Windows 8 - AnyConnect error - Failed to initialize connection subsystem. [SOLVED]

We had a problem with the AnyConnect client v3.1.05187 on Windows 8: the client failed with the error message “Failed to initialize connection subsystem”. We solved it with the following procedure:

• Install all Windows updates on Windows 8.
• Reboot the PC.
• Update the AnyConnect client to the latest version using the anyconnect-win-3.1.07021-pre-deploy-k9.msi file.
• Reboot the PC again - this step is important.

Enjoy!

Cisco ASA v8.3- LAN-to-LAN IPsec VPN. [TESTED]

We’re going to use pre-shared key authentication: the same secret key is configured on both ends. Note that the pre-shared key only authenticates the two IKE peers to each other; the symmetric session keys that actually encrypt the traffic are derived from the Diffie-Hellman exchange during IKE, not from the pre-shared key itself.

http://en.wikibooks.org/wiki/Cryptography/Symmetric_Ciphers:

A symmetric key cipher (also called a secret-key cipher, or a one-key cipher, or a private-key cipher, or a shared-key cipher) is one that uses the same (necessarily secret) key to encrypt messages as it does to decrypt messages.

Until the invention of asymmetric key cryptography (commonly termed “public key / private key” crypto) in the 1970s, all ciphers were symmetric. Each party to the communication needed a key to encrypt a message; and a recipient needed a copy of the same key to decrypt the message.

Documentation/Tips

conf t
 vpnsetup site-to-site steps

Step by Step

• We need to create a tunnel-group and associate it with a group-policy that allows IKEv1. So the first step is to create the group-policy, so that it can be referenced under the tunnel-group configuration. We can also disable vpn-idle-timeout, which is 30 minutes by default.

group-policy 75.75.75.2 internal
group-policy 75.75.75.2 attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none
 exit

Then create the tunnel-group, specify the group-policy and the pre-shared KEY. The key is the only thing that authenticates the far end, so use a long random secret rather than a dictionary word.

tunnel-group 75.75.75.2 type ipsec-l2l
tunnel-group 75.75.75.2 general-attributes
 default-group-policy 75.75.75.2
 exit
tunnel-group 75.75.75.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_KEY
 exit

• On ASA 9.1(5) a new IKEv1 policy gets the following default parameters: pre-shared-key authentication, 3DES, SHA-1, DH group 2 (1024-bit), lifetime 86400 seconds (24 hours). Technically, you can create it by issuing only ONE command, “crypto ikev1 policy 1”. These defaults are weak by current standards; where the far end supports it, set AES encryption and a larger DH group explicitly instead of relying on them.
• To check the result:

ASA# show run crypto ikev1
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ASA#

• Enable IKEv1 on outside interface.

crypto ikev1 enable outside

• After that you will see that on some ASA models (the 5510, for instance) a policy with sequence number 65535 is created automatically with the default parameters. So, technically, on some models (not all) you can issue just the one command “crypto ikev1 enable outside” and you will get the following:

crypto ikev1 enable outside
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
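The steps above configure only the IKE (Phase 1) side of the tunnel; no traffic is protected until the crypto ACL, transform set and crypto map (Phase 2) exist, and the “QM FSM error” discussed below is exactly a Phase 2 mismatch. The following is an added, complete LAN-to-LAN configuration for the same peer, written for this note rather than taken from the original post. The local network 10.1.0.0/16 behind the inside interface, the remote network 10.2.0.0/16, the object, ACL, transform-set and crypto-map names, and the 3600-second IPsec lifetime are assumptions for the example. The page's defaults (3DES, SHA-1, DH group 2) are replaced with AES-256 and DH group 5; the comment about group 14 assumes, as the 9.1(5) CLI suggests, that IKEv1 on this release accepts groups 1, 2 and 5 only.

```cisco
! --- Phase 1: IKEv1 / ISAKMP (both ends must agree on one policy) ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
! group 14 (2048-bit) is preferable; use it where the release supports it for IKEv1 (assumption: not on 9.1(5)).

! --- Peer identity and pre-shared key ---
group-policy 75.75.75.2 internal
group-policy 75.75.75.2 attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none
tunnel-group 75.75.75.2 type ipsec-l2l
tunnel-group 75.75.75.2 general-attributes
 default-group-policy 75.75.75.2
tunnel-group 75.75.75.2 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_KEY
! EXAMPLE_KEY stands for a long random secret configured identically on the far end.

! --- Phase 2: interesting traffic, transform set, crypto map ---
object network NET_LOCAL
 subnet 10.1.0.0 255.255.0.0
object network NET_REMOTE
 subnet 10.2.0.0 255.255.0.0
! Crypto ACL: must mirror the far end's ACL exactly (source/destination swapped).
access-list ACL_L2L_REMOTE extended permit ip object NET_LOCAL object NET_REMOTE
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map CM_OUTSIDE 10 match address ACL_L2L_REMOTE
crypto map CM_OUTSIDE 10 set peer 75.75.75.2
crypto map CM_OUTSIDE 10 set ikev1 transform-set TS_AES256_SHA
! PFS must be configured on BOTH ends or on neither; a one-sided setting gives "All IPSec SA proposals found unacceptable".
crypto map CM_OUTSIDE 10 set pfs group5
crypto map CM_OUTSIDE 10 set security-association lifetime seconds 3600
crypto map CM_OUTSIDE interface outside

! --- NAT exemption (8.3+ object NAT syntax) so VPN traffic is not translated ---
nat (inside,outside) source static NET_LOCAL NET_LOCAL destination static NET_REMOTE NET_REMOTE no-proxy-arp route-lookup

! --- Checks (exec mode) ---
! Phase 1 SA should show MM_ACTIVE; Phase 2 counters should increase after sending traffic.
! show crypto ikev1 sa
! show crypto ipsec sa peer 75.75.75.2
! show vpn-sessiondb l2l
! debug crypto ikev1 127   (shows which proposal the far end rejects)
```

The tunnel is brought up by interesting traffic, so after pasting the configuration send a ping from a host in 10.1.0.0/16 to a host in 10.2.0.0/16 before running the show commands.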

Known issues

vpn-idle-timeout

• “vpn-idle-timeout” is 30 minutes by default and is locally significant, so it can differ between the two ends of an L2L VPN. The reason for the disconnection is logged:

%ASA-5-713259: Group = 75.75.75.1, IP = 75.75.75.1, Session is being torn down. Reason: Idle Timeout

un-encrypted INVALID_COOKIE

• If you have NO tunnel-group configured for the remote peer's IP address, you will get the following:

%ASA-5-713904: Group = 75.75.75.2, IP = 75.75.75.2, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: Group = 75.75.75.2, IP = 75.75.75.2, Information Exchange processing failed

• Reason: no matching tunnel-group and group-policy are configured on the far end; check the current configuration on both sides.

QM FSM error

%ASA-5-713119: Group = 75.75.75.2, IP = 75.75.75.2, PHASE 1 COMPLETED
%ASA-5-713904: Group = 75.75.75.2, IP = 75.75.75.2, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = 75.75.75.2, IP = 75.75.75.2, QM FSM error (P2 struct &0xae432b50, mess id 0xee9d1cbd)!
%ASA-3-713902: Group = 75.75.75.2, IP = 75.75.75.2, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = 75.75.75.2, IP = 75.75.75.2, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = 75.75.75.2, Username = 75.75.75.2, IP = 75.75.75.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713904: IP = 75.75.75.2, Received encrypted packet with no matching SA, dropping

• Reason: Phase 2 proposal mismatch. Here PFS was configured on one end but not on the far end; the same messages appear when the transform sets differ. Compare “crypto map ... set pfs” and “set ikev1 transform-set” on both ends, and run “debug crypto ikev1 127” on either ASA to see which proposal is being rejected.

Useful links to learn

Webcast: “Some aspects of building fault-tolerant Site-to-Site VPNs on ASA” - presentation - MUST READ!
ASA-Fault-tolerant-L2L-VPNs-Webinar.pdf.
Understanding ASA IPSec and IKE debugs - IKEv1 Main Mode..
Cisco ASA 5500 Site to Site VPN (From CLI).
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example.
ASA 8.3 Upgrade - What You Need to Know.

Cisco ASA - AnyConnect VPN server - Initial configuration. [TESTED]

Test device is an ASA 5510 running 9.1(5).

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 > Configuring AnyConnect VPN Client Connections.

License

ASA# show version | i ^AnyConnect
AnyConnect Premium Peers          : 250            perpetual
AnyConnect Essentials             : 250            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
ASA#

This means we can use either license type (Premium or Essentials), though not both at once. Note that the Clientless SSL VPN (WebVPN) feature requires the Premium license. Here you can find a little bit more.

Basic setup

ASA# conf t

! Enable HTTP to HTTPS redirection (Optional):

ASA(config)# http redirect outside 80

! Enable WebVPN on outside interface:

ASA(config)# webvpn
ASA(config-webvpn)# enable outside
INFO: WebVPN and DTLS are enabled on 'outside'.
ASA(config-webvpn)# end
ASA#

! Verify:

ASA# sh run webvpn
webvpn
 enable outside
 anyconnect-essentials
ASA#

After that you can try to log in using a locally configured user/pass:

conf t
 username USER password PASS privilege 0

If you enter the correct login/pass you get the “Clientless (browser) SSL VPN access is not allowed.” error. This is expected because “anyconnect” is not enabled yet. Let’s do that, but first upload and configure the AnyConnect package files:

webvpn
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg
 anyconnect enable

Now you can log in to the web GUI successfully. Normally you will see the “AnyConnect Secure Mobility Client” window, which tries to detect whether the AnyConnect client is installed on your PC, and so on.

But what happens if you install the VPN client and try to connect with it? Let’s look at the syslog messages:

~
%ASA-6-113012: AAA user authentication Successful : local database : user = USER
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = USER
%ASA-6-113008: AAA transaction status ACCEPT : user = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username1 = USER
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.username2 =
%ASA-7-734003: DAP: User USER, Addr 172.16.1.2: Session Attribute aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
%ASA-6-734001: DAP: User USER, Addr 172.16.1.2, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-6-725007: SSL session with client outside:172.16.1.2/52235 terminated.

As you can see, the user/pass is correct, but the connection does not work. The VPN client just says “Login failed.”; the more informative message is “Login denied, unauthorized connection mechanism, contact your administrator.” The syslog messages do not say much either...

To solve this you have to create a group-policy (or modify the default one, DfltGrpPolicy) and associate it with the default tunnel-group DefaultWEBVPNGroup. Let’s create a new group-policy and the related objects, such as an IP pool:

ip local pool POOL_VPN 10.1.110.1-10.1.110.254 mask 255.255.255.0

group-policy GP_VPN internal
group-policy GP_VPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 default-domain value example.com
 address-pools value POOL_VPN
 exit

tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP_VPN
 exit

Once this is done, login via the preinstalled client succeeds and you get an IP address from the pool. There is NO split tunnel (all traffic goes through the VPN). Remote destinations must have a route back to the POOL_VPN address space, because traffic leaves the ASA with its original (POOL_VPN) source address. If the destination knows that POOL_VPN is reachable via the inside IP of the ASA, it will work. The alternative is to use NAT (out of scope for this little note).

To enable split-tunnel:

conf t

access-list ACL_VPN_ROUTES standard permit 10.1.1.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.2.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.3.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.4.0 255.255.255.0

group-policy GP_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_VPN_ROUTES
 exit

Setup “Windows Server 2012 R2” as Domain Controller and RADIUS server

Windows Server 2012: Set Up your First Domain Controller (step-by-step).
ASA VPN User Authentication against Windows 2008 NPS Server (Active Directory) with RADIUS Configuration Example.

Adding the NPS role/feature and configuring it is pretty simple, but there is one very important thing: “Unencrypted authentication (PAP, SPAP)” MUST be enabled in the NPS network policy, because the ASA sends RADIUS authentication requests using PAP by default. With PAP the user password is protected only by the RADIUS shared secret, so use a long random secret and keep the ASA-to-NPS path on a trusted internal network. (MS-CHAPv2 is possible instead if the tunnel-group has “password-management” enabled and the RADIUS host is “mschapv2-capable”.)

Apply RADIUS servers

Add RADIUS servers:

aaa-server RADIUS-VPN protocol radius
 exit
aaa-server RADIUS-VPN (inside) host 10.1.1.5
 key SECRET_KEY
 exit
aaa-server RADIUS-VPN (inside) host 10.1.1.6
 key SECRET_KEY
 exit

Test them:

ASA# ping inside 10.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA#
ASA# ping inside 10.1.1.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA#
ASA# test aaa-server authentication RADIUS-VPN host 10.1.1.5 username USERNAME
Password: **********
INFO: Attempting Authentication test to IP address <10.1.1.5> (timeout: 12 seconds)
INFO: Authentication Successful
ASA#
ASA#
ASA# test aaa-server authentication RADIUS-VPN host 10.1.1.6 username USERNAME
Password: **********
INFO: Attempting Authentication test to IP address <10.1.1.6> (timeout: 12 seconds)
INFO: Authentication Successful
ASA#

Apply RADIUS server to the default tunnel-group DefaultWEBVPNGroup:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group RADIUS-VPN

Complete setup in proper sequence

...TODO...

• Upload anyconnect .pkg images.

! Apply images. This takes time; the CLI hangs while each package is validated.

webvpn
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.06079-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.06079-k9.pkg 3
 exit

! Enable anyconnect service.

webvpn
 anyconnect enable
 exit

! Enable webvpn service.

webvpn
 enable outside
 exit

! Enable HTTP-to-HTTPS redirection.

http redirect outside 80
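The “Complete setup in proper sequence” section is still a TODO, so here is the whole AnyConnect server configuration from this post assembled in the order it has to be applied, as an added example and not the author's own final config. It departs from the post in two places: it uses a named tunnel-group TG_VPN with a group-alias, so that users select it instead of silently landing in DefaultWEBVPNGroup, and it adds a NAT exemption for the pool, which is needed only if an inside-to-outside dynamic NAT exists. TG_VPN, the alias VPN, the NET_* object names, 10.1.0.0/16 as the inside network and the existence of that dynamic NAT are assumptions; RADIUS-VPN, POOL_VPN, GP_VPN, ACL_VPN_ROUTES and the image file names are from the post.

```cisco
! 1. Client images first. The CLI blocks while each .pkg is validated.
webvpn
 anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux-3.1.06079-k9.pkg 2
 anyconnect image disk0:/anyconnect-macosx-i386-3.1.06079-k9.pkg 3
 anyconnect enable
 enable outside
 tunnel-group-list enable
! tunnel-group-list makes group aliases selectable in the client and the portal.

! 2. Address pool and split-tunnel routes pushed to the client.
ip local pool POOL_VPN 10.1.110.1-10.1.110.254 mask 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.1.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.2.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.3.0 255.255.255.0
access-list ACL_VPN_ROUTES standard permit 10.1.4.0 255.255.255.0

! 3. RADIUS (NPS) servers; the NPS policy must allow PAP.
aaa-server RADIUS-VPN protocol radius
aaa-server RADIUS-VPN (inside) host 10.1.1.5
 key SECRET_KEY
aaa-server RADIUS-VPN (inside) host 10.1.1.6
 key SECRET_KEY

! 4. Group policy: what the user gets once authenticated.
group-policy GP_VPN internal
group-policy GP_VPN attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 8.8.8.8 8.8.4.4
 default-domain value example.com
 address-pools value POOL_VPN
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_VPN_ROUTES

! 5. Tunnel group: how the user authenticates and which policy applies.
tunnel-group TG_VPN type remote-access
tunnel-group TG_VPN general-attributes
 authentication-server-group RADIUS-VPN
 default-group-policy GP_VPN
tunnel-group TG_VPN webvpn-attributes
 group-alias VPN enable

! 6. NAT exemption (assumption: an inside-to-outside dynamic NAT exists) so replies to pool addresses are not translated.
object network NET_POOL_VPN
 subnet 10.1.110.0 255.255.255.0
object network NET_INSIDE
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static NET_INSIDE NET_INSIDE destination static NET_POOL_VPN NET_POOL_VPN no-proxy-arp route-lookup

! 7. Optional HTTP-to-HTTPS redirection, then verify from exec mode.
http redirect outside 80
! show vpn-sessiondb anyconnect
! test aaa-server authentication RADIUS-VPN host 10.1.1.5 username USERNAME
```

Because the group-policy and aaa-server are referenced by name from the tunnel-group, they must exist before step 5 is pasted; the ASA rejects a reference to an object that has not been created yet.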

Cisco ASA - HTTP to HTTPS redirection.

You can use “HTTP to HTTPS redirection” for WebVPN, ASDM, etc. Please take a look at command reference for “http redirect” command.

ASA# conf t
ASA(config)# http redirect outside 80
ASA(config)# end
ASA# sh run http
http server enable
http redirect outside 80
ASA#

BTW, if you have HTTP server disabled (for example, you do not use ASDM), it’s fine because “http server enable” is NOT required for http redirection feature.

Cisco ASA - Clientless SSL VPN (WebVPN) and anyconnect-essentials.

While applying a new license on the ASA you get the following warning:

**********************************************************************
WARNING: AnyConnect Essentials license active. Basic VPN support is
in effect. For specific details, please refer to Cisco AnyConnect VPN
Client Administrator Guide.
**********************************************************************

If you apply a license with AnyConnect Essentials enabled, the ASA turns the feature on automatically. That means if you have Clientless SSL VPN (WebVPN) configured on your production VPN server, after applying the new license your SSL VPN users will get the “Clientless (browser) SSL VPN access is not allowed.” error.

%ASA-6-734001: DAP: User user, Addr ipaddr, Connection connection: The following DAP records were selected for this connection: DAP record names
 %ASA-4-722049: Group group User user IP ip Session terminated: SVC not enabled or invalid image on the ASA.

Note that 722049 is logged at severity 4 (warning) and ASDM marks this message amber. BTW, the list of all available syslog messages can be found here.

To restore functionality:

conf t
 webvpn
  no anyconnect-essentials

Some general info from CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 > Clientless SSL VPN Overview:

• The AnyConnect Essentials license enables AnyConnect VPN client access to the ASA. This license does not support browser-based SSL VPN access or Cisco Secure Desktop. For these features, activate an AnyConnect Premium license instead of the AnyConnect Essentials license.

• Note: With the AnyConnect Essentials license, VPN users can use a Web browser to log in, and download and start (WebLaunch) the AnyConnect client.

• The AnyConnect client software offers the same set of client features, whether it is enabled by this license or an AnyConnect Premium SSL VPN Edition license.

• The AnyConnect Essentials license cannot be active at the same time as the following licenses on a given ASA: AnyConnect Premium license (all types) or the Advanced Endpoint Assessment license. You can, however, run AnyConnect Essentials and AnyConnect Premium licenses on different ASAs in the same network.

• By default, the ASA uses the AnyConnect Essentials license, but you can disable it to use other licenses by using the no anyconnect-essentials command.
