Cisco 4.10

Jennifer Downey

Aug 3, 2024, 4:19:15 PM
to ilharrottba

After an upgrade from AnyConnect 4.10.06079 to 4.10.07061 we have this error on our clients "The VPN connection was terminated due to loss of the network interface. A new connection is necessary, which requires re-authentication."

We use GINA to log in to the VPN before we use the Windows login. The first VPN login succeeds, and after the login in Windows, AnyConnect destroys the VPN tunnel with the error message "The VPN connection was terminated due to loss of the network interface. A new connection is necessary, which requires re-authentication."

We have opened a ticket and are waiting for a solution. The new 7062 version has the same error. The error seems to be in the NAM component and in the proxy settings. The Cisco NAM team is working with us to troubleshoot.

We are experiencing the same issue on 07061 and 07062. A wired connection does not retain the SBL-initiated VPN connection after logging in to Windows. The issue does not occur when the device is connected via wireless.
Have you opened a TAC yet? I was going to, but it appears I need to go to a different group on our end as I do not have entitlement to AnyConnect, but if somebody else has already opened a TAC I may not want to put myself through that internal struggle.

Unfortunately I didn't get to it until late this afternoon. Your summing up is exactly what happens here too. Today I found out that using a wired connection also works (does not trigger the issue) if WiFi is disabled in Windows (Windows 10 in our case). So having both active/connected at start-up triggers the issue. WiFi only: no issue. Ethernet only+WiFi disabled: no issue.

Today I also tried 07062 (unfortunately I read your message after) and can confirm the issue is there too. This was what I expected since only a NAM issue was fixed compared to 07061 but of course I wanted to test the latest 4.10 release and rule this out.

Yes, very busy so I forgot to update here. The issue was fixed for us. It is a bug on the MR7 AnyConnect image, see link below. The bug describes a different error than our users saw but there were syslog messages indicating the same issue.

Thanks for that. Though it is a bummer. We do not manage the concentrator, we are the only (relatively) small group using SBL and presumably the only group experiencing this issue since we can only reproduce it with SBL. None of the other groups use SBL, so I only presume they don't experience the issue.
So unfortunately, it sounds like we will have to deal with it unless Cisco ever remediates the issue from the client software; but from that bug article, it sounds like they won't be doing that any time soon.

With CSCwf67833 I see that 54 support cases are already registered there.
Apparently there are also other customers who need the proxy settings and cannot simply switch them off.
Cisco should be aware that this is an urgent issue, act quickly and fix the problem.

To explain why version 5 was suggested:
We urgently need an update because of this: Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability
This is fixed in 4.10.07061 and 5.0.02075.
Version 4 has the proxy bug; with version 5 we would have to invest much work to change our installation and CLI scripts.

The support contract should be consistent with the license you have for AnyConnect. There are three types currently: Plus, Apex and VPN-only. Plus is by far the most common as it maps to the old Essentials license type. Apex is the next most common with VPN Only being a distant third place. Plus and Apex are term licenses that include support (which includes download entitlement). VPN Only is a permanent license that requires a separate support SKU. The entry level SKU is the one you mentioned. It is for 25 users.

Note customers typically purchase the support SKU along with the software license - it may be that your cisco.com account was not associated properly if that was the case in your situation. And, as I noted, if the original purchase was for one of the much more common term licenses then it is just a matter of getting the contract association fixed for your account.

Two days ago, after several months of trouble-free operation, my AnyConnect installation refused to connect to the corporate VPN from my home network unless I first connected through a network other than my home network, such as Starbucks WiFi. After connecting through Starbucks, I could connect once and only once through my home network. If I disconnect, I cannot connect again through the home network unless I first connect through a different network.

The symptom is that the Mobility Client dialog hangs with a "Please complete the authentication process in the AnyConnect Login Window." message.

It appears that the reason for the hang is that after the Single Sign-on authentication is entered, cscan.exe crashes with an access violation in libwalocal.dll.

Issue resolved after uninstalling the router update.
Some users were able to connect using their mobile hotspot and then change to home WiFi. The issue was intermittent and definitely it was related to the last router update.

We have also run into this exact issue. It started occurring since AnyConnect/HostScan version 4.10.05085 and up, with both Windows 10 and 11, and it is intermittent. I saw this fix about a RestoreConnection registry entry from the link below, so it may be worth trying.

Thanks so much for the prompt response! I was informed there are a small number of people running into this problem. I think I am chasing a red herring at the moment because I noticed a Symantec AV scan and the cscan.exe application crash happening at the same time on one user's system. Also, did you notice if Macs were having an issue with this or only Windows?

I believe the problem stemmed from the server hostscan and was unrelated to the client applications. Neither updating the AnyConnect client multiple times nor tweaking Registry entries resolved the crashes.

The AnyConnect client software crashed on this error, indicating a defect, but whether Cisco intends to fix the defect I don't know.

Be aware, though, that this error was significant enough that our IS group pushed Cisco to determine the problem and effect a workaround. The back and forth continued for weeks or even months.

Thanks again for the feedback. I will be playing the same game with TAC. I can't believe more people haven't reported this issue; it's very intermittent but widespread. Our sysadmin teams have also gone through the uninstall/reinstall of AnyConnect, OS rebuild, deleting the HostScan files, certs, etc., the usual stuff on the local user systems. We have had to downgrade in the past; I truly hope that isn't the only answer at this point.

No, the RestoreConnect did not fix the issue. We opened a case with TAC, and the workaround was to downgrade the HostScan to version 4.10.03104 (not necessary to downgrade the AnyConnect clients on the users' computers or the webdeploy packages on the ASA).

A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.

This vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: -cisco-worldwide-contacts.html
