30-04-2021

Cisco Anyconnect Is Not Connecting



I have a client who receives the message 'AnyConnect is not enabled on the VPN Server' when using the AnyConnect 2.5.6005 client and the message 'Log denied, unauthorized connection mechanism, contact your administrator' when using the AnyConnect 3.1.02040 client on a Windows 7 Home Premium (64-bit) laptop.

When you are off campus, some of Illinois State University’s electronic services are unavailable to you unless you establish a VPN connection.

Oct 23, 2020 AnyConnect clients cannot establish phone calls. There are some scenarios where AnyConnect clients need to establish phone calls and video conferences over VPN. AnyConnect clients can connect to the AnyConnect headend without any problem. They can reach internal and external resources, however phone calls cannot be established. Something strange would happen when I connected to a Firepower 2130 running Firepower Threat Defense with Cisco AnyConnect. Basically, the AnyConnect client would contact the VPN gateway just fine, prompt for user credentials, authenticate and connect but then literally after about 3 seconds of being connected it would immediately drop and attempt to reconnect again. The Network Connections window should open. Right click on the Cisco AnyConnect Secure Mobility Client Connection. Click on Properties 4. Select the Networking tab. Select Internet Protocol Version 4 (TCP/IPv4) from 'This connection uses the following items.' Click on Properties. Click on Advanced. Cisco IOS Software Release 12.4(20)T supports AnyConnect on MAC in standalone mode without any problem. In order to resolve this, try to use the complete URL when you connect to the Cisco IOS head-end device.

Cisco AnyConnect is an application that the University makes available to students, faculty, and staff for free which may be used to establish a VPN connection with the University from off campus.

NOTE: If you need to request and install the application on your computer, please skip to the section further below entitled Download and Install Cisco AnyConnect. If you already have the application installed and would like to know how to connect to it, please read the section immediately below entitled Connect to the Cisco AnyConnect VPN Client Once Downloaded. The instructions below are listed for both Windows and Mac machines, respectively.

Connect to the Cisco AnyConnect VPN Client Once Downloaded

Windows:

  1. Open the Cisco AnyConnect VPN client.
  • Windows 8: On the Start screen, click Cisco AnyConnect Secure Mobility Client.
  • Windows 10: Start > All Apps > Cisco > Cisco AnyConnect Secure Mobility Client.
  • Alternatively, you can click Start and begin typing Cisco AnyConnect Secure Mobility Client and the application will show up. Click on the icon to start the application.
See
  1. Verify that the path in the field underneath “Ready to connect.” is VPN01.ILSTU.EDU.
  • If the path name does not automatically appear, click the arrow to the right of the field and select VPN01.ILSTU.EDU from the drop down menu, or enter the path name manually.
  1. Click Connect.

Figure 1:

  1. When prompted, select the appropriate Group (Figure 1):
  • To access most ISU resources, you will select –ISU-.
  • Important: To access ISU Oracle or SQL database resources directly (via software such as Microsoft Access, Oracle SQL Developer, Microsoft SQL Management Studio, etc.), select DB-User_Access.

Note: When you attempt to connect, you may receive a prompt that tells you that Cisco AnyConnect is updating. Do not attempt to cancel this update, as this update will allow your VPN software to work.

Figure 2:

  1. Enter your ULID and password in the appropriate fields, then click OK.
  2. After a moment, an informational banner window will appear that typically says “Welcome to Illinois State University,” but could display a different, informational message.
  3. Click Accept.

You are now connected with the Cisco AnyConnect VPN client. A Cisco AnyConnecticon with a yellow, locked padlock will be visible in your system tray (in the lower-right corner of your desktop, next to the clock). This indicates that you are connected. If the icon appears without a padlock, this indicates you are no longer connected through VPN.

Mac OS X:

  1. Open the Cisco AnyConnect VPN client. Click Finder > Applications> Cisco > Cisco AnyConnect Secure Mobility Client.

Figure 3:

  • Alternatively, you can search for the application in your “Dashboard” by simply clicking the rocket icon on your bottom toolbar. After that, start typing Cisco AnyConnect Secure Mobility Client and you will see the application. Click on the application to start the set-up process, or to access it once you’ve configured the settings properly.

Figure 4:

  1. Verify that the path in the field underneath “Ready to connect.” reads VPN01.ILSTU.EDU. If the field is empty, you will need to manually enter the file path exactly how it is shown in this article.

Figure 5:

  1. Click Connect.
  2. When prompted, select the appropriate Group (Figure 6):
  • For most ISU resources, you will select –ISU-.
  • Important: To access ISU Oracle or SQL database resources directly (via software such as Microsoft Access, Oracle SQL Developer, Microsoft SQL Management Studio, etc.), select DB-User_Access.

Figure 6:

  1. Enter your ULID and password when prompted to do so and click Connect.
  2. After a moment, an informational banner window will appear that typically says “Welcome to Illinois State University,” but could display a different, informational message.
  3. Click Accept.

You are now connected with the Cisco AnyConnect VPN client. A Cisco AnyConnect icon with a yellow, locked padlock is now in your system tray (in the lower-right corner of your desktop). This indicates that you are connected. If the icon appears without a padlock, this indicates you are no longer connected through VPN.

Disconnect from the VPN

Windows:

To disconnect from the VPN on a Window’s machine:

  1. Locate the Cisco AnyConnect VPN client icon and click on it. It is usually on your toolbar, but if it is not, here are some additional ways to find the application:
  • Windows 8: On the Start screen, click Cisco AnyConnect Secure Mobility Client.
  • Windows 10: Start > All Apps > Cisco > Cisco AnyConnect.
    • Alternatively, you can click [Start] and begin typing Cisco AnyConnect Secure Mobility Client and the application will show up. Click on the icon to start the application so you can disconnect from the VPN.
  1. In the Cisco AnyConnect Secure Mobility Client pane, click Disconnect.

Figure 7:

  1. Close Cisco AnyConnect Secure Mobility Client.

You are now disconnected from VPN.

Mac OSX:

To disconnect from a VPN connection on Cisco AnyConnect on Mac running Mac OS X or later:

  1. Click on the Cisco AnyConnect icon in your Dock.
  2. Click Disconnect.
  3. Close Cisco AnyConnect Secure Mobility Client.

Figure 8:

You are now disconnected from VPN.

Download and Install Cisco AnyConnect for Windows or Mac OS X

Students, faculty, and staff may download the Cisco AnyConnect VPN Client for Windows or Mac OS X from the University IT Help portal by following the directions below:

Windows:

  1. Navigate to the IT Help portal (at ITHelp.IllinoisState.edu),
  2. Click Downloads in the middle of the screen.
  3. Under Cisco AnyConnect, select the version you would like to download. You will need to select the version that is compatible with your machine. You can choose either Windows or Mac.
  4. Click on Windows or Mac and log in with your ULID and password if prompted to do so. You will be directed to a form to request the download file be sent to you. You will need to fill out the required fields in the submission form. Once submitted, your request will be handled in the order it was received. Once approved, you will receive an email. You will then click Download Files and you may be navigated to a Central Login page where you will need to enter your ULID and password. Once you log in, click the file next to Attached Files.

NOTE: If you have never access Liquid Files (SendTo) before, you may see a log in page to log into Liquid Files itself. Instead, you will want to click the SSO Sign In button to be navigated to a Central Login page. You will enter your ULID and password. Upon logging in, you will need to accept some terms and conditions. Once you have done that, you will never be prompted again for an SSO sign in.

  • Upon successfully downloading the installer, you will need to open the installer and follow the prompts.

See All Results For This Question

Figure 9:

  • Agree to the Terms and Conditions and proceed with the installation by clicking Accept. You may need to enter your computer’s profile credentials in order to accept the installation.

Figure 10:

  • Once the software has finished downloading, click Finish to close out of the installation process. You can now access the VPN software.

Mac OS X:

  1. Navigate to the IT Help portal (at ITHelp.IllinoisState.edu),
  2. Click Downloads in the middle of the screen.
  3. Under Cisco AnyConnect, select the version you would like to download. You will need to select the version that is compatible with your machine. You can choose either Windows or Mac.
  4. Click on Windows or Mac and log in with your ULID and password if prompted to do so. You will be directed to a form to request the download file be sent to you. You will need to fill out the required fields in the submission form. Once submitted, your request will be handled in the order it was received. Once approved, you will receive an email. You will then click Download Files and you may be navigated to a Central Login page where you will need to enter your ULID and password. Once you log in, click the file next to Attached Files.

NOTE: If you have never access Liquid Files (SendTo) before, you may see a log in page to log into Liquid Files itself. Instead, you will want to click the SSO Sign In button to be navigated to a Central Login page. You will enter your ULID and password. Upon logging in, you will need to accept some terms and conditions. Once you have done that, you will never be prompted again for an SSO sign in.

  • Upon successfully downloading the installer, you will need to open the installer and follow the prompts. When you get to the Installation Type screen, ensure that only the VPN checkbox is selected, then click Continue to proceed with the installation

Figure 11:

  • Click Continue to finish the installation. Once finished, open the Cisco AnyConnect Secure Mobility Client. You can find it in the Cisco folder in your applications, or can be manually searched in your Launchpad, as instructed above.

Figure 12:

  • Type VPN01.ILSTU.EDU in the empty text field, then press Connect.

Figure 13:

  • Enter your ULID in the Username field and your current password in the Password field. Click OK.

Figure 14:

  • You will see a welcome window. Click Accept to be connected to the VPN.

Figure 15:

Install Cisco AnyConnect Secure Mobility Client On A ...

  • Now that you are connected, you will be able to access university-restricted applications such as iPeople.
  • When you are ready to disconnect from the VPN, go back to the application and click Disconnect and close out of the application.

Figure 16:

How to Get Help

For technical assistance, you may contact the Technology Support Center at 309-438-4357 or by email at SupportCenter@IllinoisState.edu.

Back to Overview:

Related Articles:

Introduction

This document describes how to troubleshoot some of the most common communication issues of the Cisco AnyConnect Secure Mobility Client on Firepower Threat Defense (FTD) when it uses either Secure Socket Layer (SSL) or Internet Key Exchange version 2 (IKEv2).

Contributed by Angel Ortiz and Fernando Jimenez, Cisco TAC Engineers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco AnyConnect Secure Mobility Client.
  • Cisco FTD.
  • Cisco Firepower Management Center (FMC).
Cisco Anyconnect Is Not Connecting

Components Used

The information in this document is based on these software and hardware versions:

  • FTD managed by FMC 6.4.0.
  • AnyConnect 4.8.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Recommended troubleshoot process

This guide explains how to troubleshoot some common communication issues that AnyConnect clients have when the FTD is used as Remote Access Virtual Private Network (VPN) gateway. These sections address and provide solutions to problems below:

  • AnyConnect clients cannot access internal resources.
  • AnyConnect clients do not have internet access.
  • AnyConnect clients cannot communicate between each other.
  • AnyConnect clients cannot establish phone calls.
  • AnyConnect clients can establish phone calls. However, there is no audio on the calls.

AnyConnect clients cannot access internal resources

Complete these steps:

Step 1. Verify Split tunnel configuration.

  • Navigate to the Connection Profile that AnyConnect clients are connected to: Devices > VPN > Remote Access > Connection Profile > Select the Profile.
  • Navigate to the Group-Policy assigned to that Profile: Edit Group Policy > General.
  • Check the Split Tunneling configuration, as shown in the image.
  • If it's configured as Tunnel networks specified below, verify the Access Control List (ACL) configuration:

Navigate to Objects > Object Management > Access List > Edit the Access List for Split tunneling.

  • Ensure that the networks that you try to reach from the AnyConnect VPN client are listed in that Access List, as shown in the image.

Step 2.Verify Network Address Translation (NAT) exemption configuration.

Remember that we must configure a NAT exemption rule to avoid traffic to be translated to the interface IP address, usually configured for internet access (with Port Address Translation (PAT)).

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the NAT exemption rule is configured for the correct source (internal) and destination (AnyConnect VPN Pool) networks. Also check that the correct source and destination interfaces have been selected, as shown in the image.

Note: When NAT exemption rules are configured, check the no-proxy-arp and perform route-lookup options as a best practice.


Step 3. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the selected internal networks, as shown in the image.

AnyConnect clients do not have internet access

There are two possible scenarios for this issue.

  1. Traffic destined for the internet must not go through the VPN tunnel.

Ensure that the Group-Policy is configured for Split tunneling as Tunnel networks specifiedbelow and NOT as Allow all traffic over tunnel, as shown in the image.

2. Traffic destined for the Internet must go through the VPN tunnel.

In this case, the most common Group-Policy configuration for Split tunneling would be to select Allow all traffic over tunnel, as shown in the image.

Cisco Anyconnect Is Not Connecting

Step 1. Verify NAT exemption configuration for internal network reachability.

Remember that we must still configure a NAT exemption rule to have access to the internal network. Please review Step 2 of the AnyConnect clients cannot access internal resource section.

Step 2. Verify hairpinning configuration for dynamic translations.

In order for AnyConnect clients to have internet access through the VPN tunnel, we need to ensure that the hairpinning NAT configuration is correct for traffic to be translated to the interface´s IP address.

  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the Dynamic NAT rule is configured for the correct interface (Internet Service Provider (ISP) link) as source and destination (hairpinning). Also check that the network used for the AnyConnect VPN address pool is selected in Original source and the Destination Interface IP option is selected for Translated source, as shown in the image.


Step 3. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the external resources, as shown in the image.

AnyConnect clients cannot communicate between each other

There are two possible scenarios for this issue:

  1. AnyConnect clients with Allow all traffic over tunnel configuration in place.
  2. AnyConnect clients with Tunnel networks specified below configuration in place.
  1. AnyConnect clients with Allow all traffic over tunnel configuration in place.

When Allow all traffic over tunnel is configured for AnyConnect means that all traffic, internal and external, should be forwarded to the AnyConnect headend, this becomes a problem when you have NAT for Public Internet access, since traffic comes from an AnyConnect client destined to another AnyConnect client is translated to the interface IP address and therefore communication fails.

Step 1. Verify NAT exemption configuration.

In order to overcome this problem a manual NAT exemption rule must be configured to allow bidirectional communication within the AnyConnect clients.

Need
  • Navigate to the NAT configuration: Devices > NAT.
  • Ensure that the NAT exemption rule is configured for the correct source (AnyConnect VPN Pool) and destination. (AnyConnect VPN Pool) networks. Also check that the correct hairpin configuration is in place, as shown in the image.

Step 2. Verify Access Control Policy.

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect Clients is allowed, as shown in the image.

2. Anyconnect clients with Tunnel networks specified below configuration in place.

With Tunnel networks specified below configured for the AnyConnect clients only specific traffic is forwarded to through the VPN tunnel. However, we need to ensure that the headend has the proper configuration to allow communication within the AnyConnect clients.

Step 1. Verify NAT exemption configuration.

Please check Step 1, in the Allow all traffic over tunnel section.

Step 2. Verify Split tunneling configuration.

For AnyConnect clients to communicate between them we need to add the VPN pool addresses into the Split-Tunnel ACL.

  • Please follow Step 1 of the AnyConnect clients cannot access internal resources section.
  • Ensure that the AnyConnect VPN Pool network is listed in the Split tunneling Access List, as shown in the image.

Note: If there is more than one IP Pool for AnyConnect clients and communication between the different pools is needed, ensure to add all of the pools in the split tunneling ACL, also add a NAT exemption rule for the needed IP Pools.

Step 3. Verify Access Control Policy.

Ensure that traffic from the AnyConnect clients is allowed as shown in the image.

AnyConnect clients cannot establish phone calls

There are some scenarios where AnyConnect clients need to establish phone calls and video conferences over VPN.

AnyConnect clients can connect to the AnyConnect headend without any problem. They can reach internal and external resources, however phone calls cannot be established.

For this cases we need to consider the follow points:

  • Network topology for voice.
  • Protocols involved. I.e. Session Initiation Protocol (SIP), Rapid Spanning Tree Protocol (RSTP), etc.
  • How the VPN phones connect to the Cisco Unified Communications Manager (CUCM).

By default, FTD and ASA have applications inspection enabled by default in their global policy-map.

In most cases scenarios the VPN phones are not able to establish a reliable communication with the CUCM because the AnyConnect headend has an application inspection enabled that modifies the signal and voice traffic.

For more information about the voice and video application where you can apply application inspection see the follow document:

In order to confirm if an application traffic is dropped or modified by the global policy-map we can use the show service-policy command as shown below.


In this case we can see how SIP inspection drops the traffic.


Moreover, SIP inspection can also translate IP addresses inside the payload, not in the IP header, causes different issues, hence it is recommended to disable it when we want to use voice services over AnyConnect VPN.

In order to disable it we need to complete the next steps:

Step 1. Enter the privileged EXEC mode.

For more information on how to access this mode see the next document:

Step 2. Verify the global policy-map.

Run the next command and verify if SIP inspection is enabled.

Step 3. Disable SIP inspection.

If SIP inspection is enabled, turn it off running command below from clish prompt:

Step 4. Verify the Global Policy-map again.

Ensure that SIP inspection is disabled from the global policy-map:

AnyConnect clients can establish phone calls, however there is no audio on the calls

As mentioned in the previous section, a very common need for AnyConnect clients is to establish phone calls when connected to the VPN. In some cases the call can be established, however clients may experience lack of audio on it. This applies to the next scenarios:

  • No audio on the call between an AnyConnect client and an external number.
  • No audio on the call between an AnyConnect client and another AnyConnect client.

In order to get this fixed, we can follow these steps:

Step 1. Verify Split tunneling configuration.

    • Navigate to the Connection Profile use to connect to: Devices > VPN > Remote Access > Connection Profile > Select the Profile.
    • Navigate to the Group-Policy assigned to that Profile: Edit Group Policy > General.
    • Check the Split Tunneling configuration, as shown in the image.
    • If configured as Tunnel networks specified below, verify the Access List configuration: Objects > Object Management > Access List > Edit the Access List for Split tunneling.
    • Ensure that the Voice Servers and the AnyConnect IP Pool networks are listed in the Split tunneling Access List, as shown in the image.

Step 2. Verify NAT exemption configuration.

NAT exemption rules must be configured to exempt traffic from the AnyConnect VPN network to the Voice Servers network and also to allow bidirectional communication within the AnyConnect clients.

    • Navigate to the NAT configuration: Devices > NAT.
    • ensure that the NAT exemption rule is configured for the correct source (Voice Servers) and destination (AnyConnect VPN Pool) networks, and the hairpin NAT rule to allow AnyConnect client to AnyConnect client communication is in place. Moreover, check that the correct inbound and outbound interfaces configuration is in place for each rule, per your network design, as shown in the image.

Step 3. Verify that SIP inspection is disabled.

Please review the previous section AnyConnect clients cannot establish phone calls to know how to disable SIP inspection.

Step 4. Verify Access Control Policy.

Cisco Anyconnect Not Working

Per your Access Control Policy configuration, ensure that traffic from the AnyConnect clients is allowed to reach the Voice servers and involved networks, as shown in the image.

Related Information

Cisco Anyconnect Is Not Connecting

  • This video provides the configuration example for the different issues discussed in this document.

Cisco Anyconnect Will Not Connect

  • For additional assistance, please contact Technical Assistance center (TAC). A valid support contract is required: Cisco Worldwide Support Contacts.
  • You can also visit the Cisco VPN Community here.