  1. Senior Member Kreken's Avatar
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    280

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #1

    Anyconnect client with Secure Desktop problems

    I have two weird problems which I can't seem to resolve. I opened a ticket with Cisco and spent 3 hours today with a CCIE:S on the phone. He said he will need some time to research.

    I set up the portal, created a connection profile and a group policy for anyconnect clients. When I connect to it, it installs CSD successfully. CSD opens up and the browser window opens to my firewall to download and install the anyconnect client. Automatic installation fails and it doesn't find Java installed. When I download and save the installation package to the desktop, the setup fails without giving any meaningful error. The only way for me to install the anyconnect client is to disable CSD and use Cache Cleaner.

    Problem one: I can't install anyconnect client from the inside of CSD or when CSD is enabled on the firewall.

    Problem two: When I click on the login portal button in CSD, the anyconnect client comes up and fails to connect, giving me this error message: The VPN connection failed due to unsuccessful domain name resolution. I have it connecting to the IP address and not a DNS name.

    But if I do the following, it works:
    1. Start anyconnect client. It connects and opens up secure desktop.
    2. In the secure desktop, it tries to connect and fails.
    3. I open up an internet browser and go to the firewall's IP address from inside the secure desktop. It starts/checks secure desktop and then goes on to another screen for anyconnect client installation. Installation fails but it gives me an option to log in to the portal.
    4. In the portal, I go to the anyconnect tab and select Start anyconnect.
    5. The VPN connects successfully.
    6. I log out from the portal and stay connected through the anyconnect client.
    If I disconnect using anyconnect client and try to connect again in the same CSD instance, I get the same error message: The VPN connection failed due to unsuccessful domain name resolution. So to connect again, I need to bring up the portal and repeat the steps above.

    At this point, I am not really sure what to look at so if anybody can give some pointers, it would be much appreciated.
  3. Member
    Join Date
    Jan 2008
    Posts
    32

    Certifications
    A+, Net+, Server+, Sec+, CCNA,CCDA,CCNA:SEC,CCNP,CCDP, MCSE/MCSA,MCITP,MCTS,MCSA 2012, ASA Firewall Specialist, CCIE# 47245
    #2
    Is this on an ASA or an ISR router?
    Sometimes settings in the browser can give you problems installing the anyconnect client... have you tried running as administrator?
    Also, you can try a different browser, Firefox or Safari.

  4. Senior Member Kreken's Avatar
    #3
    This is ASA 5510. I added the firewall to the trusted sites. I ran under admin account and used IE and Firefox.

  5. Member
    #4
    Quote: Originally posted by Kreken
    This is ASA 5510. I added the firewall to the trusted sites. I ran under admin account and used IE and Firefox.
    Check the ActiveX filtering settings, or just the ActiveX settings in general; make sure they are at least set to prompt for ActiveX. If the installation of the client doesn't work, usually the Java client wouldn't work either. Try another computer or a different version of anyconnect.
    But usually it is the computer settings; for some reason the installation is just not happening.

  6. Senior Member Kreken's Avatar
    #5
    Thank you for the post. I checked the ActiveX settings and they look OK to me. I don't really think the problem is with ActiveX because when, in the prelogin policy, I change the option "Install to wipe session data" from Secure Desktop to Cache Cleaner, the installation finishes successfully.

  7. Member
    #6
    Let me know if you were able to fix it... I'd like to see what could be causing the problem.

  8. Senior Member Kreken's Avatar
    #7
    Well, this is not a solution but rather an update. According to the release notes for CSD 3.6 version, it doesn't support any Win x64 environments which is a big bummer and will limit my deployment options to the point of "why bother". Link is here: Cisco.com Login Page

    On the troubleshooting note, Cisco says: "If you want to run Secure Desktop (the "Vault") on Windows XP over an AnyConnect connection, you must configure CSD to identify Windows Vista and Windows 7 operating systems in the prelogin policy and then run Cache Cleaner for those operating systems instead of Secure Desktop". I did exactly that and tested it on Win 7 and Win XP. It installs Anyconnect with Cache Cleaner on Win 7. On XP, it installs CSD and fails Anyconnect install.

  9. Senior Member Kreken's Avatar
    #8
    The solution is, Anyconnect 3.1 cannot be installed from CSD. Says so in the release notes.

    Edit: Another annoying thing with CSD, if you upgrade the version, your prelogin policy is wiped out. Or I don't know how to save them properly.

    2nd edit:
    Deprecation of Features: Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection, and Host Emulation Detection

    Cisco will stop developing the Secure Desktop (Vault), Cache Cleaner, Keystroke Logger Detection (KSL), and Host Emulation Detection features as of November 20, 2012.

    I should really start reading release notes. ;-/
    Last edited by Kreken; 12-05-2012 at 07:32 PM.

  10. Junior Member Registered Member
    Join Date
    Sep 2017
    Posts
    1
    #9

    AnyConnect \ the vpn failed due to unsuccessful domain resolution

    An agent called with this problem and I advised her to go to her C drive \ NT\ utilities \ Anyconnect folder\, where they have a Remove and an Install option. I advised her to remove it and restart, then do the same step with install and restart again. The agent was able to use it again.