Anyconnect SBL fails to connect.

eagles-nest
Level 1

Hi

No doubt a well discussed topic but I have tried all sorts to try to get Anyconnect SBL working with no success.

I am running XP Pro SP3.

I can connect to my Anyconnect VPN with no problems via the FQDN once XP is up and running. However, when prompted to connect to the VPN prior to logging in I get the pretty nondescript error below.

Connection attempt failed.  Please try again.

I tried removing the Anyconnect client and SBL application. I re-installed Anyconnect then re-connected and it automatically downloaded the SBL part. I then restarted my laptop.

I can see there is an attempt to connect to the ASA because I set up a capture but the attempt fails almost immediately with the error above.

I am using Anyconnect 3.0.08057 and a certificate on the ASA that is issued by a CA in my domain. I have that root certificate installed on my laptop in the Trusted Certificates Authorities store. I don't get any certificate issues during a manual VPN connection so I assume this isn't a certificate issue.

I'd appreciate any assistance anyone may have.

Thanks,

St.


I think it's becoming clearer why this is failing but not why SBL is doing what it seems to be doing.

During a manual VPN setup all goes ok and the setup takes place on port 442 as configured.

However, when I do the SBL connection, even though I have configured the client profile to go via port 442, it connects via 443. The ASA responds, a bit of an exchange takes place and the conversation is terminated. Obviously the ASA is saying I don't have Anyconnect on port 443 so go away.

Here's the Host entry in the client profile in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile_name.xml:

A.B.co.uk:442

  A.B.co.uk:442

I have named the hostname the same as the FQDN so that I know it is using that entry. But for some reason SBL seems to ignore the :442 and tries to connect to 443 regardless.

When I log in and, as described above, initiate a manual VPN connection I select the hostname A.B.co.uk:442 from the Anyconnect client drop-down list. In fact that's the only entry there as it should be. When I try to connect that way it works fine.

Am I missing some other aspect of this where SBL needs specifically told the ASA FQDN in a different location to the profile in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile_name.xml?

     Thanks, St.
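
A check for the condition described in the post above (Start Before Logon enabled together with a host entry on a port other than 443), as an added example that is not part of the original posts or Cisco's code. The sample profile is constructed, and the element names (`HostEntry`, `HostName`, `HostAddress`, `UseStartBeforeLogon`) are assumed from the AnyConnect profile layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile, not taken from the thread. Element names are
# assumed from the AnyConnect profile layout.
SAMPLE_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>A.B.co.uk:442</HostName>
      <HostAddress>A.B.co.uk:442</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

DEFAULT_PORT = 443  # port the thread reports SBL connecting to


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def split_port(address):
    """Return (host, port) for 'host', 'host:port' or 'host:port/group'."""
    authority = address.strip().split("/", 1)[0]
    host, sep, port = authority.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return authority, DEFAULT_PORT


def audit_profile(xml_text):
    """Return (sbl_enabled, entries); flag entries where SBL is on and port != 443."""
    root = ET.fromstring(xml_text)
    sbl = any(local(e.tag) == "UseStartBeforeLogon"
              and (e.text or "").strip().lower() == "true" for e in root.iter())
    entries = []
    for entry in (e for e in root.iter() if local(e.tag) == "HostEntry"):
        fields = {local(c.tag): (c.text or "").strip() for c in entry}
        host, port = split_port(fields.get("HostAddress") or fields.get("HostName", ""))
        entries.append({"name": fields.get("HostName", ""), "host": host,
                        "port": port, "flagged": sbl and port != DEFAULT_PORT})
    return sbl, entries


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A flagged entry is one to compare against a packet capture of the pre-logon attempt, as the poster did, to see which port the client actually uses.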


Cisco have said this is a bug but they are unsure whether the Anyconnect client can control the behaviour or it is a PLAP issue needing fixed by Microsoft.

I will update with any further info when I have it.

St.

Bug id below.

CSCub75468