
Line: 6492
Invoked Function: CProcessApi::Launch
Return Code: -31326175 (0xFE220021)
Description: CERTIFICATE_ERROR_UNKNOWN
Failed to launch the downloader.


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Loading preferences for the current user from profile Profile.xml


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Function: ProfileMgr::getHostInitSettings
File: .\ProfileMgr.cpp
Line: 876
Profile (C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Profile.xml) not found. Using default settings.


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: User
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: DisconnectOnSuspend
UseStartBeforeLogon: false
AutoUpdate: true
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: true
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true


******************************************

Date        : 08/04/2011
Time        : 10:26:20
Type        : Information
Source      : acvpnui

Description : Message type error sent to the user:
AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.


******************************************

Date        : 08/04/2011
Time        : 10:26:25
Type        : Information
Source      : acvpnui

Description : Message type information sent to the user:
Connection attempt has failed.


******************************************

Date        : 08/04/2011
Time        : 10:26:25
Type        : Error
Source      : acvpnui

Description : Function: ConnectMgr::processIfcData
File: .\ConnectMgr.cpp
Line: 2633
Invoked Function: ConnectMgr::initiateTunnel
Return Code: -31326175 (0xFE220021)
Description: CERTIFICATE_ERROR_UNKNOWN


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Error
Source      : acvpnui

Description : Function: CTransportWinInet::SendRequest
File: .\CTransportWinInet.cpp
Line: 1002
Invoked Function: HttpSendRequest
Return Code: 12044 (0x00002F0C)
Description: A certificate is required to complete client authentication



******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Information
Source      : acvpnui

Description : Function: ProfileMgr::getHostInitSettings
File: .\ProfileMgr.cpp
Line: 876
Profile (C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Profile.xml) not found. Using default settings.


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Error
Source      : acvpnui

Description : Function: CTransportWinInet::SendRequest
File: .\CTransportWinInet.cpp
Line: 1351
Invoked Function: CTransportWinInet::setResponseHeaders
Return Code: -29949902 (0xFE370032)
Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400)
HTTP status code received 405


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Error
Source      : acvpnui

Description : Function: ConnectIfc::sendRequest
File: .\ConnectIfc.cpp
Line: 3008
Invoked Function: CTransport::SendRequest
Return Code: -29949902 (0xFE370032)
Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400)


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Error
Source      : acvpnui

Description : Function: ConnectMgr::sendResponse
File: .\ConnectMgr.cpp
Line: 4496
ConnectMgr::processIfcData failed


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Information
Source      : acvpnui

Description : VPN state: Disconnected
Network state: Network Accessible
Network control state: Network Access: Available
Network type: Undefined


******************************************

Date        : 08/04/2011
Time        : 10:26:26
Type        : Information
Source      : acvpnui

Description : Function: ConnectMgr::setConnectRequestComplete
File: .\ConnectMgr.cpp
Line: 8200
Connect request complete. Proceeding to cleanup.


******************************************

felix.richter Tue, 12/20/2011 - 01:31

Here is another excerpt, from a working client.

What caught my eye: no certificate errors...


Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : Function: IEGetProxySettingsFromConn
File: .\Proxy\BrowserProxyIE.cpp
Line: 1011
Not IE8. Retrying with original IE options


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : MSIE Connections Control Tab has been locked down.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : VPN Connection proxy settings have been applied to the Internet browser.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : The VPN connection has been established and can now pass data.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnui

Description : Message type information sent to the user:
Establishing VPN...


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : The Primary DTLS connection to the secure gateway is being established.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : Function: CDtlsTunnelTransport::initiateTransport
File: .\DtlsTunnelTransport.cpp
Line: 223
Opened DTLS socket from 10.99.1.23:1367 to 153.96.3.140:443


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnui

Description : VPN state: Connected
Network state: Network Accessible
Network control state: Network Access: Restricted
Network type: Undefined


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpndownloader

Description : Cisco AnyConnect Secure Mobility Client Downloader exiting, version 3.0.2052 , return code 0 [0x00000000]


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnui

Description : Message type information sent to the user:
Connected to remote.access.device.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Warning
Source      : acvpnui

Description : Function: ProfileMgr::getProfileNameFromHost
File: .\ProfileMgr.cpp
Line: 796
No profile available for host remote.access.device.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnui

Description : Function: ProfileMgr::getHostInitSettings
File: .\ProfileMgr.cpp
Line: 876
Profile () not found. Using default settings.


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : A DTLS connection has been established using cipher AES128-SHA


******************************************

Date        : 08/05/2011
Time        : 08:08:19
Type        : Information
Source      : acvpnagent

Description : The Primary DTLS connection to the secure gateway has been established.


******************************************

Date        : 08/05/2011
Time        : 08:08:20
Type        : Information
Source      : acvpnui

Description : Function: ConnectMgr::launchCachedDownloader
File: .\ConnectMgr.cpp
Line: 6282
Invoked Function: ConnectMgr :: launchCachedDownloader
Return Code: 0 (0x00000000)
Description: Cached Downloader terminated normally


******************************************

Date        : 08/05/2011
Time        : 08:08:20
Type        : Information
Source      : acvpnui

Description : Function: ProfileMgr::loadProfiles
File: .\ProfileMgr.cpp
Line: 148
Loaded profiles:
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\Profile.xml


******************************************

Date        : 08/05/2011
Time        : 08:08:20
Type        : Information
Source      : acvpnui

Description : Loading preferences for the current user from profile Profile.xml


******************************************

Date        : 08/05/2011
Time        : 08:08:20
Type        : Information
Source      : acvpnui

Description : Current Preference Settings:
ServiceDisable: false
CertificateStoreOverride: false
CertificateStore: User
ShowPreConnectMessage: false
AutoConnectOnStart: false
MinimizeOnConnect: true
LocalLanAccess: false
AutoReconnect: true
AutoReconnectBehavior: ReconnectAfterResume
UseStartBeforeLogon: false
AutoUpdate: false
RSASecurIDIntegration: Automatic
WindowsLogonEnforcement: SingleLocalLogon
WindowsVPNEstablishment: LocalUsersOnly
ProxySettings: Native
AllowLocalProxyConnections: true
PPPExclusion: Disable
PPPExclusionServerIP:
AutomaticVPNPolicy: false
TrustedNetworkPolicy: Disconnect
UntrustedNetworkPolicy: Connect
TrustedDNSDomains:
TrustedDNSServers:
AlwaysOn: false
ConnectFailurePolicy: Closed
AllowCaptivePortalRemediation: false
CaptivePortalRemediationTimeout: 5
ApplyLastVPNLocalResourceRules: false
AllowVPNDisconnect: true
EnableScripting: false
TerminateScriptOnNextEvent: false
EnablePostSBLOnConnectScript: true
AutomaticCertSelection: false
RetainVpnOnLogoff: false
UserEnforcement: SameUserOnly
EnableAutomaticServerSelection: false
AutoServerSelectionImprovement: 20
AutoServerSelectionSuspendTime: 4
AuthenticationTimeout: 12
SafeWordSofTokenIntegration: false
AllowIPsecOverSSL: false
ClearSmartcardPin: true

felix.richter Mon, 01/02/2012 - 22:42

Does nobody have a clue?


The course of action is as follows:


Contacting Gateway

Posture Assessment: Checking for updates... (2 sec)

Posture Assessment: Initiating... (2sec)

Posture Assessment: Updating...(1sec)

Posture Assessment: Initiating... (3sec)

Posture Assessment Failed: Hostscan Prelogin error.

felix.richter Tue, 01/03/2012 - 05:24

I got the solution.


Researching on the problem brought me to this file

"C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Cisco\Cisco HostScan\log\libcsd.log"

There was a section which took me aback:


[Mo Dez 19 19:32:49.953 2011][libcsd][debug][hs_file_verify_trust] verifying file trust (C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Cisco\Cisco HostScan\bin\cscan.exe)

[Mo Dez 19 19:32:49.953 2011][libcsd][debug][hs_dl_load] path not absolute, file signature not checked (Wintrust.dll)

[Mo Dez 19 19:32:49.953 2011][libcsd][debug][hs_dl_load] attempting to load library (Wintrust.dll)

[Mo Dez 19 19:32:49.953 2011][libcsd][debug][hs_dl_load] library (Wintrust.dll) loaded

[Mo Dez 19 19:32:49.953 2011][libcsd][warn][hs_file_verify_trust] unable to verify trust for C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Cisco\Cisco HostScan\bin\cscan.exe: 2148204810

[Mo Dez 19 19:32:49.953 2011][libcsd][error][launch_scanner] invalid file signature on scanner.

[Mo Dez 19 19:32:49.953 2011][libcsd][error][csd_prelogin] unable to launch scanner.

[Mo Dez 19 19:32:56.171 2011][libcsd][debug][csd_free] csd_free()


So it has some problems executing cscan.exe.

In the file properties of cscan.exe you can check "digital signature", which cannot be verified in this case.

So I took a look at the certificates console and: yes, the VeriSign root certificate was missing.

After exporting the certificate from a working client and importing it to the defective clients, AnyConnect works like it should.


If somebody knows how some trusted root certificates on certain freshly installed clients can disappear, please give a reply!
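
The two log excerpts in this thread report the same failure in different notations: the DART log prints the WinVerifyTrustEx result as a signed decimal, while libcsd.log prints it unsigned. The following triage script is an added example, not part of the original posts or of any Cisco tooling; the function names are hypothetical and the HRESULT name table is taken from winerror.h rather than from the thread.

```python
import re

# Subset of WinVerifyTrust failure HRESULTs (names and values from winerror.h).
TRUST_HRESULTS = {
    0x800B0100: "TRUST_E_NOSIGNATURE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x80096010: "TRUST_E_BAD_DIGEST",
}
# libcsd.log prints the code as unsigned decimal, DART as signed decimal plus hex.
LIBCSD_RE = re.compile(r"\[hs_file_verify_trust\] unable to verify trust for (.+): (\d+)\s*$")
DART_RE = re.compile(r"Return Code:\s*(-?\d+)\s*\(0x[0-9A-Fa-f]{8}\)")

# Sample input: lines copied from the two log excerpts in this thread.
SAMPLE = r"""
Invoked Function: WinVerifyTrustEx
Return Code: -2146762486 (0x800B010A)
Invoked Function: VerifyFileSignature IsValid
Return Code: -31326175 (0xFE220021)
[Mo Dez 19 19:32:49.953 2011][libcsd][warn][hs_file_verify_trust] unable to verify trust for C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Cisco\Cisco HostScan\bin\cscan.exe: 2148204810
"""

def to_hresult(value):
    """Normalise a signed or unsigned decimal string to an unsigned 32-bit code."""
    return int(value) & 0xFFFFFFFF

def trust_failures(lines):
    """Return signature-trust failures found in DART or libcsd log lines."""
    findings = []
    for line in lines:
        lib, dart = LIBCSD_RE.search(line), DART_RE.search(line)
        if lib:
            source, subject, code = "libcsd", lib.group(1), to_hresult(lib.group(2))
        elif dart:
            source, subject, code = "dart", None, to_hresult(dart.group(1))
        else:
            continue
        name = TRUST_HRESULTS.get(code)
        if name is None and source == "dart":
            continue  # AnyConnect-internal code such as 0xFE220021, not an HRESULT
        findings.append({"source": source, "file": subject,
                         "code": f"0x{code:08X}", "name": name or "UNKNOWN"})
    return findings

if __name__ == "__main__":
    for finding in trust_failures(SAMPLE.splitlines()):
        print(finding)
```

Both findings resolve to `CERT_E_CHAINING`, which points at the certificate chain of the signed binaries rather than at the binaries themselves.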
