Cisco Anyconnect Secure Mobility Client Install Error

by Jeff Stern

(Note: There is also an alternative method of installing UCI VPN support without using the Cisco client, but using the built-in Debian/Ubuntu openconnect and openvpn drivers, should you find the below method does not work for you, or if you prefer to use open-source non-proprietary software.)

4.Within the Products folder, locate and delete the registry key which contains product information for Cisco AnyConnect Secure Mobility Client. Each registry key within Products is an alphanumeric string. Select the first key and look on the right side for ProductName REGSZ Cisco AnyConnect Secure Mobility Client.

Introduction

The fix is quite simple actually, go to Network Connections from Control Panel, right-click Cisco AnyConnect Security Mobility Client Connection, and choose Properties. Then disable IPv6, change IPv4 IP settings from Fixed IP to Dynamic. Close all Network Properties dialog boxes, and try VPN connecting again. It should go through fine now. If the web based installation is unsuccessful you will be asked to manually install the AnyConnect client. Click the link under 'Install using the link below:' to download the client and complete the installation manually. In Windows: Double-click the downloaded file and click 'Run' to begin the installation. Follow the prompts and then reboot. Allow Captive Portal Remediation—Check to let the Cisco AnyConnect Secure Mobility client lift the network access restrictions imposed by the closed connect failure policy. By default, this parameter is unchecked to provide the greatest security; however, you must enable it if you want the client to connect to the VPN if a captive portal is.

OIT has a good general VPN-Linux page with instructions on setting up the Cisco AnyConnect VPN client software for Linux, but I got tripped up in a couple of places and thought I'd pass on some heads-ups for other Debian and Ubuntu users.

I originally wrote this 'How-To' for Ubuntu v10, and have updated it through v17.04. Sekirei season 3 sub indo bd. It should work for most or all Debian-derived distributions through 9.0 ('Stretch').

Please do write me to let me know how it went for you, and/or with any suggestions. I'd love to hear that it helped someone and/or any improvements that could be added.

Thanks to several for the help getting here.

Summary

In the instructions below, I'll walk you through installing the Cisco VPN client on a Debian or Ubuntu system. When you're done, you'll have two commands available at the command-prompt, which you can run to connect to the campus VPN: 'vpn' (text mode) and 'vpnui' (graphical/windowing).

I used to also include instructions for getting VPN support to show up in the NetworkManager icon/applet in the system tray, for those who used a Gnome based desktop. I no longer do this, as it is too complicated these days to keep up with documenting the various desktop environments, and the changes (and unreliability) of NetworkManager. And it's not really necessary anyway. If you get it going for yourself, though, Kudos to You! :-)

Installing the Cisco AnyConnect client

1. First, make sure you have the necessary Debian/Ubuntu support packages installed:
2. Go to the UCI OIT Cisco Anyconnect/Linux instruction page.
3. Download the 32 or 64 bit client as a .gz file.
• If you are usure whether you should use the 32 or 64 bit client: Most people are on 64-bit machines now. But if you are unsure, just run the uname command like this:As you can see from the above example, my machine has a 64-bit Intel (x86_64) based processor. If you see a '386' somewhere, then you are on a 32-bit machine.
4. From the command prompt, go to the directory you saved the file to, and unpack it and run, just like the OIT instructions. Note you might have to put in some back-slashes because the download file apparently comes with spaces in the file name these days:
5. If you get the following message at the end instead: it most likely means you did not install the two Ubuntu packages up in step 1, above.
   • However, if you have installed those two packages, and are still getting this error, then user Steve Murphy wrote me (2015-12-7) with the tip that running the following did install enough dependent packages as to make it work for him:However, while this may help some users, this normally should not be necessary, and was not in my testing.
     
6. Now reload systemd, scanning for new or changed units:
7. The vpn client should now have been installed on your system and the vpnagentd process started. You can verify this by looking at the active processes:
8. During the installation, the vpnagentd daemon should now be set up to be started each time your system is booted. To verify:or
9. Make command aliases to point to the vpn and vpnui commands:
10. Also add these aliases to the end of your ~/.bashrc or ~/.bash_aliases file:(where you don't actually type the '^D': it means you hit Ctrl-D to finish).
    If you want to edit your aliases file instead directly, you can run a simple editor, 'nano', which is usually available on Debian and Ubuntu systems:

Connecting and Disconnecting

Connecting (Graphical window)

And it should show 'vpn.uci.edu' already. Just click Connect.

If you get an error message about an untrusted server or certificate.

.you can fix that following the instructions from Robert in the section NOTE 1 - Connect-error, below.

(By the way, depending on how the installation went, and whatever of the Linux desktop environments you are using (Gnome, Unity, KDE, Mate, Cinnamon, XFCE, etc.) you may also find that the vpnui graphical client now also appears somewhere in your Applications menu. But don't count on it! This is Linux, after all. :-) )

Connecting (via command-line)

1. To start the client from a command-line prompt in a terminal window, using the alias you made above:
2. At the VPN> prompt, type connect vpn.uci.edu and press Enter. (If you get an error message about an untrusted server or certificate, you can fix that following the instructions from Robert in the section NOTE 1 - Connect-error, below.) Otherwise, you should now see:If you do not see this, but get a connect error instead, please see NOTE 1 - Connect Error below.
3. Ignore the message about entering your UCInetID and password, for now.
4. Choose one of the choices by number and press return -- usually UCI or UCIFull. (See the differences in the Tunnels below.) For instance, for UCI, press 3 and hit Enter.
5. Enter your UCInetID and password in the Username and Password boxes and press return.
6. At the accept? [y/n]: prompt, type y and press Enter. You may get several notices the first time about the downloader performing update checks. At the end you should see a >> state: Connected message and a new VPN> prompt. You are now connected.
7. Either leave the VPN> prompt open or if you want your terminal back just type quit at the VPN> prompt (the connection will remain active).

Connecting automatically via Command-line (w/o typing in your Username/Password)

I never (not yet?) figured out how to get the Cisco anyconnect software to run via script with command-line parameters sufficient for its running without having to type in your username (UCINetID) and password. I looked into the vpn command / executable supplied by Cisco (in the anyconnect-predeploy package) and running -h on it does not give much help.

Therefore, if you need something command-line and automated, I suggest you use the alternative method using open-source openvpn/openconnect software which I mentioned at the very top of this document. I include a way to do that in an automated way, and I find it works just as well and just as fast, but without having to install proprietary Cisco software. (This is the age of Ed Snowden's warning to us all, after all. :-/

NOTE 1 - Connect-error

In most cases I have seen, a connection is made. I have, however, seen the below error before only once. It was when the person was installing on a netbook (running Gnome) which was on campus and usingthe campus wifi system (though I don't know if those factors were the cause). It didn't matter if they answered y or n, they continued to get the error and be denied connection.

Update 2015-12-6: 'Robert' wrote me with a solution to this:

• .the connect error.. can be resolved by sym-linking the cisco ca directory to the system ca directory as cisco only seems to include one root certificate by default. Or you can install the certificate chain from the VPN provider - sym-linking the system certs worked fine for me. Credit goes to: https://plus.google.com/+AndreasKotowicz/posts/2afhvvNZpE6

Thank you, Robert!

To disconnect (gui)

1. Just click disconnect in the window

To disconnect (command-line)

1. At the VPN> prompt, type disconnect and hit Enter.

To exit (command-line)

1. At the VPN> prompt, type quit and hit return.

De-installation / Removal

1. Run Cisco's provided un-install script
2. Optionally, also remove the cisco directory (if you don't need the .log files that were left behind):
   

Additional Hints, Tips, and Handling of Errors and Problems Contributed by Users

Several people have written in to me with some additional tips and solutions which I'll add here:

• From pierrechauffour:
• From zviad aburjania: This turned out to be a missing library fixable by:
• From zviad aburjania (2): (If that link no longer works, it is just recommended to start /opt/cisco/anyconnect/bin/vpnagentd first.)
  
• From pascal müller:

  Pascal researched and found that the error, anyconnect was not able to establish a connection to the specified secure gateway is a known problem with Cisco clients before version 4, when these earlier clients are installed on Ubuntu 16.04+. The solution is either to downgrade your Ubuntu, or upgrade your Cisco client. At my university we have upgraded to offering version 4 (anyconnect-predeploy-linux-64-4.3.05017-k9.tar.gz), and this supposedly works with the newer Ubuntus. I did not myself test the new version 4 Anyconnect client with Ubuntus 15.x and 16.x. Metal gear rising revengeance mods. But I have tested it today (April 27 2017) with my Ubuntu 17.04 system, and it works great.

Contact / Feedback

Please email me to let me know how this process went for you, and/or with any suggestions for improvement on this page itself. Thanks.

Acknowledgements

Thanks to:

1. Mike Iglesias and Sylvia Bass at UCI's OIT for for putting up the link to here from their VPN-Linux page.
2. a page at Georgia Tech (now defunct), from which part of this page (the old Section 2, no longer included) was originally adapted.
3. Joe Remenak for clear, concise feedback on some additional steps (1 and 11) necessary now for the newer 64-bit Ubuntus.
4. Tom Distler, for the Tux/Cisco image at the top of this page, which I mooched from his page, How to connect Linux to a Cisco VPN using a PCF file.
5. James Condie at UCI, who encountered multiple problems with the latest changes in the 4.3.05017 version of Cisco's install -- but patiently stuck with it -- thus encouraging me to update this page once again, and clarify a few additional things for newer Linux users.
6. Philippe Moisan, who caught and reported an incompatibility with the find vpnagentd command above in Installation Step 8, for some versions of Linux, and offered also a fix: to put quotes around the '*vpnagentd*' which should work with all flavors of find.

Last Updated Oct 30 2017

Cisco AnyConnect Secure Mobility Client is a not just a VPN modular endpoint software product that provides endpoints access to secure resources but also provides extra layers of security necessary to help keep your organisation safe and protected. Cisco AnyConnect Secure Mobility Client provides Virtual Private Network (VPN) access through Secure Sockets Layer (SSL) and Internet Protocol Security (IPsec) Internet Key Exchange version2 (IKEv2) and offers enhanced security through various built-in modules. These built-in modules provide services such as compliance through the VPN with ASA or through wired, wireless, and VPN with Cisco Identity Services Engine (ISE), web security alongside Cisco Cloud Web Security, network visibility into endpoint flows within Stealthwatch, or off-network roaming protection with Cisco Umbrella.

How To Install Anyconnect Client

Cisco Anyconnect is an easy to use,reliable and highly secure mobility client which provides secure VPN to users regardless where they are working from. On a single click ,one is connected to office environment from anywhere and is safe and malware threat proof. Also the companies can monitor what all devices are connected to their network from outside as access to it is granted by following certain set of approval which are set at organisational level. For organisations moving towards agility, it gives flexibility, reliability and connectivity that is needed.

How to Install the Cisco AnyConnect Secure Mobility Client

Step 1. Download the Cisco AnyConnect VPN Client here.

Note: Install the AnyConnect Pre-deployment Package for Windows.

Step 2. To install Click Run.

Step 3. Check the check boxes for the modules that you need to install.

Note: All modules will be installed by default.

Step 4. (Optional) Check the Lock Down Component Services check box if the feature needs to be enabled. Enabling this feature will prevent users from disabling the Windows Web Security service.

Note: In this example, Lock Down Component Services is not enabled.

Step 5. Click Install Selected.

Step 6. Click OK.

Step 7. Go over the Supplemental End User License Agreement and then click Accept.

Step 8. Restart your computer.

You should now have successfully installed the Cisco AnyConnect Secure Mobility Client on your computer.

Using the Cisco AnyConnect Secure Mobility Client VPN

When launching the Cisco AnyConnect Secure Mobility Client its icon appears in the system tray (bottom of the screen, on the right hand side).

• To connect to your VPN, renter your VPN address as per the image below. Afterwards click ‘Connect'.

• Enter your username and password.
• To stop the VPN connection, double click the ASA VPN client icon and select Disconnect.

Tip: Disconnect the VPN connection when you are not using it.

Basic Troubleshooting on Cisco AnyConnect Secure Mobility Client Errors

1. Problem: Network Access Manager fails to recognise your wired adapter.

Solution: Try unplugging your network cable and reinserting it. If this does not work, you may have a link issue. The Network Access Manager may not be able to determine the correct link state of your adapter. Check the Connection Properties of your Network Interface Card (NIC) driver. You may have a 'Wait for Link' option in the Advanced Panel. When the setting is On, the wired NIC driver initialization code waits for auto negotiation to complete and then determines if a link is present.

2. Problem: When AnyConnect attempts to establish a connection, it authenticates successfully and builds the Secure Socket Layer (SSL)session, but then the AnyConnect client crashes in the vpndownloader if using Label-Switched Path (LSP) or NOD32 Antivirus.

Solution: Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32 AV.

3. Problem: When using McAfee Firewall 5, a User Datagram Protocol (UDP)Datagram Transport Layer Security (DTLS) connection cannot be established.

Solution: In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

4. Problem: The connection fails due to lack of credentials.

Solution: The third-party load balancer has no insight into the load on the Adaptive Security Appliance (ASA) devices. Because the load balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices, using the internal ASA load balancing instead is recommended.

Cisco Anyconnect Secure Mobility Client Install Error Failed

5. Problem: The AnyConnect client fails to download and produces the following error message:

Cisco Anyconnect Secure Mobility Install

Solution: Upload the patch update to version 1.2.1.38 to resolve all dll issues.

6. Problem: If you are using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify the IP forwarding table.

Solution: Disable the Bonjour Printing Service by typing net stop 'bonjour service' at the command prompt. A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web site.

7. Problem: If a Label-Switched Path (LSP) module is present on the client, a Winsock catalogue conflict may occur.

Cisco Anyconnect Secure Mobility Client Installation Success Or Error Status 1603

Solution: Uninstall the LSP module.

8. Problem: You receive an 'Unable to Proceed, Cannot Connect to the VPN Service' message. The VPN service for AnyConnect is not running.

Solution: Determine if another application conflicted with the service by going to the Windows Administration Tools then make sure that the Cisco AnyConnect VPN Agent is not running. If it is running and the error message still appears, another VPN application on the workstation may need to be disabled or even uninstalled. After taking that action, reboot, and repeat this step.

Cisco Anyconnect Secure Mobility Client Windows 10

9. Problem: When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right after CSTP state = CONNECTED. The following message appears:

Solution: Uninstall Kaspersky and refer to their forums for additional updates.

This troubleshooting guide is referenced at the Cisco Website. For more information click here.