Windows 8 - AnyConnect error - Failed to initialize connection subsystem. [SOLVED]

We had a problem with the AnyConnect client v3.1.05187 on Windows 8: it failed with the error message “Failed to initialize connection subsystem”. We solved it with the following procedure:

• Install all Windows updates on Windows 8.
• Reboot the PC.
• Update the AnyConnect client to the latest version using the anyconnect-win-3.1.07021-pre-deploy-k9.msi file.
• Reboot the PC - this is important.

Enjoy!

Cisco ASA - AnyConnect VPN server - Initial configuration. [TESTED]

Test device is an ASA 5510 running 9.1(5).

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 > Configuring AnyConnect VPN Client Connections.

License

ASA# show version | i ^AnyConnect
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 250            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
ASA#

This means we can use either license type (Premium or Essentials). Note that the Clientless SSL VPN (WebVPN) feature requires the Premium license type. Here you can find a little bit more.

Basic setup

ASA# conf t

! Enable HTTP to HTTPS redirection (Optional):

ASA(config)# http redirect outside 80

! Enable WebVPN on outside interface:

ASA(config)# webvpn
ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# end
ASA#

! Verify:

ASA# sh run webvpn
webvpn
 enable outside
 anyconnect-essentials
ASA#

After that you can try to log in using a locally configured username/password:

conf t
 username USER password PASS privilege 0

If you enter the correct username/password you get the “Clientless (browser) SSL VPN access is not allowed.” error. This is expected, because “anyconnect” is not enabled yet. Let’s enable it, but before that we upload and configure the AnyConnect package file:

webvpn
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg
 anyconnect enable

Now you can log in to the web GUI successfully. Normally you will see the “AnyConnect Secure Mobility Client” window, which tries to detect whether the AnyConnect client is installed on your PC, and so on.

But what happens if you install the VPN client and try to connect with it? Let’s look at the syslog messages:

%ASA-6-113012: AAA user authentication Successful : local database : user = USER
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = USER
%ASA-6-113008: AAA transaction status ACCEPT : user = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username1 = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
%ASA-6-734001: DAP: User USER, Addr 172.16.1.2, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-725007: SSL session with client outside:172.16.1.2/52235 terminated.

As you can see, the username/password exchange is correct, but the connection still does not work. The VPN client first just says “Login failed.”, but the more interesting message is “Login denied, unauthorized connection mechanism, contact your administrator.”. The syslog messages themselves do not say much…

To solve this you have to create a group-policy (or modify the default one, DfltGrpPolicy) and associate it with the default tunnel-group DefaultWEBVPNGroup. Let’s create a new group policy and the related objects, such as an IP pool:

ip local pool POOL_VPN 10.1.110.1-10.1.110.254 mask 255.255.255.0

group-policy GP_VPN internal
group-policy GP_VPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 default-domain value example.com
 address-pools value POOL_VPN
 exit

tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP_VPN
 exit

When this is done, login via the preinstalled client will succeed and you will get an IP address from the predefined pool. There is NO split tunnel (all traffic goes into the VPN), and the remote destination must have a route back to the POOL_VPN address space, because traffic leaves the ASA with its original source address (from POOL_VPN). If the destination peer knows that the POOL_VPN address space is reachable via the internal IP of the ASA, it will work. The other option is NAT, which is out of scope of this little note.

To enable split-tunnel:

conf t

access-list ACL_VPN_ROUTES standard permit 10.1.1.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.2.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.3.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.4.0 255.255.255.0

group-policy GP_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_VPN_ROUTES
 exit

Setup “Windows Server 2012 R2” as Domain Controller and RADIUS server

Windows Server 2012: Set Up your First Domain Controller (step-by-step).
ASA VPN User Authentication against Windows 2008 NPS Server (Active Directory) with RADIUS Configuration Example.

Adding the NPS role/feature and configuring it is pretty simple, but there is one very important thing: “Unencrypted authentication (PAP, SPAP)” MUST be enabled in the NPS network policy settings, because the ASA sends the user’s password to the RADIUS server using PAP by default.

Apply RADIUS servers

Add RADIUS servers:

aaa-server RADIUS-VPN protocol radius
 exit
aaa-server RADIUS-VPN (inside) host 10.1.1.5
 key SECRET_KEY
 exit
aaa-server RADIUS-VPN (inside) host 10.1.1.6
 key SECRET_KEY
 exit

Test them:

ASA# ping inside 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA#
ASA# ping inside 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA#
ASA# test aaa-server authentication RADIUS-VPN host 10.1.1.5 username USERNAME
Password: **********
INFO: Attempting Authentication test to IP address <10.1.1.5> (timeout: 12 seconds)
INFO: Authentication Successful
ASA#
ASA#
ASA# test aaa-server authentication RADIUS-VPN host 10.1.1.6 username USERNAME
Password: **********
INFO: Attempting Authentication test to IP address <10.1.1.6> (timeout: 12 seconds)
INFO: Authentication Successful
ASA#

Apply RADIUS server to the default tunnel-group DefaultWEBVPNGroup:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-VPN

Complete setup in proper sequence

...TODO...

• Upload anyconnect .pkg images.

! Apply images. It takes time, the CLI will hang for a while.

webvpn
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.06079-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.06079-k9.pkg 3
 exit

! Enable anyconnect service.

webvpn
 anyconnect enable
 exit

! Enable webvpn service.

webvpn
 enable outside
 exit

! Enable HTTP-to-HTTPS redirection.

http redirect outside 80

Cisco ASA - HTTP to HTTPS redirection.

You can use “HTTP to HTTPS redirection” for WebVPN, ASDM, etc. Please take a look at the command reference for the “http redirect” command.

ASA# conf t
ASA(config)# http redirect outside 80
ASA(config)# end
ASA# sh run http
http server enable
http redirect outside 80
ASA#

BTW, if the HTTP server is disabled (for example, because you do not use ASDM), that is fine: “http server enable” is NOT required for the HTTP redirection feature.

Cisco ASA - Clientless SSL VPN (WebVPN) and anyconnect-essentials.

When applying a new license on the ASA you get the following warning:

**********************************************************************
WARNING: AnyConnect Essentials license active. Basic VPN support is
in effect. For specific details, please refer to Cisco AnyConnect VPN
Client Administrator Guide.
**********************************************************************

If you apply a license that includes AnyConnect Essentials, the ASA turns anyconnect-essentials on automatically. That means that if you have Clientless SSL VPN (WebVPN) configured on your production VPN server, after applying the new license SSL VPN users will get the “Clientless (browser) SSL VPN access is not allowed.” error.

%ASA-6-734001: DAP: User user, Addr ipaddr, Connection connection: The following DAP records were selected for this connection: DAP record names
%ASA-4-722049: Group group User user IP ip Session terminated: SVC not enabled or invalid image on the ASA.

Note that 722049 is an error and ASDM marks this message as amber. BTW, the list of all available syslog messages can be found here.

To restore functionality:

conf t
 webvpn
  no anyconnect-essentials
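As an added example (not part of the original notes), here is a small Python detector that correlates the ASA syslog messages shown in this note per client address and reports AnyConnect logins that passed AAA/DAP but never became a tunnel: the “unauthorized connection mechanism” case (734001 followed by 725007 with nothing in between) and the 722049 “SVC not enabled” case. Message 722022 (“TCP SVC connection established”) is assumed as the success marker, and the sample lines, group name and user names are constructed.

```python
import re

# Constructed ASA syslog sample modelled on the messages quoted in this note
# (734001, 725007, 722049). Message 722022 ("TCP SVC connection established")
# is assumed here as the success marker for a working AnyConnect tunnel.
SAMPLE_LOG = """\
%ASA-6-734001: DAP: User USER, Addr 172.16.1.2, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-725007: SSL session with client outside:172.16.1.2/52235 terminated.
%ASA-6-734001: DAP: User ALICE, Addr 172.16.1.3, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-4-722049: Group GP_VPN User ALICE IP 172.16.1.3 Session terminated: SVC not enabled or invalid image on the ASA.
%ASA-6-734001: DAP: User BOB, Addr 172.16.1.4, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-722022: Group GP_VPN User BOB IP 172.16.1.4 TCP SVC connection established without compression
"""

MSG_ID = re.compile(r"%ASA-\d-(\d{6}): (.*)")
DAP_SEL = re.compile(r"User (\S+), Addr ([\d.]+), Connection AnyConnect")
SSL_END = re.compile(r"client \S+:([\d.]+)/\d+ terminated")
GRP_USR = re.compile(r"Group \S+ User (\S+) IP ([\d.]+)")

HINTS = {
    "svc_disabled": "check 'anyconnect enable' and the anyconnect-essentials state",
    "no_tunnel": "check default-group-policy on DefaultWEBVPNGroup and "
                 "vpn-tunnel-protocol ssl-client in that group-policy",
}

def find_failed_anyconnect_logins(log_text):
    """Correlate by client address; return {user: reason} for sessions that
    passed AAA/DAP but never became an AnyConnect tunnel."""
    pending = {}   # addr -> user, recorded when DAP selects a policy (734001)
    findings = {}
    for line in log_text.splitlines():
        m = MSG_ID.match(line)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "734001" and (sel := DAP_SEL.search(body)):
            pending[sel.group(2)] = sel.group(1)
        elif msg_id == "722022" and (gu := GRP_USR.search(body)):
            pending.pop(gu.group(2), None)        # tunnel came up: not a failure
        elif msg_id == "722049" and (gu := GRP_USR.search(body)):
            pending.pop(gu.group(2), None)
            findings[gu.group(1)] = "svc_disabled"
        elif msg_id == "725007" and (end := SSL_END.search(body)):
            if end.group(1) in pending:           # SSL closed with no tunnel
                findings[pending.pop(end.group(1))] = "no_tunnel"
    return findings

if __name__ == "__main__":
    for user, reason in find_failed_anyconnect_logins(SAMPLE_LOG).items():
        print(f"{user}: {reason} -> {HINTS[reason]}")
```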

Some general info from CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 > Clientless SSL VPN Overview:

• The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.

• Note: With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.

• The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium SSL VPN Edition license.

• The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on different ASAs in the same network.

• By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by using the no anyconnect-essentials command.
