We're having some trouble with a Meraki AnyConnect deployment and wanted to check with the community to see if anyone else has encountered this random issue. The deployment is MX 250 running firmware 18.107.2 with authentication to DUO via SAML. On the client side, Meraki AnyConnect v4.10.05085.
This issue is fairly new, has impacted various users, we're unable to reproduce it, and it appears to have shown up after a recent MX firmware upgrade. We have an open Meraki Support case on this that's not progressing.
As for the issue, when a user attempts to establish the Meraki AnyConnect VPN connection, the AnyConnect client displays this error: "Authentication failed due to problem navigating to the single sign-on URL."
When the issue occurs, we have confirmed that Internet access is good and that the user is 100% able to navigate to the SSO URL via web browser, which indicates that this isn't a DNS, connectivity, or service availability issue. While this is occurring for a specific user, others are able to establish VPNs without issue. Rebooting the client PC does not help, and waiting a while and trying again does not help.
In a few instances we've attempted to upgrade a client to Cisco Secure Client AnyConnect 5.0.02075 with same error. I have also been informed that the error condition remains if you uninstall/reinstall without deleting "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client".
No, this is still an ongoing issue for us. It looks like you're running the same MX firmware version though. We've been testing AnyConnect Client v5.0.02075 but I have been reluctant to push that out until we figure out what's going on with the issue on our currently deployed version v4.10.05085. Based on your situation, it looks like whatever is happening here is impacting both of these versions.
I'm unable to reproduce the issue which is what Meraki Support is asking for so I'm kind of in a jam.
Our company had the same issues. Azure domain-joined workstations with Intune would get the SSO issue with version 5.x. The same workstation would log in under the local user account. Downgrading to version 4.x resolved it.
For anyone that decides to further engage with support on this matter, my experience is that Cisco TAC will not help if the AnyConnect VPN is terminating to a Meraki MX appliance. Meraki Support will not help as their position (as stated in my open case) is that they do not support AnyConnect. From my Meraki case, "Unfortunately, we do not have any control over Anyconnect nor support it." To this point, there's been no level of engagement with my Meraki or Cisco team that has resulted in getting any step closer to understanding what's going on. I'd strongly suggest to anyone looking at using AnyConnect with an MX to really consider that you're doing so without support which is obviously fine until you need it.
I'll keep trying on my end and will surely post any relevant updates.
We logged into the PC as an administrator and established the VPN without any issues. We then disconnected the VPN and logged back into the PC as the standard user and were able to make a successful VPN connection without the error.
We're going to continue testing and I'll post an update with subsequent findings. If this holds true going forward, then the requirement to downgrade is resolved but I'd really like to understand what's causing this issue in the first place.
I had to add the domain user to the Power Users group and now the user is able to connect consistently without this error.
I would suggest monitoring this; if the work-around is no longer working, try adding the user with different permissions on the local system. In this case I know for a fact the Power Users group works.
Since we last connected, I was ultimately able to open a collaborative support case between Cisco, Meraki, and DUO to hopefully get to the bottom of this. With that said, I had a call with the Cisco Support team yesterday, as a result of me informing them about the suggested work-around of adding the above-mentioned registry key.
Long story short, they concur that trying the above step, as part of our continued troubleshooting, makes sense. I have informed my team to implement this on a case-by-case basis, as the issue occurs. I will definitely report back with an update on how that goes for us.
Your prior recommendation (to log in as local admin and run VPN client) has been our go-to move (continued thanks for that!). However, this reg key, providing it works for us, would be much simpler to implement globally.
If of any value, I was supplied with the link below, which provides some details on the change in AnyConnect 4.10.05095 that resulted in the AnyConnect embedded browser defaulting to the WebView2 runtime, providing that it's installed. The new registry key above reverts the AnyConnect browser to use the legacy embedded browser control.
_client/anyconnect/anyconnect410/release/notes/rel...
Keep getting this message when trying to re-install Cisco VPN - "anyconnect secure mobility client cannot be installed on this disk. Version 3.1.02026 of the cisco anyconnect secure mobility client is already installed." Moved and deleted and when I search I only find the download or emails with information on the subject.
Whenever you remove system modifications, they must be removed completely, and the only way to do that is to use the uninstallation tool, if any, provided by the developers, or to follow their instructions. If the software has been incompletely removed, you may have to re-download or even reinstall it in order to finish the job.
Tried again with reboots (same way I did before) and it worked loading the web-based one. Talked with our VPN guru here also (has a Mac at home) and went through the process with him and he did the same thing I did. Well, it worked for him.
@phirk I have the same issue with Cisco AnyConnect. I actually had a 1-on-1 lab session with the Xcode team during WWDC regarding this. They changed the stack from previous Xcodes to a new stack called CoreDevice, I believe. It's mostly a network connection, so when Cisco connects it 'kills' those devices and immediately on Cisco disconnect it sees them again. It's a pain to have to disconnect to be able to debug on a device. I also submitted feedback with as many details as possible about our Cisco setup. They are looking into it, but it might not be an Apple thing. It could be Cisco AnyConnect and it also could be how it's set up at your workplace. So as of right now it's kind of an outstanding issue with no solution at the moment.
In our case it was Check Point Firewall.app that was blocking the device pairing process. Unfortunately we had to find this by a long trial and error process since there was no proper logging from Xcode (even with verbose logging enabled).
We have the same issue with Cisco AnyConnect 4.10.* and Xcode Beta 4 + macOS Ventura 13.4.1: when the Cisco process connects to the VPN you can't debug on device; there is no option to connect it then. On the previous Xcode everything worked correctly. Any info about this bug? Is it an Apple issue or a Cisco issue?
As the comment in the PKGBUILD says (you've read it, right? ;) ), Cisco does not provide public downloads for this, so you have to obtain the installer yourself either through your own Cisco account or through your company's.
This package is obsolete since cisco-anyconnect has been replaced by cisco-secure-client. The corresponding AUR package is cisco-secure-client, which does not require authentication from Cisco for download and can simply be installed normally.
On Arch Linux I finally managed to get the "vpnagentd" service to work... But that's it... The app didn't open.
In Manjaro everything worked 100% and I even completely removed the Arch Linux application, copied the version I compiled in Manjaro and installed it on Arch Linux... It also worked 100%.
Just for reference, when I tried to use the following command, GDK_BACKEND=x11 cisco-anyconnect, to force the x11 backend, that error disappeared. But it just pops up a black window and crashes after a few seconds.
While Cisco Secure Client 5 will upgrade AnyConnect 4.x in-place, this action is more of a migration than an in-place upgrade because so many of the pieces have changed. Names, file paths, icons, and launch agents & daemons are all different.
Obviously these new names change the path to any files contained within. The executables are also renamed, but the bundle identifiers are the same as AnyConnect 4.10. The renamed apps all have updated icons:
Speaking of the modules, many customers do not install all the modules and need to customize their installation with a choice changes XML file. The default XML is still generated with a command like installer -showChoiceChangesXML -pkg "/Volumes/Cisco Secure Client 5.0.02075/Cisco Secure Client.pkg", but the critical thing to know here is that the names of the choices have been updated to reflect some branding changes.
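As an added example (not Cisco's code or the post's), the following Python rewrites a choice changes plist of the shape installer -showChoiceChangesXML emits: it deselects the named modules and refuses identifiers the package does not define, so a file carried over from AnyConnect 4.10 fails loudly instead of silently installing everything. The sample plist and its choice identifiers are constructed placeholders; take the real names from the command above.

```python
import plistlib

# Constructed sample in the shape `installer -showChoiceChangesXML` emits:
# one dict per (choice, attribute) pair. The choice identifiers are
# placeholders, not the real names from the Cisco Secure Client package.
SAMPLE_CHOICE_CHANGES = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict><key>attributeSetting</key><integer>1</integer><key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_vpn</string></dict>
  <dict><key>attributeSetting</key><true/><key>choiceAttribute</key><string>enabled</string>
        <key>choiceIdentifier</key><string>choice_vpn</string></dict>
  <dict><key>attributeSetting</key><integer>1</integer><key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_dart</string></dict>
  <dict><key>attributeSetting</key><integer>1</integer><key>choiceAttribute</key><string>selected</string>
        <key>choiceIdentifier</key><string>choice_thousandeyes</string></dict>
</array>
</plist>
"""


def stale_identifiers(plist_bytes: bytes, wanted: set) -> set:
    """Identifiers in `wanted` that the package does not define. A file
    written for AnyConnect 4.10 names choices Secure Client 5 renamed;
    installer skips those silently, so catch them before deployment."""
    known = {c["choiceIdentifier"] for c in plistlib.loads(plist_bytes)}
    return set(wanted) - known


def deselect_choices(plist_bytes: bytes, to_remove: set) -> bytes:
    """Return the plist with the modules in `to_remove` deselected."""
    stale = stale_identifiers(plist_bytes, to_remove)
    if stale:
        raise ValueError(f"unknown choice identifiers: {sorted(stale)}")
    changes = plistlib.loads(plist_bytes)
    for change in changes:
        # Only the 'selected' attribute controls installation; leave the
        # 'enabled' and 'visible' entries exactly as the package emitted them.
        if change["choiceAttribute"] == "selected" and change["choiceIdentifier"] in to_remove:
            change["attributeSetting"] = 0
    return plistlib.dumps(changes)


def selected_choices(plist_bytes: bytes) -> list:
    """Choice identifiers the plist would install, in file order."""
    return [c["choiceIdentifier"] for c in plistlib.loads(plist_bytes)
            if c["choiceAttribute"] == "selected" and c["attributeSetting"] == 1]
```

Write the returned bytes to a file and hand it to installer with -applyChoiceChangesXML alongside -pkg and -target.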
Launch Agents and Daemons have updated labels and paths to reflect the new product name. (The labels were slightly different than shown here in the initial 5.0.00556 release but were made more consistent in 5.0.01242.)
The applications in the Installer pkg, with their bundle identifiers, are as follows:
DART: com.cisco.secureclient.dart
ThousandEyes: com.cisco.secureclient.thousandeyes
Cisco Secure Client: com.cisco.secureclient.gui
Socket Filter looks to be the same: com.cisco.anyconnect.macos.acsock