IBM Support

AnyConnect VPN Client Troubleshooting Guide - Common Problems

This guide helps troubleshoot applications that don’t work with the Cisco AnyConnect VPN Client.
 

Basic Requirements & Setup

  • No specific prerequisites are required.
  • The guide is based on a Cisco Adaptive Security Appliance (ASA) running version 8.x.
  • Ensure your network is live and stable before executing any commands.

Common Issues & Solutions

1. Installation & Virtual Adapter Problems

Steps to troubleshoot:

  • Get the device log file:
    • Windows XP/2000: \Windows\setupapi.log
    • Windows Vista: \Windows\Inf\setupapi.app.log & setupapi.dev.log
  • Obtain the MSI installer log file:
    • Windows XP/2000: \Documents and Settings\<username>\Local Settings\Temp\
    • Windows Vista: \Users\<username>\AppData\Local\Temp\
  • Check PC system information:
    • Windows XP/2000: winmsd /nfo c:\msinfo.nfo
    • Windows Vista: msinfo32 /nfo c:\msinfo.nfo
    • If the driver database is corrupt, refer to AnyConnect: Corrupt Driver Database Issue.

2. Connection Problems (Disconnections / Failure to Connect)

Troubleshooting Steps:

  • Get the ASA configuration file:
    • write net x.x.x.x:ASA-Config.txt (where x.x.x.x is the TFTP server IP)
    • Alternatively, use show running-config and save it.
  • Enable logging on ASA:
config terminal
logging enable
logging timestamp
logging class auth console debugging
logging class webvpn console debugging
logging class ssl console debugging
logging class svc console debugging
  • Reproduce the issue and save logs.
  • Disable logging: no logging enable.
  • Check AnyConnect logs in Windows Event Viewer:
    • Run: eventvwr.msc /s
    • Save logs as AnyConnect.evt

Common Causes & Fixes:

  • Multiple user sessions logged in? Disconnect Remote Desktop (RDP) sessions and disable Fast User Switching.
  • Blocked port 443? Ensure it is open.
  • Version incompatibility? Update the AnyConnect client to match the ASA software.
  • Error: 'User not authorized for AnyConnect Client access'
    • Upload the missing AnyConnect image to ASA.
    • Disable Datagram Transport Layer Security (DTLS):
      • In ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles
      • Uncheck Enable DTLS

3. Traffic Issues (Applications Not Working, Slow Speed, or Dropped Packets)

Fixes:

  • Check VPN session details:
show vpn-sessiondb detail svc filter name <username>
  • If Filter Name: XXXXX appears, check access lists:
show access-list XXXXX
  • Check NAT settings:
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
  • Exempt AnyConnect traffic from inspection policy:
ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect skinny
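
The NAT check above only helps if the nat0 access list covers every address the pool can hand out. The following is an added example, not part of the original guide or any Cisco tooling: it parses the three configuration lines quoted above (embedded as constructed sample input) and reports any pool addresses without a NAT exemption. It assumes ACL entries of the form "permit ip any <network> <mask>"; the names parse and uncovered are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the three NAT-check lines quoted in the guide.
SAMPLE_CONFIG = """\
access-list in_nat0_out extended permit ip any 10.136.246.0 255.255.255.0
ip local pool IPPool1 10.136.246.1-10.136.246.254 mask 255.252.0.0
nat (inside) 0 access-list in_nat0_out
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any ([\d.]+) ([\d.]+)$")
# Accepts the ASA "first-last" form and the IOS "first last" form.
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)[- ]([\d.]+)(?: mask [\d.]+)?$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse(config):
    """Return (NAT-exempt destination networks, {pool name: (first, last)})."""
    acls, pools, nat0_acls = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[1])
    # Only ACLs actually referenced by a "nat (...) 0" line exempt traffic.
    exempt = [net for name in nat0_acls for net in acls.get(name, [])]
    return exempt, pools


def uncovered(config):
    """Return {pool: [address blocks of the pool with no NAT exemption]}."""
    exempt, pools = parse(config)
    gaps = {}
    for name, (first, last) in pools.items():
        # The pool "mask" is ignored: only the handed-out range matters here.
        missing = [
            block
            for block in ipaddress.summarize_address_range(first, last)
            if not any(block.subnet_of(net) for net in exempt)
        ]
        if missing:
            gaps[name] = missing
    return gaps


if __name__ == "__main__":
    print(uncovered(SAMPLE_CONFIG) or "every pool address is NAT-exempt")
```

An empty result means the exemption covers the whole pool; any listed block is a range of client addresses whose traffic would still be translated.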

4. VPN Client Crashing Issues

Steps to resolve:

  • Enable Dr. Watson for crash logs:
    • Run: Drwtsn32.exe and configure:
      • Crash Dump Type: Mini
      • Dump Symbol Table, Dump All Thread Contexts, Append to Log: Checked
  • Gather logs from: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
  • Export AnyConnect event logs from Windows Event Viewer.

5. Fixing Fragmentation / Large Packet Drop Issues

Symptom:

Applications like Outlook fail while small pings work.

Solution:

  • Test ping sizes:
ping -l 500 <destination>
ping -l 1000 <destination>
ping -l 1500 <destination>
  • Set MTU for users experiencing fragmentation:
ASA(config)# group-policy <name> attributes
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# svc mtu 1200
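
Instead of three fixed sizes, the ping test above can be run as a search for the largest size that still gets a reply. The following is an added example, not part of the original guide: it drives the Windows ping command with the Don't Fragment flag (-f) and converts the result into a candidate value for svc mtu. The function names are hypothetical, and it assumes English ping output and that the tunnel MTU should not exceed the largest inner packet that passed.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def windows_ping(host, size):
    """Send one echo with `size` data bytes and Don't Fragment set."""
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(size), host],
        capture_output=True, text=True,
    )
    # Windows ping can exit 0 on "Destination host unreachable",
    # so also require the TTL field that only a real echo reply carries.
    return result.returncode == 0 and "TTL=" in result.stdout


def largest_passing_size(host, probe=windows_ping, low=500, high=1500):
    """Binary-search the largest payload in [low, high] that gets a reply.

    Returns None if even `low` fails, i.e. the problem is not packet size.
    """
    if not probe(host, low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid):
            low = mid          # mid passed: the limit is at or above mid
        else:
            high = mid - 1     # mid dropped: the limit is below mid
    return low


def suggested_mtu(payload):
    """Size of the IP packet that carried `payload` bytes of ping data."""
    return payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    best = largest_passing_size(sys.argv[1])  # host reachable through the VPN
    print("no reply at 500 bytes" if best is None else
          f"largest payload {best}, candidate svc mtu {suggested_mtu(best)}")
```

Run it on an affected client while connected, against a host behind the VPN; a largest payload of 1172 bytes corresponds to the 1200-byte MTU used in the configuration above.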

6. Error: 'Session limit of 2 reached'

Cause:

AnyConnect Essentials license is not supported in ASA version 8.0.4.

Fix:

Upgrade ASA to version 8.2.2+ or adjust session limits:

ASA(config)# vpn-sessiondb max-anyconnect-premium-or-essentials-limit <desired-limit>

7. Error: 'AnyConnect not enabled on VPN server'

Fix:

Enable AnyConnect on the ASA's outside interface via ASDM.

8. Fixing Login & Authentication Errors

Error: 'The secure gateway has rejected the connection'

Cause:

The ASA IP pool is exhausted or misconfigured.

Solution:

  • Check pool configuration:
Router# show run | in pool
ip local pool SSLPOOL 192.168.30.2 192.168.30.254
svc address-pool SSLPOOL
  • If missing, add the pool again.

9. Error: 'VPN Client Driver Encountered an Error'

Fix:

  • Manually allow the VPN Agent service to interact with the desktop:
    • My Computer > Manage > Services > Cisco AnyConnect VPN Agent
    • Properties > Log On > Allow service to interact with desktop
  • If Routing and Remote Access Service (RRAS) is enabled, disable it before starting AnyConnect.

10. Fixing Certificate Issues

Error: 'Certificate Validation Failure'

Solution:

  • Import the client certificate to your browser.
  • Enable SSL client certificate authentication on ASA:
ssl certificate-authentication interface outside port 443

Document Information

Modified date:
04 March 2025

UID

ibm17184777