Troubleshooting SSLVPN
When installing and using the Cisco AnyConnect SSLVPN (Secure Sockets Layer Virtual Private Network) client, problems may occur. This document will help diagnose and solve some potential issues that may be encountered. Use the links below to jump to a topic or scroll down to read all of the topics.
- Installing the SSLVPN Client
- Launching the SSLVPN Client
- Terminal Services
- Firewall Exceptions
- Authentication Failures
- Certificate Errors
- Error “The VPN client driver has encountered an error”
- Error “Connection attempt has failed due to unresolvable host entry”
- Is there an SSL VPN client for MacOS Snow Leopard?
Installing the SSLVPN Client
AnyConnect is a straightforward installation. To install the client, go to http://sslvpn.asu.edu. After you've provided your credentials, the installation will start immediately. On Windows machines, the web installation will first attempt to install the AnyConnect client through ActiveX. The following screen will appear if ActiveX is the method of installation:

If that fails, or if the machine is using OS X or Linux, the web installation will try to install through Java. The person who is installing the client will be prompted to allow the installation of the software through either Java or ActiveX. If neither Java nor ActiveX is available, then a link to the installation file for each respective operating system will appear.
Launching the SSLVPN Client
After the web installation completes, the client will be automatically connected. Once the client is either closed or disconnected, there are two methods to re-establish the session.
Method One: Connect via Browser
Connect via browser using the same process as before. After signing into the page at http://sslvpn.asu.edu, the AnyConnect client will already be detected. You will be prompted that the VPN client is already installed and connected.

Upon clicking “OK” the session will be initiated.
Method Two: Launch Application Directly
If you are running Windows, the Cisco client can be accessed by clicking the Start button, going to “All Programs”, locating the “Cisco” folder, going to the folder “Cisco AnyConnect VPN Client” and selecting the Cisco AnyConnect VPN Client.

A shortcut icon can be placed on the desktop by right-clicking on the Cisco AnyConnect VPN Client.

When launching the application this way for the first time, you will see the following GUI interface:

You will need to enter the server name "sslvpn.asu.edu". Afterwards, press “connect” and it will verify the server exists before it prompts for credentials. Credentials are the user’s ASURITE and password.
When the client is actively running, you will see the AnyConnect icon on the lower right hand corner of the monitor.

Terminal Services/Remote Desktop Protocol
Remote connections to either workstations or servers on the ASU network require SSL VPN. For security, Windows XP workstations are not able to make a second secure SSL VPN connection to another system. Examples are Sybase, Advantage, etc. Workstations running Windows Vista or Windows 7 are able to manage this without a problem.
Firewall Exceptions
AnyConnect assigns an ASU IP address within the 172.31 range. This means that firewall rules whose scope does not include this range will block incoming connections from a remote user connected through AnyConnect. This can be fixed by adding the IP range 172.31.16.10 – 172.31.31.254 to the firewall exception scope.
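Added example (not from the original page): a Python check of firewall rule scopes against the AnyConnect pool given above, plus the pool expressed as exact CIDR blocks for firewalls that accept prefixes but not start-end ranges. The rule names and scopes are constructed sample data; only the pool bounds come from this page.

```python
import ipaddress

# Pool bounds come from the page; the rule names and scopes below are constructed.
POOL_FIRST = ipaddress.IPv4Address("172.31.16.10")
POOL_LAST = ipaddress.IPv4Address("172.31.31.254")
SAMPLE_RULES = {
    "Remote Desktop (internal only)": ["10.0.0.0/8"],
    "Remote Desktop (VPN pool)": ["172.31.16.10-172.31.31.254"],
    "File sharing": ["172.31.16.0/24", "172.31.18.0/23"],
}

def pool_cidrs():
    """Exact CIDR blocks for the pool, for firewalls that reject start-end ranges."""
    return list(ipaddress.summarize_address_range(POOL_FIRST, POOL_LAST))

def enclosing_prefix():
    """Smallest single prefix holding the pool, and how many extra addresses it admits."""
    net = ipaddress.ip_network(f"{POOL_FIRST}/32")
    while POOL_LAST not in net:
        net = net.supernet()
    return net, net.num_addresses - (int(POOL_LAST) - int(POOL_FIRST) + 1)

def parse_scope(entry):
    """Turn '10.0.0.0/8' or '172.31.16.10-172.31.31.254' into (first, last) integers."""
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-"))
        return int(lo), int(hi)
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return int(net.network_address), int(net.broadcast_address)

def coverage(scope):
    """Classify a rule's remote-address scope against the pool: full, partial or none."""
    need, touched = int(POOL_FIRST), False   # need = lowest pool address not yet covered
    for lo, hi in sorted(parse_scope(e) for e in scope):
        if hi < int(POOL_FIRST) or lo > int(POOL_LAST):
            continue                          # entry does not overlap the pool
        touched = True
        if lo <= need:
            need = max(need, hi + 1)          # contiguous so far; a gap leaves need unchanged
    if need > int(POOL_LAST):
        return "full"
    return "partial" if touched else "none"

if __name__ == "__main__":
    for name, scope in SAMPLE_RULES.items():
        print(f"{name}: {coverage(scope)}")
    net, extra = enclosing_prefix()
    print(f"{len(pool_cidrs())} exact CIDR blocks, or {net} with {extra} extra addresses")
```

A rule reported as "partial" or "none" will block at least some AnyConnect users. A single enclosing prefix is shorter than the exact list but admits addresses outside the assigned pool.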
Authentication Failures
If you cannot authenticate in order to use the SSLVPN client, you may not have subscribed to the Border VPN access service. This can be verified at http://asu.edu/selfsub.
If you receive the error "IP Forwarding error" while attempting to connect, then two different steps can be taken to resolve the issue.
- This is most often caused by a conflict with an optional driver installed by some Adobe products. Uninstall the Bonjour application using Add/Remove Programs, or disable the Bonjour service.
- Upgrade the version of Cisco AnyConnect to version 2.2 or higher. A version that works with Bonjour is available at http://sslvpn.asu.edu.
Certificate Errors
Some users may receive an untrusted certificate dialog box when connecting to sslvpn.asu.edu with the AnyConnect client. This dialog box can appear both before and after entering credentials to connect to SSLVPN. It looks similar to the image below.

This is caused by a configuration issue with the AnyConnect profile. To fix this issue, first close AnyConnect. Then delete the files named ASUProfile.xml and ASUProfile2.xml located in the following directory:
Windows XP: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile
Windows Vista: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile

Afterwards, go to https://sslvpn.asu.edu and log in. Once you are automatically connected, the ASUProfile.xml file will be recreated with the correct settings.
Error “The VPN client driver has encountered an error”
Complete these steps in order to resolve the problem:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Run esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.
- When prompted, choose OK to attempt the repair.
- Exit the command prompt.
- Reboot.
If the repair fails, complete these steps:
- Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
- Run net stop CryptSvc.
- Rename the %WINDIR%\system32\catroot2 directory to catroot2_old.
- Exit the command prompt.
- Reboot.
Error “Connection attempt has failed due to unresolvable host entry”
This issue can most commonly be resolved by connecting to “sslvpn.asu.edu” instead of “sslvpn”. This error may occur as the result of an older configuration file from Cisco AnyConnect. If connecting to “sslvpn.asu.edu” yields the same error, then an external issue such as a firewall or misconfigured DNS is preventing access.
Is there an SSL VPN client for MacOS Snow Leopard?
The client for Snow Leopard, the latest Macintosh operating system, is available on the My Apps (myapps.asu.edu) software site. The client will be added to the SSL VPN for automatic installation by Oct. 7th.
