AnyConnect not able to establish a connection to the specified secure gateway

AnyConnect was not able to establish a connection to the specified secure gateway – Cisco VPN Linux / RedHat and RHEL / Ubuntu, Debian:

Scenario:

When using the Cisco AnyConnect client on Linux x64 (Ubuntu, Debian, Red Hat/RHEL, and likewise on a Mac) you might get the error above from the GUI, and if you connect from the command line you might see the following:

>/opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.1.02043) .

Copyright (c) 2004 - 2013 Cisco Systems, Inc.  All Rights Reserved.

  >> state: Disconnected
  >> state: Disconnected
  >> notice: Ready to connect.
  >> registered with local VPN subsystem.
  >> contacting host (vpn.domain.com) for login information...
  >> notice: Contacting vpn.domain.com.
VPN> AnyConnect cannot verify the VPN server: vpn.domain.com
Connecting to this server may result in a severe security compromise!
AnyConnect is configured to block untrusted VPN servers by default.  
Most users choose to keep this setting.
If this setting is changed, 
AnyConnect will no longer automatically block connections to potentially malicious network devices.

Change the setting that blocks untrusted connections? [y/n]: y

Changing this VPN Preference may result in a severe security compromise!

Change the setting that blocks untrusted connections? [y/n]: y
  >> warning: Connection attempt has failed.
  >> state: Disconnected


>sudo /opt/cisco/anyconnect/bin/vpn connect vpn.domain.com
Cisco AnyConnect Secure Mobility Client (version 3.0.07059) .

Copyright (c) 2004 - 2012 Cisco Systems, Inc.
All Rights Reserved.


>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (vpn.domain.com) for login information...
>> notice: Contacting vpn.domain.com.
VPN>
>> Please enter your username and password.
Group: VPNGroup

Username: [UserName] UserName
Password:
>> state: Connecting
>> notice: Establishing VPN session...
>> error: AnyConnect was not able to establish a connection to the 
specified secure gateway. Please try connecting again.
>> notice: Connection attempt has failed.
>> state: Disconnected

Resolution:

1- Before you start troubleshooting on the client side, make sure the SSL certificate is installed and configured properly on the ASA. Go to http://www.digicert.com/help/ and test your server certificate; if it reports any issue, have your system administrator fix it. Besides your company's server certificate, the intermediate certificate from the SSL provider must be installed on the ASA as well, and that tool will tell you if it is missing (a missing intermediate is the most common cause). Also note what the first transcript above shows: answering "y" to the prompt turns off BlockUntrustedServers for every future connection, not just this one, so the client would no longer detect a gateway presenting a forged certificate. Fix the trust problem instead of disabling the check.

2- Important: upgrade to the latest Cisco AnyConnect client. You can download it from the Cisco support site, but you need a Cisco.com account with a support contract. The latest AnyConnect version as of this article was 3.1.04066.

3- In one case the Cisco ASA had a Go Daddy SSL certificate. Copying the Go Daddy CA certificate from the Linux system trust store into the AnyConnect certificate folder made AnyConnect trust the gateway:

sudo cp /etc/ssl/certs/Go* /opt/.cisco/certificates/ca/

If the ASA uses a certificate from a different third-party CA, copy that CA's certificate the same way. What belongs in that folder is the issuing CA (the root and, if the ASA does not serve it, the intermediate), not the server certificate itself.

If you are not sure which CA issued the certificate, you can copy everything from /etc/ssl/certs/ into /opt/.cisco/certificates/ca/. That makes AnyConnect trust every CA the operating system trusts, so prefer copying just the one CA when you know which it is.

If you get this error on Windows, make sure the Internet Connection Sharing (ICS) service is stopped in Windows Services.

If you find this article helpful, please send us a note to Mike@bostonIT.com so I can keep on adding quality hands-on articles.

Downgrading Windows 8 to Windows 7 Freezes and hangs

Downgrading Windows 8 to Windows 7 Freezes and hangs – How to install Windows 7:

Scenario:

I had a brand new HP ProBook 4440s laptop that came preloaded with Windows 8. The customer wanted to downgrade it to Windows 7 x64, but during the very first steps of the Windows 7 installation the setup screen would freeze and go no further:

Resolution:

It was a UEFI setting in the BIOS. Reboot the PC, enter the BIOS setup, go to System Configuration, then Boot Options, and set the boot mode to "Legacy". Save and reboot; that should fix it. Try the Windows 7 installation again and it should proceed this time. Legacy mode also turns off UEFI Secure Boot, which Windows 7 does not support.


The directory service is missing mandatory configuration

The operation failed because: Active Directory Domain Services could not transfer the remaining data in directory partition DC=ForestDnsZones,DC=domain-name,DC=com to Active Directory Domain Controller \\DC.domain-name.com.
“The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.”

Scenario:

When trying to demote one of your Windows 2008 Domain Controllers, you get the above error message.

Resolution:

Copy the script below (it is Microsoft's fixfsmo.vbs) into a file and call it Script.vbs.

const ADS_NAME_INITTYPE_GC = 3
const ADS_NAME_TYPE_1779 = 1
const ADS_NAME_TYPE_CANONICAL = 2

set inArgs = WScript.Arguments

if (inArgs.Count = 1) then
    ' Assume the command line argument is the NDNC (in DN form) to use.
    NdncDN = inArgs(0)
Else
    Wscript.StdOut.Write "usage: cscript Script.vbs NdncDN"
End if

if (NdncDN <> "") then

    ' Convert the DN form of the NDNC into DNS dotted form.
    Set objTranslator = CreateObject("NameTranslate")
    objTranslator.Init ADS_NAME_INITTYPE_GC, ""
    objTranslator.Set ADS_NAME_TYPE_1779, NdncDN
    strDomainDNS = objTranslator.Get(ADS_NAME_TYPE_CANONICAL)
    strDomainDNS = Left(strDomainDNS, len(strDomainDNS)-1)

    Wscript.Echo "DNS name: " & strDomainDNS

    ' Find a domain controller that hosts this NDNC and that is online.
    set objRootDSE = GetObject("LDAP://" & strDomainDNS & "/RootDSE")
    strDnsHostName = objRootDSE.Get("dnsHostName")
    strDsServiceName = objRootDSE.Get("dsServiceName")
    Wscript.Echo "Using DC " & strDnsHostName

    ' Get the current infrastructure fsmo.
    strInfraDN = "CN=Infrastructure," & NdncDN
    set objInfra = GetObject("LDAP://" & strInfraDN)
    Wscript.Echo "infra fsmo is " & objInfra.fsmoroleowner

    ' If the current fsmo holder is deleted (its DN carries the "\0ADEL:"
    ' tombstone marker), set the fsmo holder to this domain controller.
    if (InStr(objInfra.fsmoroleowner, "\0ADEL:") > 0) then

        ' Set the fsmo holder to this domain controller.
        objInfra.Put "fSMORoleOwner", strDsServiceName
        objInfra.SetInfo

        ' Read the fsmo holder back.
        set objInfra = GetObject("LDAP://" & strInfraDN)
        Wscript.Echo "infra fsmo changed to:" & objInfra.fsmoroleowner

    End if
End if


Now open a command prompt on that DC and run the script:

cscript Script.vbs DC=ForestDNSZones,DC=contoso,DC=com

where DC=contoso,DC=com is your Windows domain. My domain was Domain1.com, so I replaced contoso with Domain1, and the command for me was:

cscript Script.vbs DC=ForestDNSZones,DC=Domain1,DC=com

The script takes any application partition, so if the error names DomainDnsZones instead, run it with DC=DomainDnsZones,DC=Domain1,DC=com. Now try dcpromo again.

If that doesn't work, at the command prompt run:

dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=domain,DC=int -attr fSMORoleOwner

and check whether the result names an old DC that you demoted earlier but which still has traces in the domain. Remove the stale server with ntdsutil metadata cleanup (the supported route) or, failing that, with ADSI Edit. The following article might help:

http://www.zerohoursleep.com/2011/07/dcpromo-out-fails-with-the-directory-service-is-missing-mandatory-configuration-information-and-is-unable-to-determine-the-ownership-of-floating-single-master-operation-roles/
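As an added example that is not from the original article: the test the VBScript performs with InStr(objInfra.fsmoroleowner, "\0ADEL:"), applied to the text that the dsquery command above prints, so you can tell whether the fSMORoleOwner of an application partition is a tombstoned DC, and which server and site it names, before running dcpromo again. The dsquery output embedded below is constructed with placeholder GUIDs, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: the same test the
# VBScript does with InStr(objInfra.fsmoroleowner, "\0ADEL:"), applied
# to the text that
#   dsquery * CN=Infrastructure,DC=ForestDnsZones,DC=contoso,DC=com -attr fSMORoleOwner
# prints, so you can see whether the role owner is a tombstoned DC, and
# which server and site it names, before running dcpromo again.
# Assumptions: the dsquery output is piped in or saved to a file; the
# sample below is constructed with placeholder GUIDs; RDN values contain
# no escaped commas.
#
# fSMORoleOwner is the DN of the owner's NTDS Settings object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=...
# When that DC has been deleted, the deleted object's RDN becomes
# "<name>\0ADEL:<objectGUID>", the tombstone marker both tests look for.

# Extract the DN from dsquery's output (attribute name on one line,
# the value, indented, on the next).
fsmo_owner_from_dsquery() {
    awk '/^[ \t]*CN=/ { sub(/^[ \t]+/, ""); print; exit }'
}

# True (exit 0) if the owner DN refers to a deleted object.
fsmo_owner_deleted() {
    case "$1" in
        *'\0ADEL:'*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Server name: the second RDN, with any tombstone suffix stripped.
fsmo_owner_server() {
    printf '%s\n' "$1" |
        awk -F',' '{ v = $2; sub(/^CN=/, "", v); sub(/\\0ADEL:.*$/, "", v); print v }'
}

# Site name: the fourth RDN.
fsmo_owner_site() {
    printf '%s\n' "$1" | awk -F',' '{ v = $4; sub(/^CN=/, "", v); print v }'
}

# Constructed sample: the owner was demoted without metadata cleanup.
SAMPLE_DSQUERY='  fSMORoleOwner
  CN=NTDS Settings\0ADEL:00000000-0000-0000-0000-000000000001,CN=OLDDC\0ADEL:00000000-0000-0000-0000-000000000002,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com'

owner="$(printf '%s\n' "$SAMPLE_DSQUERY" | fsmo_owner_from_dsquery)"
if fsmo_owner_deleted "$owner"; then
    echo "owner is deleted DC $(fsmo_owner_server "$owner") in site $(fsmo_owner_site "$owner"): clean up its metadata, then reset the role"
else
    echo "owner is live DC $(fsmo_owner_server "$owner")"
fi
```

On a real DC, pipe the dsquery output through fsmo_owner_from_dsquery (for example from a saved file) and run the same checks; a live owner shows a plain CN=NTDS Settings,CN=<server> prefix with no \0ADEL: suffix.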


BurFlags – D4

Reinitializing/Forcing File Replication Service FRS using Registry key BurFlags D4:

Have you been in the situation where AD changes made on Windows 2003 Domain Controllers do not replicate between them? I have been there several times; the last time was when I was transferring the Global Catalog role for an Exchange Server migration, and none of the AD changes I made replicated to the other DCs. SYSVOL replication was failing as well. The only thing that worked for me was an authoritative FRS restore: set the BurFlags registry value to D4 and restart the File Replication Service, which I did on the DC that had the replication and SYSVOL problems.

BurFlags is a REG_DWORD value located at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

The most common values for BurFlags are:

D2: a non-authoritative restore; the DC discards its own copy and pulls SYSVOL from a replication partner.
D4: an authoritative restore; the DC's copy becomes the one every partner pulls.

Changing BurFlags to D4 and restarting the File Replication Service reinitializes replication. Set D4 on exactly one DC, the one whose SYSVOL content you want to keep, and D2 on the others: a D4 restore makes that DC's copy the master, so doing it on a DC whose SYSVOL is stale or damaged pushes the bad copy to everyone else.

For more instructions, please refer to the following Knowledgebase article:

http://support.microsoft.com/kb/290762


Registry Caution: Do not use Registry Editor to edit the registry directly unless you have no alternative and Microsoft directs you to. The registry editors bypass the standard safeguards provided by administrative tools, which prevent you from entering conflicting settings or settings likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require you to reinstall Windows. Take a full backup of the system before making registry changes. Do it at your own risk; bostonIT does not assume responsibility for any unintended consequences.

Cisco ASA rommon – Error 15: File not found unable to boot an image

Cisco ASA rommon – Error 15: File not found unable to boot an image:

This error can occur at startup because the ASA has no boot image, is pointed at the wrong image, or is configured to boot from a source that is not available. It can also be a hardware problem such as bad flash, in which case you have to take it up with Cisco or a hardware support provider.

The following instructions walk you through configuring the ASA in rommon to boot an image over TFTP, bringing it up in normal mode, copying the image from the TFTP server into the ASA's flash, and reloading so it boots normally from flash.

– We will assign the ASA's Ethernet0/0 the IP address 10.1.1.200.
– The Cisco ASA image file to upload through TFTP is named asa-k9.bin.
– Connect the ASA's Ethernet0/0 and your computer's Ethernet port to the same switch, ideally an isolated one or a direct cable: the rommon TFTP download has no authentication or integrity check, so any host on that segment could hand the ASA an image.
– Download and install a free TFTP server on your computer and put asa-k9.bin in the TFTP server's root directory. A TFTP server is a very simple program that you can find and download; www.solarwinds.com has one, for instance. Use an image downloaded from Cisco and compare its MD5 with the checksum shown on the Cisco download page.
– The ASA and the computer are on the same network and we use Ethernet0/0 of the ASA. The TFTP server (your machine) will be 10.1.1.100, so manually assign your machine the IP address 10.1.1.100 with subnet mask 255.255.255.0 (no gateway or DNS needed).

Connect your computer to the ASA over the console cable and, while the firewall is booting, when you are prompted with "Use BREAK or ESC to interrupt boot", press Escape to drop into rommon (think of rommon as the ASA's equivalent of Safe Mode in Windows). Then type the following:

rommon #0> PORT=ETHERNET0/0
Ethernet0/0
Link is UP MAC Address: 0005-9858-df5g-e21d
rommon #1> ADDRESS=10.1.1.200
rommon #2> SERVER=10.1.1.100
rommon #3> GATEWAY=10.1.1.100
rommon #4> IMAGE=asa-k9.bin
rommon #5> tftp

Booting starts automatically…

Go into enable mode (the enable password is blank, so just press Enter at the password prompt):
ciscoasa> enable

You might want to format the flash here. Formatting erases everything on it, including OS images and config files, so you will have to copy the ASA image into flash again (as explained below), and once the ASA boots normally you will have to reconfigure it by hand unless you have a backup configuration to work from.
ciscoasa# format flash:

Go to config mode, assign an IP address to the interface, and copy the image file from the TFTP server. The TFTP server is on the directly connected subnet, so no route is needed; if it were elsewhere you would add one through the inside interface (route inside 0.0.0.0 0.0.0.0 <your gateway>).
ciscoasa# conf t
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# ip address 10.1.1.200 255.255.255.0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit
ciscoasa# copy tftp://10.1.1.100/asa-k9.bin flash:
.
.
.
ciscoasa# verify /md5 flash:/asa-k9.bin
ciscoasa# write memory

Compare the MD5 printed by verify with the checksum on the Cisco download page before booting from the file.

Find out the ASA's configuration register, set it to 0x1 so it boots from flash (not TFTP), and set the boot image to the file you just uploaded.

ciscoasa# show version
Look toward the end of "show version" and you should see something similar to:
Configuration register is 0x2014

Change the config register to 0x1 and set the boot image (if your .bin image has a different name, use it here):
ciscoasa# conf t
ciscoasa(config)# config-register 0x1
ciscoasa(config)# boot system flash:/asa-k9.bin
ciscoasa(config)# exit

Save and reboot:
ciscoasa# write memory
ciscoasa# reload

This will restart the ASA.


Windows server 2008 crashes at startup – c00002e2

STOP: c00002e2 Directory Services could not start because of the following error: a device attached to the system is not functioning.

Applies to: Windows Server 2008, Windows Server 2008 R2 with Exchange 2007 installed on single node.

You might hit this while going about your daily work. The first reaction is to panic and assume the domain controller is failing, not to mention the heat you face if that domain controller also hosts your Exchange 2007, which is the typical small-business scenario I have seen.

Cause: 

This problem occurs because one or more of the following conditions are true:

– The NTFS file system permissions on the root of the drive are too restrictive.

– The NTFS file system permissions on the NTDS folder are too restrictive.

– The drive letter of the volume that contains the Active Directory database has changed.

– The Active Directory database (Ntds.dit) is corrupted.

– The NTDS folder is compressed.

Troubleshooting steps:

  1. Boot into Directory Services Restore Mode (press F8 at startup). You might need to do it twice if the disk has errors.
  2. Run CHKDSK in read-only mode to verify there are no errors on the disk. If it reports errors, run CHKDSK /R; it will not wipe your data, whatever the myths say.
  3. Boot into Directory Services Restore Mode (F8) again.
  4. Open a command prompt with administrative privileges and run:
     NTDSUTIL
     activate instance NTDS
     files info

You will see an error similar to the following:

“Error: Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113”

Event log: 

  • Error 1003: Active Directory Domain Services could not be initialized. The directory service cannot recover from this error. Restore the local directory service from backup media. Error value: -501 JET_errLogFileCorrupt, Log file is corrupt
  • Error 465: NTDS (2156) Corruption was detected during soft recovery in logfile C:\Windows\NTDS\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 6697 (0x00001A29). This logfile has been damaged and is unusable.
  • Error 454: NTDS (2256) Database recovery/restore failed with unexpected error -501.

Solution: 

The fix is a single step:

Copy the whole C:\Windows\NTDS folder somewhere safe first. Then, in C:\Windows\NTDS, rename every *.log file by appending .old, and restart the system.

Example: edb.log becomes edb.log.old.

Renaming the log files discards whatever had not yet been committed to Ntds.dit; since the logs themselves are what the events above report as corrupt, that is the price of getting the database to open. Active Directory Domain Services should start again after the reboot.

At this point it is wise to consider replacing the hard disk, and to check your Group Policy settings if you see any further file corruption.

If you find this article helpful, please send us a note to WDallal@bostonIT.com so we can keep on adding quality hands-on articles.

Recover Deleted Items Outlook 2010

Recover Deleted Items is not available/missing – Outlook 2010 – Exchange and Office 365

Scenario:

When you right-click on Deleted Items in Outlook 2010, you don’t see an option to Recover Deleted Items (the way it used to be with Office 2003/2007).

Resolutions:

To get to “Recover Deleted Items”, please click on the Folder tab on the Outlook tool bar (You should see 5 tabs; File, Home, Send/Receive, Folder and View). When you click on the Folder tab you should see a button called Recover Deleted Items.

You can also get to “Recover Deleted Items” by going to OWA or Microsoft Online Portal, right click on Deleted Items folder in the Folder list, Recover Deleted Items will be one of the options there.


Windows Updates Fail – Error 80070216

Windows 7 – Windows Update keeps failing with Error 80070216

Scenario:

When trying to install Windows updates on a Windows 7, it keeps failing with the error above.

Resolutions:

In the case seen here the machine was infected with a rootkit. Download Kaspersky TDSSKiller and ComboFix from their publishers' own sites (not from whatever a search turns up first; fake copies of cleanup tools are a common malware lure), run TDSSKiller and then ComboFix, and Windows Update should work afterwards. If the machine held anything sensitive, treat a rootkit as a reason to rebuild from known-good media rather than trust a cleaned system.


Anyconnect Memory Locks up and Cert8

AnyConnect on Linux locks up before it finally connects because memory usage climbs until it reaches 100%, and the machine has to be rebooted to recover. Seen on Kubuntu; applies to Ubuntu and Linux in general.

Scenario:

When using the Linux Cisco AnyConnect client x64 (on Kubuntu in this case), memory usage climbs gradually until it is all used up, and AnyConnect never connects.

I ran the VPN client under gdb to get a sense of what it was doing while allocating so much memory.

Thread 3 of the process below is the only active thread, and its backtrace shows it enumerating certificates: AnyConnect's certificate-store code calls into NSS (CERT_FindUserCertsByUsage, CERT_GetCertNicknames), and the frames at the top are in libnssdbm3.so, the NSS backend for the legacy cert8.db/key3.db database format. More related logs follow.


(gdb) thread 3
[Switching to thread 3 (Thread 0x7ffff28b3700 (LWP 3656))]
#0  0x00007ffff49f8180 in PR_Free () from /usr/lib/x86_64-linux-gnu/libnspr4.so
(gdb) bt
#0  0x00007ffff49f8180 in PR_Free () from /usr/lib/x86_64-linux-gnu/libnspr4.so
#1  0x00007ffff35bab1a in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#2  0x00007ffff35bcb15 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#3  0x00007ffff35be6eb in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#4  0x00007ffff35c3880 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#5  0x00007ffff35c413b in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#6  0x00007ffff35c41e7 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#7  0x00007ffff35bf262 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#8  0x00007ffff35bf751 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libnssdbm3.so
#9  0x00007ffff3a9c8e2 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#10 0x00007ffff3a87e75 in ?? () from /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#11 0x00007ffff3a8c78c in ?? () from /usr/lib/x86_64-linux-gnu/nss/libsoftokn3.so
#12 0x00007ffff52b0d60 in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#13 0x00007ffff52aa4d2 in ?? () from /usr/lib/x86_64-linux-gnu/libnss3.so
#14 0x00007ffff5272091 in CERT_GetCertNicknames () from /usr/lib/x86_64-linux-gnu/libnss3.so
#15 0x00007ffff5272149 in CERT_FindUserCertsByUsage () from /usr/lib/x86_64-linux-gnu/libnss3.so
#16 0x00007ffff7844cc5 in CNSSCertStore::Enumerate(eCertType, std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#17 0x00007ffff7818474 in CCollectiveCertStore::Enumerate(eCertType, std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#18 0x00007ffff781363c in CCertStore::GetCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#19 0x00007ffff7818575 in CCollectiveCertStore::GetCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#20 0x00007ffff780fb1c in CCertHelper::GetClientCertificates(CERT_ENTRY*, CCertNameList*, std::list<CCertificate*, std::allocator<CCertificate*> >&, unsigned int) () from /opt/cisco/anyconnect/lib/libvpncommoncrypt.so
#21 0x00007ffff7abb5d9 in ApiCert::getCertList(CERT_ENTRY*, CCertNameList*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#22 0x00007ffff7abbcb5 in ApiCert::getCertList(CERT_ENTRY*, std::string const&, ConnectProtocolType) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#23 0x00007ffff7ace406 in ConnectMgr::resetCertRegistration(std::string) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#24 0x00007ffff7ae565b in ConnectMgr::setConnectionData(std::string const&) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#25 0x00007ffff7aed002 in ConnectMgr::initiateConnect(std::string const&, bool) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#26 0x00007ffff7af3c1a in ConnectMgr::run() () from /opt/cisco/anyconnect/lib/libvpnapi.so
#27 0x00007ffff7ac608a in ApiThread::threadProcedure(void*) () from /opt/cisco/anyconnect/lib/libvpnapi.so
#28 0x00007ffff6753e9a in start_thread (arg=0x7ffff28b3700) at pthread_create.c:308
#29 0x00007ffff5c6eccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112

The relevant portion of the syslog follows. Note that the kernel experiences a page allocation failure shortly after the VPN connection is initiated.

Oct 31 15:08:01 Kubuntu acvpncli[1509]: Initializing vpnapi version 3.1.04072 ().
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getCurrentState File: ../../vpn/Api/ClientIfcBase.cpp Line: 2058 API service not ready
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Current Preference Settings: ServiceDisable: false CertificateStoreOverride: false CertificateStore: All ShowPreConnectMessage: false AutoConnectOnStart: false MinimizeOnConnect: true LocalLanAccess: true AutoReconnect: true AutoUpdate: true ProxySettings: Native AllowLocalProxyConnections: true PPPExclusion: Disable PPPExclusionServerIP: EnableScripting: false TerminateScriptOnNextEvent: false AuthenticationTimeout: 12 IPProtocolSupport: IPv4,IPv6 AllowManualHostInput: true BlockUntrustedServers: false PublicProxyServerAddress:
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: OnNegotiateMessageTypesComplete File: ../../vpn/Api/ApiIpc.cpp Line: 726 Master Agent Connection started.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: VPN state: Disconnected Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: setConnectRequestComplete File: ../../vpn/Api/ConnectMgr.cpp Line: 9133 Connect request complete. Proceeding to cleanup.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: activateConnectEvent File: ../../vpn/Api/ConnectMgr.cpp Line: 1352 NULL object. Cannot establish a connection at this time.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Message type information sent to the user: Ready to connect.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: attach File: ../../vpn/Api/ClientIfcBase.cpp Line: 629 Client successfully attached.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: WMHintCB File: ../../vpn/Api/ClientIfc.cpp Line: 146 User did not implement WMHintCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: WMHintCB File: ../../vpn/Api/ClientIfc.cpp Line: 146 User did not implement WMHintCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: An SSL VPN connection to MyVPN.Server.com has been requested by the user.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 873 Profile () not found. Using default settings.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: deliverWebLaunchHostCB File: ../../vpn/Api/ClientIfc.cpp Line: 152 User did not implement deliverWebLaunchHostCB.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 793 No profile available for host MyVPN.Server.com.
Oct 31 15:08:01 Kubuntu acvpncli[1509]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 873 Profile () not found. Using default settings.
Oct 31 15:08:03 Kubuntu kernel: [395314.511185] kworker/u:2: page allocation failure: order:1, mode:0x4020

 

Resolution:

After troubleshooting, it turned out that the Firefox cert8.db had probably been corrupted. AnyConnect on Linux relies on the NSS libraries and reads the Firefox profile's certificate database (cert8.db and key3.db; the libnssdbm3.so frames in the backtrace above are the NSS backend for that file format) as one of its certificate stores, and on this particular machine it did not like something in that file. It might also be an undocumented AnyConnect bug on Kubuntu or Linux in general.

Renaming the following two files (close Firefox first) corrected the issue; the 8n6w3k0u.default part is the profile folder name and differs from machine to machine:

/home/Kubuntu/.mozilla/firefox/8n6w3k0u.default/cert8.db

/home/Kubuntu/.mozilla/firefox/8n6w3k0u.default/key3.db

After you rename the two files, start Firefox once and it will recreate them. Keep the renamed copies rather than deleting them: key3.db holds the private keys of any client certificates imported into that profile. Note also that the preference dump in the syslog above shows BlockUntrustedServers: false on this machine; once the store problem is fixed, re-enable "Block connections to untrusted servers" so the client verifies the gateway's certificate again.

Note: those files are profile-specific, i.e. if you log in to the machine as a different user and start AnyConnect, you might not see the same issue.
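An added example, not part of the original article, of the rename step done without guessing the profile folder name: it reads profiles.ini to find every Firefox profile, refuses to run while Firefox is open, and moves the NSS database files aside (cert8.db/key3.db, plus the cert9.db/key4.db that newer Firefox versions use for the same data). The profile tree it operates on is constructed in a temporary directory so the script runs as-is; point it at $HOME/.mozilla/firefox for the real thing. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: do the rename step
# without guessing the profile folder name. Reads profiles.ini to find
# every Firefox profile, refuses to run while Firefox is open, and moves
# the NSS database files aside so Firefox recreates them on next start.
# Assumptions: profiles.ini uses Firefox's own Path=/IsRelative= keys;
# the profile tree below is constructed in a temporary directory so the
# script runs as-is (use $HOME/.mozilla/firefox for real). Newer Firefox
# stores the same data in cert9.db/key4.db, so those are handled too.

# Print one profile directory per line, read from $1/profiles.ini.
firefox_profile_dirs() {
    awk -v base="$1" '
        function emit(   d) { d = (rel == "1") ? base "/" path : path; print d }
        /^\[/          { if (path != "") emit(); path = ""; rel = "1" }
        /^Path=/       { path = substr($0, 6) }
        /^IsRelative=/ { rel = substr($0, 12) }
        END            { if (path != "") emit() }
    ' "$1/profiles.ini"
}

# Rename the certificate and key databases in profile directory $1 to
# *.$2 (default "old") and print how many files were moved. key3.db/key4.db
# hold the private keys of any client certificates imported into the
# profile, so the renamed copies are worth keeping.
park_nss_db() {
    dir="$1"; suffix="${2:-old}"
    if pgrep -x firefox >/dev/null 2>&1; then
        echo "Firefox is running; close it first" >&2
        return 1
    fi
    moved=0
    for f in cert8.db key3.db cert9.db key4.db; do
        [ -f "$dir/$f" ] || continue
        mv "$dir/$f" "$dir/$f.$suffix"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Constructed stand-in for ~/.mozilla/firefox with one profile; prints its path.
make_fixture() {
    root="$(mktemp -d)/.mozilla/firefox"
    mkdir -p "$root/8n6w3k0u.default"
    printf '[General]\nStartWithLastProfile=1\n\n[Profile0]\nName=default\nIsRelative=1\nPath=8n6w3k0u.default\nDefault=1\n' \
        > "$root/profiles.ini"
    : > "$root/8n6w3k0u.default/cert8.db"
    : > "$root/8n6w3k0u.default/key3.db"
    printf '%s\n' "$root"
}

ffdir="$(make_fixture)"   # for a real machine: ffdir="$HOME/.mozilla/firefox"
firefox_profile_dirs "$ffdir" | while IFS= read -r profile; do
    n="$(park_nss_db "$profile" old)" && echo "$profile: moved $n file(s); start Firefox once to recreate them"
done
```

Running it a second time moves nothing, since the databases are already parked, so it is safe to re-run after Firefox has recreated the files if the problem returns.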


Cisco RV082 NAT Example

Cisco RV082 One To One NAT – Access Rules Example

Example:
Public IP Address: 75.75.75.75
Private IP Address: 192.168.1.10

In this example we will NAT 192.168.1.10 to 75.75.75.75 and open up TCP Port 23 (Telnet) to the inside host from outside.

– Log in to the Cisco RV082 through the browser.
– On the left click Setup, then One-To-One NAT.
– Tick Enable One-To-One NAT. In Private Range Begin enter 192.168.1.10, in Public Range Begin enter 75.75.75.75, and in Range Length enter 1. Click Add to List, then Save.

Click Firewall on the left, then Access Rules, then Add:
For Action choose Allow
For Service choose TELNET TCP 23-23
For Log choose the option you want
For Source choose the outside interface of the router; in my case it is WAN 1
For Source IP choose ANY (if you want it reachable by anyone on the Internet)
For Destination choose the inside IP address of the NAT, 192.168.1.10 (NOT the public IP address)
Click Save

Now create a second rule to deny all other access to the NAT'd host:
Click Firewall on the left, then Access Rules, then Add:
For Action choose Deny
For Service choose Any
For Log choose the option you want
For Source choose the outside interface of the router; in my case it is WAN 1
For Source IP choose ANY
For Destination choose the inside IP address of the NAT, 192.168.1.10 (NOT the public IP address)
Click Save

Rules are evaluated in the order listed, so the Allow rule must sit above this Deny rule; check the priority after saving. Telnet is plaintext, so the same steps with SSH (TCP 22) are the better choice if the host supports it.
