TL;DR: If Cisco AnyConnect keeps disconnecting and reconnecting every few minutes, try blocking UDP (inbound and outbound) in the firewall for the vpnagent executable/service.
...to the specified secure gateway. I used my Windows 10 VM and that connected fine; only my MacBook could not connect, and this VPN tunnel is a big deal I. Please choose another gateway and try again.
Function: ConnectIfc::connect File: ConnectIfc.cpp Line: 661 Non-Cisco gateway detected.
The first connection, when the AC profile is not present on the client, succeeds without any issues.
Cisco AnyConnect Secure Mobility Client version 4.7.04056


12:58:50 PM AnyConnect was not able to establish a connection to the specified secure gateway.
12:58:54 PM Ready to connect.
The Connect Failure Policy will not be applied because the Secure Gateway could not be found in the profile. Description: AnyConnect could not apply the Always-on VPN connect failure policy specified by the ConnectFailurePolicy profile setting, despite the connection failure.
In our case, the ASA is not configured to locate the AnyConnect image in flash:
ASA# sh run webvpn
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
ASA(config)# webvpn
ASA(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.2.05015-k9.pkg
Cisco Anyconnect Unable To Connect
Anyconnect Secure Gateway Error
My troubleshooting steps are below, in case anyone is interested.
Cisco Anyconnect Was Not Able To Establish
| Step | Detail | Observations |
| --- | --- | --- |
| Wireshark | Captures: Wireshark VPN test-2019-12-09-A.pcapng; Wireshark VPN test-2019-12-09-G-Comcast.pcapng; Wireshark VPN test-2019-12-09-F-Hotspot.pcapng; Wireshark VPN test-2019-12-09-E-Comcast-Reconnect at 129 sec.pcapng; Wireshark VPN test-2019-12-09-D-Hotspot.pcapng; Wireshark VPN test-2019-12-09-C-Comcast-Reconnect at 91 sec.pcapng; Wireshark VPN test-2019-12-09-B.pcapng | Noticed that most application traffic goes over DTLS (OpenSSL) on UDP, but every 20 seconds the client sends a TLSv1.2 segment [PSH, ACK] that gets no response from the server. The client retransmits the [PSH, ACK] at intervals of 0.3, 0.6, 1.2, 2.4, 4.8 and 9.6 seconds, and then sends a RST. |
| Google search | cisco vpn client tls every 20 seconds no ack | |
| Article above references this, which was the most helpful | As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect). | |
| Block UDP (in & out) for the VPN client in Windows Firewall | C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe | |
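The last step, scripted as an added example (not the original author's commands): it creates the inbound and outbound UDP block rules for vpnagent.exe and then reads them back to verify. It assumes the default install path shown in the table; the rule names are my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Blocking UDP for the agent
# means the DTLS tunnel can never come up, so the client stays on TLS
# (the fallback the Cisco text above describes) instead of flapping.
# Assumptions: default install path (as on the page); rule names are mine.

$VpnAgent = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
$RuleNames = @{
    Inbound  = 'AnyConnect vpnagent - block UDP in'
    Outbound = 'AnyConnect vpnagent - block UDP out'
}

if (-not (Test-Path -LiteralPath $VpnAgent)) {
    throw "vpnagent.exe not found at '$VpnAgent'; adjust the path for your install."
}

foreach ($direction in $RuleNames.Keys) {
    $name = $RuleNames[$direction]
    # Drop any rule with the same name first so re-running the script is safe.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name `
        -Direction $direction `
        -Program $VpnAgent `
        -Protocol UDP `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify: each rule should be enabled, scoped to vpnagent.exe, UDP, Block.
foreach ($name in $RuleNames.Values) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Direction = $rule.Direction
        Enabled   = $rule.Enabled
        Action    = $rule.Action
        Protocol  = $port.Protocol
        Program   = $app.Program
    }
}
```

After reconnecting, the client should stay on TLS and the 20-second unanswered [PSH, ACK] pattern from the captures should no longer end in a RST; a fresh Wireshark capture is the way to confirm that.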
