Troubleshoot Anyconnect: Gather Information For Troubleshooting

This document provides troubleshooting steps for issues with the Cisco AnyConnect Secure Mobility Client. It includes instructions for gathering diagnostic information using the AnyConnect Diagnostics and Reporting Tool (DART) and viewing statistical details of a connection. Specific issues covered include connection and disconnection problems, VPN service failures, driver crashes, installation failures, incompatibility issues, and known conflicts with third-party applications. Troubleshooting steps involve collecting logs, checking system information and the Windows registry, and obtaining the AnyConnect configuration file from the ASA.

Uploaded by

sandeepscribd
Troubleshoot AnyConnect

• Gather Information for Troubleshooting
• AnyConnect Connection or Disconnection Issues
• VPN Service Failures
• Driver Crashes
• Other Crashes
• Security Alerts
• Dropped Connections
• Installation Failures
• Incompatibility Issues
• Known Third-Party Application Conflicts

Gather Information for Troubleshooting


View Statistical Details
An administrator or end user can view statistical information for a current AnyConnect session.

Procedure

Step 1 On Windows, navigate to Advanced Window > Statistics > VPN drawer. On Linux, click the Details
button on the user GUI.
Step 2 Choose from the following options, depending upon the packages that are loaded on the client computer.
• Export Stats—Saves the connection statistics to a text file for later analysis and debugging.
• Reset—Resets the connection information to zero. AnyConnect immediately begins collecting new data.
• Diagnostics—Launches the AnyConnect Diagnostics and Reporting Tool (DART) wizard which bundles
specified log files and diagnostic information for analyzing and debugging the client connection.


Run DART to Gather Data for Troubleshooting


DART is the AnyConnect Diagnostics and Reporting Tool that you can use to collect data for troubleshooting
AnyConnect installation and connection problems. DART assembles the logs, status, and diagnostic information
for Cisco Technical Assistance Center (TAC) analysis.
The DART wizard runs on the device that runs AnyConnect. DART does not require administrator privileges.
You can launch DART from AnyConnect, or by itself without AnyConnect.
The following operating systems are supported:
• Windows
• macOS
• Linux

Procedure

Step 1 Launch DART:


• For a Windows device, launch the Cisco AnyConnect Secure Mobility Client.
• For a Linux device, choose Applications > Internet > Cisco DART
or /opt/cisco/anyconnect/dart/dartui.
• For a Mac device, choose Applications > Cisco > Cisco DART.

Step 2 Click the Statistics tab and then click Diagnostics.


Step 3 Choose Default or Custom bundle creation.
• Default—Includes the typical log files and diagnostic information, such as the AnyConnect log files,
general information about the computer, and a summary of what DART did and did not do. The default
name for the bundle is DARTBundle.zip, and it is saved to the local desktop.
• Custom—Allows you to specify what files you want to include in the bundle (or the default files) and
where to store the bundle.

Note Default is the only option for macOS. You cannot customize which files to include in the bundle.

Note If you select Custom, you can configure which files to include in the bundle, and specify a different
storage location for the file.

Step 4 If DART seems to be taking a long time to gather the default list of files, click Cancel, re-run DART, and
choose Custom selecting fewer files.
Step 5 If you chose Default, DART starts creating the bundle. If you chose Custom, continue following the wizard
prompts to specify logs, preference files, diagnostic information, and any other customizations.


Collect Logs to Gather Data for Install or Uninstall Issues (for Windows)
If you have an AnyConnect install or uninstall failure, you need to collect logs, because the DART collection
does not have diagnostics for this.
Run the msiexec command in the same directory where you unzipped AnyConnect files:
• For install failures, enter
C:\temp>msiexec /i anyconnect-win-version-pre-deploy-k9.msi /lvx c:\Temp\ac-install.log

where c:\Temp\ac-install.log can be a filename of your choice.

• For uninstall failures, enter
C:\temp>msiexec /x anyconnect-win-version-pre-deploy-k9.msi /lvx c:\Temp\ac-uninstall.log

where c:\Temp\ac-uninstall.log can be a filename of your choice.

Note For uninstall failures, you should use the MSI specific to the version currently installed.

You can alter the same commands above to capture information about any module on Windows which is not
installing or uninstalling correctly.

Get Computer System Info


For Windows type msinfo32 /nfo c:\msinfo.nfo.

Get Systeminfo File Dump


For Windows, type systeminfo > c:\sysinfo.txt at the command prompt.

Check Registry File


An entry in the SetupAPI log file as below indicates a file cannot be found:

E122 Device install failed. Error 2: The system cannot find the file specified.
E154 Class installer failed. Error 2: The system cannot find the file specified.

Make sure the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce registry key exists. Without this registry key, all inf install packages are forbidden.

Location of AnyConnect Log Files


The logs are retained in the following files:
• Windows—\Windows\Inf\setupapi.app.log or \Windows\Inf\setupapi.dev.log


Note In Windows, you must make the hidden files visible.

If this is an initial web deployment install, the log file is located in the per-user temp directory:
%TEMP%\anyconnect-win-4.X.xxxxx-k9-install-yyyyyyyyyyyyyy.log.
If an upgrade was pushed from the optimal gateway, the log file is in the following location:
%WINDIR%\TEMP\anyconnect-win-3.X.xxxxx-k9-install-yyyyyyyyyyyyyy.log.
Obtain the most recent file for the version of the client you want to install. The xxx varies depending on the
version, and the yyyyyyyyyyyyyy specifies the date and time of the install.

AnyConnect Connection or Disconnection Issues


AnyConnect Not Establishing Initial Connection or Not Disconnecting
Problem AnyConnect will not establish initial connection, or you get unexpected results when you click
Disconnect on the Cisco AnyConnect Secure Mobility Client window.
Solution Check the following:
• If you are using Citrix Advanced Gateway Client Version 2.2.1, remove the Citrix Advanced Gateway
Client until the CtxLsp.dll issue is resolved by Citrix.
• If you are using AT&T Communication Manager Version 6.2 or 6.7 with an AT&T Sierra Wireless 875
card, follow these steps to correct the problem:
1. Disable acceleration on the Aircard.
2. Launch AT&T communication manager > Tools > Settings > Acceleration > Startup.
3. Type manual.
4. Click Stop.
• Obtain the config file from the ASA to look for signs of a connection failure:
• From the ASA console, type write net x.x.x.x:ASA-Config.txt, where x.x.x.x is the IP address of
the TFTP server on the network.
• From the ASA console, type show running-config. Cut and paste the config into a text editor and
save.

• View the ASA event logs:


1. At the ASA console, add the following lines to look at the ssl, webvpn, anyconnect, and auth events:

config terminal
logging enable
logging timestamp
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class anyconnect console debugging


2. Attempt an AnyConnect client connection, and when the connect error occurs, cut and paste the log
information from the console into a text editor and save.
3. Type no logging enable to disable logging.

• Obtain Cisco AnyConnect VPN client log from the client computer using the Windows Event Viewer.
1. Choose Start > Run and type eventvwr.msc /s.
2. Locate the Cisco AnyConnect VPN Client in the Applications and Services Logs (of Windows 7)
and choose Save Log File As...
3. Assign a filename, for example, AnyConnectClientLog.evt. You must use the .evt file
format.
• Modify the Windows Diagnostic Debug Utility.
1. Attach the vpnagent.exe process as shown in the WinDbg documentation.
2. Determine if there is a conflict with the IPv6/IPv4 IP address assignments. Look in the event logs
for any identified conflicts.
3. If a conflict was identified, add additional routing debugs to the registry of the client computer being
used. These conflicts may appear in the AnyConnect event logs as follows:

Function: CRouteMgr:modifyRoutingTable Return code: 0xFE06000E File: .\VpnMgr.cpp
Line:1122
Description: ROUTEMGR_ERROR_ROUTE_TABLE_VERIFICATION_FAILED.
Termination reason code 27: Unable to successfully verify all routing table
modifications are correct.

Function: CChangeRouteTable::VerifyRouteTable Return code: 0xFE070007
File: .\RouteMgr.cpp Line: 615 Description: ROUTETABLE_ERROR_NOT_INITIALIZED

4. Enable route debugging on a one-time basis for a connection by adding a specific registry entry
(Windows) or file (Linux and macOS).
• On 32-bit Windows, the DWORD registry value must be
HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Cisco AnyConnect Secure Mobility Client\DebugRoutesEnabled
• On 64-bit Windows, the DWORD registry value must be
HKEY_LOCAL_MACHINE\Software\WOW6432node\Cisco\Cisco AnyConnect Secure Mobility Client\DebugRoutesEnabled
• On Linux or macOS, create a file in the following path using the sudo touch command:
/opt/cisco/anyconnect/debugroutes

Note The key or file is deleted when the tunnel connection is started. The value of the
key or content of the file is not important as the existence of the key or file is
sufficient to enable debugging.
Start a VPN connection. When this key or file is found, two route debug text files
are created in the system temp directory (usually C:\Windows\Temp on Windows
and /tmp on Mac or Linux). The two files (debug_routechangesv4.txt and
debug_routechangesv6.txt) are overwritten if they already exist.
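
The routing-conflict entries quoted in step 3 share a fixed field layout (Function, Return code, File, Line, Description). The following Python example is added here and is not part of the original Cisco document: it parses entries in that layout from exported event-log text, tolerating the line wrapping shown above, and reports whether any routing-table error is present, which is the case where the route debugging of step 4 applies. The sample text is constructed from the two entries quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the two entries quoted in step 3, wrapped as they
# appear in an exported log.
SAMPLE_LOG = """\
Function: CRouteMgr:modifyRoutingTable Return code: 0xFE06000E File: .\\VpnMgr.cpp
Line:1122
Description: ROUTEMGR_ERROR_ROUTE_TABLE_VERIFICATION_FAILED.
Termination reason code 27: Unable to successfully verify all routing table
modifications are correct.

Function: CChangeRouteTable::VerifyRouteTable Return code: 0xFE070007
File: .\\RouteMgr.cpp Line: 615 Description: ROUTETABLE_ERROR_NOT_INITIALIZED
"""

# One entry, after its lines have been joined with single spaces.
ENTRY_RE = re.compile(
    r"Function:\s*(?P<function>\S+)\s+"
    r"Return code:\s*(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"File:\s*(?P<file>\S+)\s+"
    r"Line:\s*(?P<line>\d+)\s+"
    r"Description:\s*(?P<description>[A-Z0-9_]+)"
)
REASON_RE = re.compile(r"Termination reason code (\d+)")

# Description prefixes seen in the routing-conflict entries on this page.
ROUTE_ERROR_PREFIXES = ("ROUTEMGR_ERROR", "ROUTETABLE_ERROR")


def parse_entries(text):
    """Return one dict per 'Function: ...' entry found in the log text."""
    entries = []
    # Split just before each 'Function:' so wrapped lines stay with their entry.
    for chunk in re.split(r"(?=Function:)", text):
        flat = " ".join(chunk.split())  # undo line wrapping
        match = ENTRY_RE.match(flat)
        if not match:
            continue  # leading text or an entry in another layout
        entry = match.groupdict()
        entry["line"] = int(entry["line"])
        reason = REASON_RE.search(flat)
        entry["termination_reason"] = int(reason.group(1)) if reason else None
        entries.append(entry)
    return entries


def needs_route_debug(entries):
    """True when any entry carries a routing-table error description."""
    return any(e["description"].startswith(ROUTE_ERROR_PREFIXES) for e in entries)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for e in parsed:
        print(e["function"], e["code"], e["description"], e["termination_reason"])
    print("enable route debugging:", needs_route_debug(parsed))
```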


AnyConnect Not Passing Traffic


Problem The AnyConnect client cannot send data to the private network once connected.
Solution Check the following:
• If you are using AT&T Communication Manager Version 6.2 or 6.7 with an AT&T Sierra Wireless 875
card, follow these steps to correct the problem:
1. Disable acceleration on the Aircard.
2. Launch AT&T communication manager > Tools > Settings > Acceleration > Startup.
3. Type manual.
4. Click Stop.
• Obtain the output of the show vpn-sessiondb detail anyconnect filter name <username> command. If the
output specifies Filter Name: XXXXX, get the output for the show access-list XXXXX command as
well. Verify that the ACL is not blocking the intended traffic flow.
• Obtain the DART file or the output from AnyConnect VPN Client > Statistics > Details > Export
(AnyConnect-ExportedStats.txt). Observe the statistics, interfaces, and routing table.
• Check the ASA config file for NAT statements. If NAT is enabled, you must exempt data returning to
the client from network address translation. For example, to NAT exempt the IP addresses from the
AnyConnect pool, the following code would be used:

access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out

• Verify whether the tunneled default gateway is enabled for the setup. The traditional default gateway is
the gateway of last resort for non-decrypted traffic:

route outside 0 0 209.165.200.225
route inside 0 0 10.0.4.2 tunneled

If a VPN client needs to access a resource that is not in the routing table of the VPN gateway, packets
are routed by the standard default gateway. The VPN gateway does not need to have the whole internal
routing table. If you use a tunneled keyword, the route handles decrypted traffic coming from IPsec/SSL
VPN connection. Standard traffic routes to 209.165.200.225 as a last resort, while traffic coming from
the VPN routes to 10.0.4.2 and is decrypted.
• Collect a text dump of ipconfig /all and a route print output before and after establishing a tunnel with
AnyConnect.
• Perform a network packet capture on the client or enable a capture on the ASA.

Note If some applications (such as Microsoft Outlook) do not operate with the tunnel,
ping a known device in the network with a scaling set of pings to see what size
gets accepted (for example, ping -l 500, ping -l 1000, ping -l 1500, and ping -l
2000). The ping results provide clues to the fragmentation issues in the network.
Then you can configure a special group for users who might experience
fragmentation and set the anyconnect mtu for this group to 1200. You can also
copy the Set MTU.exe utility from the old IPsec client and force the physical
adapter MTU to 1300. Upon reboot, see if you notice a difference.
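
For the NAT exemption check in the list above, the following Python example (added here, not part of the original Cisco document) parses a saved ASA configuration and reports any part of an address pool that the exemption ACL's destination networks do not cover. It handles only the three statement forms shown in the sample above (access-list ... extended permit ip, ip local pool, and nat (interface) 0 access-list); the function names and the second, deliberately too-narrow configuration are constructed for illustration.

```python
import ipaddress

# The three statements from the NAT exemption sample on this page.
SAMPLE_CONFIG = """\
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
"""

# Constructed variant: the ACL now exempts only the lower half of the pool.
NARROW_CONFIG = SAMPLE_CONFIG.replace("255.255.255.0", "255.255.255.128")


def take_addr(tokens):
    """Consume one address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Collect ACL destinations, pool ranges and the ACLs used for NAT exemption."""
    acls, pools, exempt = {}, {}, []
    for line in text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            _src, rest = take_addr(t[5:])
            dst, _ = take_addr(rest)
            acls.setdefault(t[1], []).append(dst)
        elif t[:3] == ["ip", "local", "pool"]:
            start, end = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            exempt.append(t[4])
    return acls, pools, exempt


def uncovered_pool_ranges(text):
    """Map each pool name to the CIDR blocks of it that no exemption ACL covers."""
    acls, pools, exempt = parse_config(text)
    exempt_dsts = [net for name in exempt for net in acls.get(name, [])]
    gaps = {}
    for name, (start, end) in pools.items():
        # Express the start-end range as CIDR blocks, then test each block.
        blocks = ipaddress.summarize_address_range(start, end)
        missing = [str(b) for b in blocks
                   if not any(b.subnet_of(d) for d in exempt_dsts)]
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    print("page sample:", uncovered_pool_ranges(SAMPLE_CONFIG))
    print("narrow ACL :", uncovered_pool_ranges(NARROW_CONFIG))
```

An empty result means every pool address is matched by the exemption ACL; any listed block is a set of client addresses whose return traffic would still be translated.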


VPN Service Failures


VPN Service Connection Fails
Problem You receive an “Unable to Proceed, Cannot Connect to the VPN Service” message. The VPN
service for AnyConnect is not running.
Solution Determine if another application conflicted with the service. See Determine What Conflicted With
Service.

Determine What Conflicted With Service


The following procedure determines if the conflict is with the initialization of the server at boot-up or with
another running service, for example, because the service failed to start.

Procedure

Step 1 Check the services under the Windows Administration Tools to ensure that the Cisco AnyConnect VPN Agent
is not running. If it is running and the error message still appears, another VPN application on the workstation
may need to be disabled or even uninstalled. After taking that action, reboot, and repeat this step.
Step 2 Try to start the Cisco AnyConnect VPN Agent.
Step 3 Check the AnyConnect logs in the Event Viewer for any messages stating that the service was unable to start.
Notice the time stamps of the manual restart from Step 2, as well as when the workstation was booted up.
Step 4 Check the System and Application logs in the Event Viewer for the same general time stamps of any messages
of conflict.
Step 5 If the logs indicate a failure starting the service, look for other information messages around the same time
stamp which indicate one of the following:
• a missing file—reinstall the AnyConnect client from a stand-alone MSI installation to rule out a missing
file.
• a delay in another dependent service—disable startup activities to speed up the workstation’s boot time.
• a conflict with another application or service—determine whether another service is listening on the
same port as the port the vpnagent is using or if some HIDS software is blocking our software from
listening on a port.

Step 6 If the logs do not point directly to a cause, use the trial and error method to identify the conflict. When the
most likely candidates are identified, disable those services (such as VPN products, HIDS software, spybot
cleaners, sniffers, antivirus software, and so on) from the Services panel.
Step 7 Reboot. If the VPN Agent service still fails to start, start turning off services that were not installed by a default
installation of the operating system.


VPN Client Driver Encounters Error (after a Microsoft Windows Update)


Problem If you recently updated the Microsoft certclass.inf file, the following message is encountered when
trying to establish a VPN connection:

The VPN client driver has encountered an error.

If you check the C:\WINDOWS\setupapi.log, you can see the following error:

#W239 The driver signing class list “C:\WINDOWS\INF\certclass.inf” was missing or invalid.
Error 0xfffffbf8: Unknown Error. Assuming all device classes are subject to driver signing
policy.

Solution Check which updates have recently been installed by entering C:\>systeminfo at the command
prompt or checking the C:\WINDOWS\WindowsUpdate.log. Follow the instructions to repair the VPN driver.

Repair VPN Client Driver Error


Even though the steps taken above may indicate that the catalog is not corrupt, the key file(s) may still have
been overwritten with an unsigned one. If the failure still occurs, open a case with Microsoft to determine
why the driver signing database is being corrupted.

Procedure

Step 1 Open a command prompt as an admin.


Step 2 Enter net stop CryptSvc.
Step 3 Analyze the database to verify its validity by entering esentutl /g
%systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb or rename the
following directory: %WINDIR%\system32\catroot2 to catroot2_old.
Step 4 When prompted, choose OK to attempt the repair. Exit the command prompt and reboot.

Driver Crashes
Fix Driver Crashes in VPNVA.sys
Problem VPNVA.sys driver crashes.
Solution Find any intermediate drivers that are bound to the Cisco AnyConnect Virtual Adapter and uncheck
them.


Fix Driver Crashes in vpnagent.exe


Procedure

Step 1 Create a directory called c:\vpnagent.


Step 2 Look at the Process tab in the Task Manager and determine the PID of the process in vpnagent.exe.
Step 3 Open a command prompt and change to the directory where you installed the debugging tools. By default,
the debugging tools for Windows are located in C:\Program Files\Debugging Tools.
Step 4 Type cscript vpnagent4.vbs -crash -p PID -o c:\vpnagent -nodumponfirst, where PID is the PID of
vpnagent.exe.
Step 5 Let the open window run in minimized state. You cannot log off of the system while you are monitoring.
Step 6 When the crash occurs, collect the contents of c:\vpnagent in a zip file.
Step 7 Use !analyze -v to further diagnose the crashdmp file.

Link/Driver Issues with Network Access Manager


If the Network Access Manager fails to recognize your wired adapter, try unplugging your network cable and
reinserting it. If this does not work, you may have a link issue. The Network Access Manager may not be able
to determine the correct link state of your adapter. Check the Connection Properties of your NIC driver. You
may have a "Wait for Link" option in the Advanced Panel. When the setting is On, the wired NIC driver
initialization code waits for auto negotiation to complete and then determines if a link is present.

Other Crashes
AnyConnect Crashes
Problem You received a “the system has recovered from a serious error” message after a reboot.
Solution Gather the .log and .dmp generated files from the %temp% directory (such as
C:\DOCUME~1\jsmith\LOCALS~1\Temp). Copy the files or back them up. See How to Back Up .log or
.dmp Files.

How to Back Up .log or .dmp Files

Procedure

Step 1 Run the Microsoft utility called Dr. Watson (Drwtsn32.exe) from the Start > Run menu.
Step 2 Configure the following and click OK:

Number of Instructions : 25
Number of Errors to Save : 25
Crash Dump Type : Mini
Dump Symbol Table : Checked
Dump All Thread Contexts : Checked
Append to Existing Log File : Checked
Visual Notification : Checked
Create Crash Dump File : Checked

Step 3 On the client computer, get the Cisco AnyConnect VPN client log from the Windows Event Viewer by entering
eventvwr.msc /s at the Start > Run menu.
Step 4 Locate the Cisco AnyConnect VPN Client in the Applications and Services Logs (of Windows 7) and choose
Save Log File As... Assign a filename such as AnyConnectClientLog.evt in the .evt file format.

AnyConnect Crashes in vpndownloader (Layered Service Provider (LSP) Modules and NOD32 AV)
Problem When AnyConnect attempts to establish a connection, it authenticates successfully and builds the
ssl session, but then the AnyConnect client crashes in the vpndownloader if using LSP or NOD32 AV.
Solution Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32
AV.

Blue Screen (AT & T Dialer)


Problem If you are using an AT&T Dialer, the client operating system sometimes experiences a blue screen,
which causes the creation of a mini dump file.
Solution Upgrade to the latest 7.6.2 AT&T Global Network Client.

Security Alerts
Microsoft Internet Explorer Security Alert
Problem A security alert window appears in Microsoft Internet Explorer with the following text:

Information you exchange with this site cannot be viewed or changed by others. However,
there is a problem with the site's security certificate. The security certificate was issued
by a company you have not chosen to trust. View the certificate to determine whether you
want to trust the certifying authority.

Solution This alert may appear when connecting to an ASA that is not recognized as a trusted site. To
prevent this alert, install a trusted root certificate on a client. See Install Trusted Root Certificates on a Client.

“Certified by an Unknown Authority” Alert


Problem A “Web Site Certified by an Unknown Authority” alert window may appear in the browser. The
upper half of the Security Alert window shows the following text:

Unable to verify the identity of <Hostname_or_IP_address> as a trusted site.


Solution This security alert may appear when connecting to an ASA that is not recognized as a trusted site.
To prevent this alert, install a trusted root certificate on a client. See Install Trusted Root Certificates on a
Client.

Install Trusted Root Certificates on a Client

Before you begin


Generate or obtain the certificate to be used as the trusted root certificate.

Note You can avoid security certificate warnings in the short term by installing a self-signed certificate as a trusted
root certificate on the client. However, we do not recommend this because of the possibility that a user could
inadvertently configure a browser to trust a certificate on a rogue server and because of the inconvenience to
users of having to respond to a security warning when connecting to your secure gateway.

Procedure

Step 1 Click View Certificate in the Security Alert window.


Step 2 Click Install Certificate.
Step 3 Click Next.
Step 4 Select Place all certificates in the following store.
Step 5 Click Browse.
Step 6 In the drop-down list, choose Trusted Root Certification Authorities.
Step 7 Continue following the Certificate Import wizard prompts.

Dropped Connections
Wireless Connection Drops When Wired Connection is Introduced (Juniper
Odyssey Client)
Problem When wireless suppression is enabled on an Odyssey client, the wireless connection drops if a wired
connection is introduced. With wireless suppression disabled, the wireless operates as expected.
Solution Configure the Odyssey Client.


Configure the Odyssey Client

Procedure

Step 1 In Network Connections, copy the name of the adapter as it appears in its connection properties. If you edit
the registry, perform a backup before making any changes and use caution as serious problems can occur if
modified incorrectly.
Step 2 Open the registry and go to HKEY_LOCAL_MACHINE\SOFTWARE\Funk Software,
Inc.\odyssey\client\configuration\options\adapterType\virtual.
Step 3 Create a new string value under virtual. Copy the name of the adapter from Network properties into the registry
portion. The additional registry settings, once saved, are ported over when a customer MSI is created and is
pushed down to other clients.

Connections to the ASA Fail (Kaspersky AV Workstation 6.x)


Problem When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right
after CSTP state = CONNECTED. The following message appears:

SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy
authentication, handshake, bad cert, etc.).

Solution Uninstall Kaspersky and refer to their forums for additional updates.

No UDP DTLS Connection (McAfee Firewall 5)


Problem When using McAfee Firewall 5, a UDP DTLS connection cannot be established.
Solution In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging
and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

Connection to the Host Device Fails (Microsoft Routing and Remote Access
Server)
Problem If you are using RRAS, the following termination error is returned to the event log when AnyConnect
attempts to establish a connection to the host device:

Termination reason code 29 [Routing and Remote Access service is running]
The Windows service “Routing and Remote Access” is incompatible with the Cisco AnyConnect
VPN Client.

Solution Disable the RRAS service.

Failed Connection/Lack of Credentials (Load Balancers)


Problem The connection fails due to lack of credentials.


Solution The third-party load balancer has no insight into the load on the ASA devices. Because the load
balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices,
we recommend using the internal ASA load balancing instead.

Installation Failures
AnyConnect Fails to Download (Wave EMBASSY Trust Suite)
Problem The AnyConnect client fails to download and produces the following error message:

“Cisco AnyConnect VPN Client Downloader has encountered a problem and needs to close.”

Solution Upload the patch update to version 1.2.1.38 to resolve all dll issues.

Incompatibility Issues
Failure to Update the Routing Table (Bonjour Printing Service)
Problem If you are using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify
the IP forwarding table.
Solution Disable the BonJour Printing Service by typing net stop "bonjour service" at the command prompt.
A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new
version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web
site.

Version of TUN is Incompatible (OpenVPN Client)


Problem An error indicates that the version of TUN is already installed on this system and is incompatible
with the AnyConnect client.
Solution Uninstall the Viscosity OpenVPN Client.

Winsock Catalog Conflict (LSP Symptom 2 Conflict)


Problem If an LSP module is present on the client, a Winsock catalog conflict may occur.
Solution Uninstall the LSP module.

Slow Data Throughput (LSP Symptom 3 Conflict)


Problem Slow data throughput may occur with the use of NOD32 Antivirus V4.0.468 x64 using Windows
7.
Solution Disable SSL protocol scanning. See Disable SSL Protocol Scanning.


Disable SSL Protocol Scanning

Procedure

Step 1 Go to Protocol Filtering > SSL in the Advanced Setup and enable SSL protocol scanning.
Step 2 Go to Web access protection > HTTP, HTTPS and check Do not use HTTPS protocol checking.
Step 3 Go back to Protocol filtering > SSL and disable SSL protocol scanning.

DPD Failure (EVDO Wireless Cards and Venturi Driver)


Problem If you are using an EVDO wireless card and Venturi driver when a client disconnect occurs, the
event log reports the following:

%ASA-5-722037: Group <Group-Name> User <User-Name> IP <IP-Address> SVC closing connection: DPD failure.

Solution
• Check the Application, System, and AnyConnect event logs for a related disconnect event and determine
if a NIC card reset was applied at the same time.
• Ensure that the Venturi driver is up to date. Disable Use Rules Engine in the 6.7 version of the AT&T
Communications Manager.
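
To check whether a DPD failure on the ASA lines up with a NIC reset on the client, as the first bullet suggests, the following Python example (added here, not part of the original Cisco document) extracts the 722037 messages from ASA log text and flags those that have a client-side reset inside a time window. The log lines and reset times are constructed, the leading timestamp layout is an assumption about what the ASA prints with logging timestamp enabled, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Message body as quoted on this page; the timestamp prefix is an assumed layout.
DPD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-5-722037: "
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<ip>[^>]*)> "
    r"SVC closing connection: DPD failure\."
)

# Constructed ASA log excerpt (documentation-range addresses).
ASA_LOG = """\
Mar 04 2024 09:14:57: %ASA-5-722037: Group <RemoteUsers> User <alice> IP <198.51.100.23> SVC closing connection: DPD failure.
Mar 04 2024 09:20:02: %ASA-6-302013: Built inbound TCP connection 8841 for outside:198.51.100.40/51234 (198.51.100.40/51234) to inside:10.0.4.10/443 (10.0.4.10/443)
Mar 04 2024 11:02:10: %ASA-5-722037: Group <RemoteUsers> User <bob> IP <198.51.100.40> SVC closing connection: DPD failure.
"""

# Constructed client-side data: NIC reset times per user, as an analyst would
# transcribe them from each workstation's System event log.
CLIENT_RESETS = {
    "alice": [datetime(2024, 3, 4, 9, 14, 51)],
    "bob": [datetime(2024, 3, 4, 10, 30, 0)],
}


def parse_dpd_failures(log_text):
    """Return one dict (ts, group, user, ip) per DPD-failure message."""
    failures = []
    for line in log_text.splitlines():
        match = DPD_RE.match(line.strip())
        if not match:
            continue  # some other syslog message
        item = match.groupdict()
        # Collapse any padding in the date before parsing it.
        stamp = " ".join(item["ts"].split())
        item["ts"] = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        failures.append(item)
    return failures


def correlate(failures, resets_by_user, window_s=60):
    """Return (user, failure time, reset_nearby) for each DPD failure.

    The comparison is only meaningful when the ASA and the client clocks are
    synchronized and expressed in the same time zone.
    """
    window = timedelta(seconds=window_s)
    report = []
    for f in failures:
        resets = resets_by_user.get(f["user"], [])
        nearby = any(abs(t - f["ts"]) <= window for t in resets)
        report.append((f["user"], f["ts"], nearby))
    return report


if __name__ == "__main__":
    for user, ts, nearby in correlate(parse_dpd_failures(ASA_LOG), CLIENT_RESETS):
        print(f"{ts} {user}: NIC reset within window = {nearby}")
```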

DTLS Traffic Failing (DSL Router)


Problem If you are connecting with a DSL router, DTLS traffic may fail even if successfully negotiated.
Solution Connect to a Linksys router with factory settings. This setting allows a stable DTLS session and
no interruption in pings. Add a rule to allow DTLS return traffic.

NETINTERFACE_ERROR (CheckPoint and other Third-Party Software such as Kaspersky)
Problem When attempting to retrieve operating system information on the computer’s network used to make
the SSL connection, the AnyConnect log may indicate a failure to fully establish a connection to the secure
gateway.
Solution
• If you are uninstalling the Integrity Agent and then installing AnyConnect, enable TCP/IP.
• Ensure that if you disable SmartDefense on Integrity agent installation, TCP/IP is checked.
• If third-party software is intercepting or otherwise blocking the operating system API calls while retrieving
network interface information, check for any suspect AV, FW, AS, and such.


• Confirm that only one instance of the AnyConnect adapter appears in the Device Manager. If there is
only one instance, authenticate with AnyConnect, and after 5 seconds, manually enable the adapter from
the Device Manager.
• If any suspect drivers have been enabled within the AnyConnect adapter, disable them by unchecking
them in the Cisco AnyConnect VPN Client Connection window.

Performance Issues (Virtual Machine Network Service Drivers)


Problem When using AnyConnect on some Virtual Machine Network Service devices, performance issues
have resulted.
Solution Uncheck the binding for all IM devices within the AnyConnect virtual adapter. The application
dsagent.exe resides in C:\Windows\System\dgagent. Although it does not appear in the process list, you can
see it by opening sockets with TCPview (sysinternals). When you terminate this process, normal operation
of AnyConnect returns.

Known Third-Party Application Conflicts


The following third-party applications have known complications with Cisco AnyConnect Secure Mobility
Client:
• Adobe and Apple—Bonjour Printing Service
• Adobe Creative Suite 3
• BonJour Printing Service
• iTunes
• AT&T Communications Manager Versions 6.2 and 6.7
• AT&T Sierra Wireless 875 card
• AT&T Global Dialer
• Citrix Advanced Gateway Client Version 2.2.1
• Firewall Conflicts
• Third-party firewalls can interfere with the firewall function configured on the ASA group policy.
• Juniper Odyssey Client
• Kaspersky AV Workstation 6.x
• McAfee Firewall 5
• Microsoft Internet Explorer 8
• Microsoft Routing and Remote Access Server
• Microsoft Windows Update
• OpenVPN client
• Load balancers
• Wave EMBASSY Trust Suite
• Layered Service Provider (LSP) Modules and NOD32 AV
• EVDO Wireless Cards and Venturi Driver
• DSL routers
• CheckPoint and other Third-Party Software such as Kaspersky
• Virtual Machine Network Service Drivers
