VPN client troubleshooting

The following section lists common issues with the Cisco AnyConnect VPN client and how to fix them. If the issue you are experiencing is not described here, please collect the necessary troubleshooting data using the guide here.


Cisco AnyConnect - known issues

The following issues have been discovered since the Cisco AnyConnect VPN client deployment:


Certificate Validation Failure
Certificate Enrollment Failure
Certificate Enrollment stuck at "Request forwarded"
Linux - vpnagentd service
Linux - GUI not working in some versions of Ubuntu
Linux - Useful logs in syslog file
Linux - Useful details in CLI client version vs GUI
Linux - OpenConnect usage
Client installation problems on Windows XP
Clients lower than 4.5.x - Access denied



Certificate Validation Failure

The "Certificate Validation Failure" error occurs when an obsolete XML profile is deployed on the connecting client. To remove this error, manually delete the XML profile from the computer and restart the Cisco AnyConnect VPN client. The location of the XML profile depends on the operating system:

Operating system    Profile location
Windows XP          %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Windows 7           %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Windows Vista       %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Linux               /opt/cisco/anyconnect/profile
 
The new XML profile will be downloaded upon the next successful authentication through the VPN.



Certificate Enrollment Failure



The "Certificate enrollment failed." error occurs when the Cisco AnyConnect Client fails to enroll for a certificate on behalf of the user.
If you get this error, please contact DPDHL IT Services through your local DPDHL contact, providing your username.



Certificate Enrollment stuck at "Request forwarded"



If the Cisco AnyConnect Client is stuck at the step shown above for a few minutes without any progress, it means that the client is unable to obtain and download the certificate.
If you get this error, first close the AnyConnect client and start it again (right-click on the AnyConnect icon in the taskbar and click "Quit").



If the same problem persists after restarting AnyConnect, please contact DPDHL IT Services through your local DPDHL contact, providing your username.



Collecting troubleshooting data

The Cisco AnyConnect VPN client comes with a DART module (Diagnostics and Reporting Tool) used to collect client and system data when resolving connection issues. To access the DART interface, click on the highlighted icon in the Cisco AnyConnect connection window, see below:









DART packs the collected data into a .ZIP archive and stores it on the user's desktop.








Linux - vpnagentd service

If there are problems with the vpnagentd service (the service is marked as down or hangs), it is usually not enough just to start it; because of some dependencies, it has to be stopped first. So even if it looks like it is not running, stop it first, then start it, and then check its status.

Symptoms of this issue are that the VPN client cannot fully start in CLI or GUI (it hangs) - see Step 6 in the Linux installation guide. This was seen on Ubuntu 16.04 LTS, usually after a certificate was imported.





Linux - GUI not working in some versions of Ubuntu

The GUI client works well on Ubuntu 16.04, but not on Ubuntu 18.04.1; on Ubuntu 18.04.1, use only the CLI part of the client.





Linux - Useful logs in syslog file

The syslog log file is a good source for observing what is happening behind ...
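
The stop-then-start sequence from the vpnagentd section and the syslog check described here, as an added shell example that is not part of the original guide. It assumes systemd manages a unit named vpnagentd, that the log file is /var/log/syslog, and that AnyConnect log lines carry a tag containing "acvpn"; the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Assumptions: systemd controls a unit named "vpnagentd"; the syslog file is
# /var/log/syslog; AnyConnect components log under tags containing "acvpn".
SVC_CTL="${SVC_CTL:-systemctl}"               # service control command
SYSLOG_FILE="${SYSLOG_FILE:-/var/log/syslog}"

# Stop first, even when the service already looks down, then start and verify.
restart_vpnagentd() {
    # A hung agent may be reported as not running; stop it anyway and ignore
    # the exit status so the sequence continues.
    "$SVC_CTL" stop vpnagentd || true
    "$SVC_CTL" start vpnagentd || return 1
    # A non-zero exit status here means the agent did not come up.
    "$SVC_CTL" is-active vpnagentd >/dev/null
}

# Print the last N (default 20) syslog lines written by or about the agent.
agent_log_tail() {
    grep -iE 'acvpn|vpnagentd' "$SYSLOG_FILE" | tail -n "${1:-20}"
}

# Run as root (hypothetical script name): sh restart-vpnagentd.sh --run
if [ "${1:-}" = "--run" ]; then
    if restart_vpnagentd; then
        echo "vpnagentd is active"
    else
        echo "vpnagentd failed to start; recent agent log lines:" >&2
    fi
    agent_log_tail 20
fi
```

If the status check still fails after the stop/start cycle, the lines printed by agent_log_tail are the ones to attach when contacting support.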





Linux - Useful details in CLI client version vs GUI

Note that the GUI version of the client shows no informational messages like those seen on screen when operating the CLI version, so if you need more information, use the CLI version and the syslog file to observe what is going on.






Linux - OpenConnect usage

According to our testing, it is not possible to use the OpenConnect VPN client.

OpenConnect 7.06-2build2 was tested on Ubuntu 16.04. It appears that OpenConnect is not capable of using our key feature, automatic certificate enrollment. It seems that the only way to add a user certificate to the client is a manual import of .cer and .key (cert + key) files. In this case you are not able to obtain the certificate automatically, which is how the DHL VPN service is configured now.





Client installation problems on Windows XP

Unfortunately, Cisco no longer supports Windows XP and similar obsolete Win"X" systems.

Users with Windows XP need to upgrade to Windows 7/8/10.

Supported operating systems are listed in the table below:

Operating system    Version
Windows             Windows 10, 10 RS1, RS2, and RS3 x86(32-bit) and x64(64-bit)
                    Windows 8.1 x86(32-bit) and x64(64-bit)
                    Windows 8 x86(32-bit) and x64(64-bit)
                    Windows 7 SP1 x86(32-bit) and x64(64-bit)
Linux               Red Hat 6 and 7 (64-bit)
                    Ubuntu 14.04 (LTS) and 16.04 (LTS) (all 64-bit)
macOS               macOS 10.11, 10.12, and 10.13





Clients lower than 4.5.x - Access denied

From January 2019, DPDHL does not support establishing a VPN tunnel (connecting to the DHL network) with old, obsolete and unsupported Cisco AnyConnect clients with versions lower than 4.5.x.

If an AnyConnect client version lower than 4.5.x is used, the VPN session cannot be established, and the client is informed of the reason with a message when the VPN session is terminated:

A graphical example of the error message can be found below.

The only solution is to upgrade the AnyConnect client to at least version 4.5.x. The preferred supported version is available on the download page.