Failed To Download Anyconnect Vpn Profile


Melva Simons

May 7, 2024, 6:00:50 PM5/7/24
to deomaresert

However, the modified profile is not read in. I can put garbage in the profile, or even delete the file, and AnyConnect executes as if the profile wasn't there. So, it appears to continue run with the profile that existed at installation. I need to know how to force it to read a new profile.


The XSD file is NOT the correct file to do this. You need to modify the VPN profile (an XML file, NOT XSD) that is installed on the PC (if you have one, or create a new profile and upload it to the ASA). The profile can be created through the VPN Profile editor. The setting you are looking for is this one. You will also need to properly fill in the other fields in the profile for what features you are using.

Do you know if you already have an XML file pushed? Even if you modify the local profile that you have, the first time you connect to the headend this profile can potentially be overwritten with the one on the headend. If the profile is being pushed with the "user controllable" option set, then you can change the behavior through the Preferences tab on the AnyConnect GUI.

I have an open case with TAC, but they have not been very helpful. The a/c profile file is working with the clients. I need to enable "local lan" in the editor so people can print to local IP printers.

If the user cannot connect with the AnyConnect VPN Client, the issue might be related to an established Remote Desktop Protocol (RDP) session or Fast User Switching enabled on the client PC. The user can see the "AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established" error message on the client PC. In order to resolve this issue, disconnect any established RDP sessions and disable Fast User Switching. This behavior is controlled by the Windows Logon Enforcement attribute in the client profile; however, currently there is no setting that actually allows a user to establish a VPN connection while multiple users are logged on simultaneously on the same machine. Enhancement request CSCsx15061 was filed to address this feature.

The dartbundle files show this error message when the user gets disconnected: "TUNNELPROTOCOLDPDMGR_ERROR_NO_DPD_RESPONSE: The secure gateway failed to respond to Dead Peer Detection packets." This error means that the DTLS channel was torn down due to Dead Peer Detection (DPD) failure. This error is resolved if you tweak the DPD keepalives and issue these commands:

The svc keepalive and svc dpd-interval commands are replaced by the anyconnect keepalive and anyconnect dpd-interval commands respectively in ASA Version 8.4(1) and later as shown here:

A backup server list is configured in case the main server selected by the user is not reachable. This is defined in the Backup Server pane in the AnyConnect profile. Complete these steps:

While the SSL VPN is connected through a web browser, the "Unable to Update the Session Management Database." error message appears, and the ASA logs show "%ASA-3-211001: Memory allocation Error. The adaptive security appliance failed to allocate RAM system memory."

This error can also occur if the vpn-sessiondb max-anyconnect-premium-or-essentials-limit session-limit command is used to set the limit of VPN sessions permitted to be established. If the session-limit is set as two, then the user cannot establish more than two sessions even though the license installed supports more sessions. Set the session-limit to the number of VPN sessions required in order to avoid this error message.

Certificate authentication works differently with AnyConnect compared to the IPSec client. In order for certificate authentication to work, you must import the client certificate to your browser and change the connection profile in order to use certificate authentication. You also need to enable this command on your ASA in order to allow SSL client-certificates to be used on the outside interface:

"Contact your system administrator. The installer failed with the following error: This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package."

Hello! Actually ran across this recently, and while doing a bit of research, found this thread. I was able to resolve the issue by verifying (and correcting) the permissions on the directory that the profile is stored in. This varies by operating system, the paths for XP and 7 are:

Updating the profiles doesn't seem to work for us, so I'm going to update the user from AnyConnect version 3.1.x to 4.3.x. Checked all the file/folder permissions in the /opt/cisco/anyconnect/profile/ path.

I can confirm that copying a working profile (preferably the one you want to use) from a Win installation to a Linux installation helped. (Previously I tried to change owners and access rights for all the folders in /opt/cisco, but strangely enough, none of that worked...)

We have setup AnyConnect MFA with Azure (using NPS extension). It is working fine with the test connection profile. But it failed on Prod Connection profile. Both using same LDAP user groups. NPS servers and policies are identical. User receives text code on mobile but does not get authenticated. Weirdly, user can complete authentication with Microsoft authenticator Application. Is there anything missing on Prod Connection profile or Group policies or Azure?

Thank you for your response. It is working fine on the test connection profile. We are using the same NPS server and LDAP user group for both. Unfortunately, I can't debug because it's in Production. I am keen to get to the root cause of what could be wrong with the Production connection profile.

We've been using the AnyConnect client to connect VPN users to our MX84, and it works fine without any issues when just manually copy/pasting the ddns name for the VPN, but we have multiple sites, and are starting to get a few users that connect to multiple sites, so looking to add a profile that will list all of the available servers to connect to.

I used the VPN profile editor to create a profile, added our servers to the server list, and saved the "profile.xml" file to the "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" folder on the workstation, but no matter what I do, nothing shows up in the AnyConnect GUI dropdown. I have rebooted and that didn't help either.

I guess the server provides some default profile settings on each connect. Is it possible to replicate it like a file-based profile configuration which works exactly the same way as the one received from the server?

If the profile has a UserGroup (i.e., tunnel group) entry for a host entry, the AnyConnect client behaves differently. Meaning, the profile mandates that the user explicitly connect to the UserGroup for that host entry. In such a scenario, the VPN server (i.e., ASA) will not present the other tunnel groups available on the ASA. The user strictly has to pass the authentication (username/password or certificate) configured for that tunnel group on the ASA.

This is not a System Extension, it's a Background Service. You need to force enable the Background Service, or Managed Login Item as it's called in MDM. Below is an example of a configuration profile that would enable this toggle for an application called Cyber-Ark EPM. The general principle is the same for any Background Service approval.

I have this working on 2 test Macs and on my production Mac, using the above config profile that @hhorn posted. However, for 2 of my test users to whom I've deployed the same config profile and the same version of AnyConnect (5.1.1.42), they are still getting "no connection... Reattach failed".

What could be going wrong on my test users?

AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer. A VPN connection will not be established. AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

The client (Vista64) is behind a firewall and can connect outside only via HTTP proxy. Wireshark shows that the authentication and initial setup correctly uses the system wide proxy, however, profile update does a direct tcp connection and of course - fails.

Hi, we upgraded our AnyConnect image to the (anyconnect-win-4.9.01095-webdeploy-k9.pkg) version and now we are receiving the "Cryptographic algorithms required by the secure gateway do not match those supported by AnyConnect" error. Can...

When you are configuring the profile in IKEv2 and you are declaring the aaa authorization group anyconnect-eap list 'NAME OF YOUR AAA AUTHORIZATION NETWORK', you must FOLLOW this up with the IKEv2 Authorization Policy!!

2. The default proposal must be disabled in order to utilise the manually configured proposal
This subsequent issue we run into is a direct consequence of the above configuration.
Now that we have declared a policy that will be linked with a manually configured proposal, we must disable the default policy. Otherwise the config will still prioritise the default policy, which will result in the default proposal being utilised.
When you have configured a custom IKEv2 Proposal and Policy you can and should disable the defaults:
no crypto ikev2 proposal default
or
no crypto ikev2 policy default
Because the default policy was being utilised, this was initiating the default proposal. This resulted in IKEv2 using deprecated cryptography, integrity and Diffie-Hellman groups in the IKEv2_INIT part of the negotiation. Consequently only anyconnect
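As an added example (not code from the post, from Cisco, or from any of the quoted threads), a small Python audit that parses an AnyConnect profile XML of the shape discussed above and reports LocalLanAccess (and whether the user may change it), WindowsLogonEnforcement, and each host entry's pinned UserGroup and backup servers, so the locally installed profile.xml can be compared with the copy the headend pushes. The element names and the sample profile are assumptions made for the example, not values taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not taken from the thread). Element names follow the
# AnyConnect VPN profile schema as assumed here; check them against a real profile.xml.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>HQ VPN</HostName>
      <HostAddress>vpn-hq.example.com</HostAddress>
      <UserGroup>employees</UserGroup>
      <BackupServerList>
        <HostAddress>vpn-hq-2.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>Branch VPN</HostName>
      <HostAddress>vpn-branch.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}


def summarize_profile(xml_text):
    """Pull out the settings the thread argues about: LocalLanAccess (and whether the
    user may flip it), WindowsLogonEnforcement, and each host entry's pinned UserGroup
    and backup servers. Returns a plain dict so it can be diffed against the headend copy."""
    root = ET.fromstring(xml_text)
    init = root.find("ac:ClientInitialization", NS)
    lan = init.find("ac:LocalLanAccess", NS) if init is not None else None
    logon = init.find("ac:WindowsLogonEnforcement", NS) if init is not None else None
    hosts = []
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        group = entry.find("ac:UserGroup", NS)  # absent means the ASA offers all tunnel groups
        hosts.append({"name": entry.findtext("ac:HostName", namespaces=NS),
                      "address": entry.findtext("ac:HostAddress", namespaces=NS),
                      "user_group": group.text if group is not None else None,
                      "backups": [b.text for b in entry.findall("ac:BackupServerList/ac:HostAddress", NS)]})
    return {"local_lan_access": lan is not None and (lan.text or "").strip().lower() == "true",
            "local_lan_user_controllable": lan is not None and lan.get("UserControllable", "false").lower() == "true",
            "windows_logon_enforcement": logon.text.strip() if logon is not None and logon.text else None,
            "hosts": hosts}
```

Run it against the file in the profile directory named in the thread and against the profile exported from the ASA; any difference in these fields shows which copy the client is actually honouring.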
