MITA End-User VPN Troubleshooting Guide


Academic year: 2021


01. Introduction

MITA VPN users can be assigned one of two types of profiles – Client-Based or Web-Based, depending on the type of access required. When logging on to the MITA VPN Portal https://vpn.secure.gov.mt, the user’s type of profile will be detected automatically. If the account is based on a web interface, the user will be directed to the VPN’s web interface, while if the user’s account is based on the client software, the installation will be triggered automatically. The setup will detect the Operating System and install the appropriate VPN Client Software version. Java and/or ActiveX might be required. Alternatively, the MITA VPN Software can be downloaded from http://vpn.mita.gov.mt.

This document provides brief descriptions (and screenshots) of the errors that might be encountered when using Cisco AnyConnect software, and how to proceed in solving the issue.

Error – The exact error wording given by the software

Cause – What might be causing the issue

Solution – Suggested action to solve the issue

The easiest way to look for a specific error is to use the Search function of the document (Ctrl + F) and type part or all of the message appearing in the Error dialogue box.

02. Error Details for MITA VPN Cisco AnyConnect Client Software

02.1 Error: AnyConnect is not enabled on the VPN server

Cause: The VPN Account is associated with a profile which existed prior to the VPN migration project.


02.2 Error: Login Failed

Cause: Incorrect credentials are being inserted or the Security Token status is invalid.

Solution:

• Confirm that the correct credentials are being inserted:
  o Username in the Username field (no CORP\)
  o CORP Password (case sensitive and no spaces) + Number on the Security Token in the Password field
• If the error persists, contact MITA Service Call Centre to check the Security Token status.

02.3 Error: Connection attempt failed

Cause: Incorrect credentials are being inserted, or the Security Token status is invalid.

Solution:

• Confirm that the correct credentials are being inserted:
  o Username in the Username field (no CORP\)
  o CORP Password (case sensitive and no spaces) + Number on the Security Token in the Password field


02.4 Error:

1st Dialogue Box - The Secure Gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: Host or network is 0

2nd Dialogue Box - AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause: The user’s workstation was assigned an invalid IP while trying to connect to the VPN. The IP is either a duplicate or empty.


02.5 Error: The VPN connection is not allowed via a local proxy. This can be changed through AnyConnect profile settings.

Cause: AnyConnect prevented the use of a local proxy to establish a VPN Connection.

Solution: Remove the local proxy settings and try a new VPN connection.

The proxy settings in Internet Explorer can be changed as follows:

1. Click the Tools button, and then click Internet Options.
2. Click the Connections tab, and then click LAN settings.
3. Deselect the Use a proxy server for your LAN check box.
4. Select the Automatically detect settings check box.
5. When finished making changes, click OK until you return to Internet Explorer.


02.6 Error:

1st Dialogue Box - The VPN client driver has encountered an error.

2nd Dialogue Box - AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause: Cisco AnyConnect software was corrupted during installation, either because an error occurred during the installation or because the installation was interrupted. This error might also be caused by a Cisco bug (ID CSCsm54689) or by a recent Microsoft update to the certclass.inf file.

Solution:

Make sure that Routing and Remote Access Service is disabled before starting AnyConnect. If this does not resolve the issue, complete the following steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Run

esentutl /p %systemroot%\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

4. When prompted, choose OK to attempt the repair.
5. Exit the command prompt.
6. Reboot workstation.

If repair fails, complete the following steps:

1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Rename the %WINDIR%\system32\catroot2 directory to catroot2_old.
4. Exit the command prompt.
5. Reboot.

One can analyze the database at any time in order to determine if it is valid.

1. Open a command prompt as an Administrator on the PC.


02.7 Error: Could not connect to server. Please verify Internet connectivity and server address.

Cause: The user’s workstation has one of the following:

• No internet connection
• Multi-network connectivity (e.g. connected to a WiFi network and via UTP simultaneously)
• Government Network (at work)
• SOHO Router (Router provided by MITA at the user’s home)


02.8 Error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause:

• DNS Failure
• Bridged connections (Wired and Wireless)

Solution:

• Insert IP 217.71.180.126 instead of vpn.secure.gov.mt, and click Connect
• If the above does not work, try to resolve vpn.secure.gov.mt in Command Prompt
  1. Click on Start, and select Run
  2. Type cmd, and click OK
  3. Type nslookup vpn.secure.gov.mt
  4. The following should appear:
     Name: vpn.secure.gov.mt
     Address: 217.71.180.126
• Connect only to one type of connection. If using a laptop and it is connected via a network cable, make sure that its Wireless Network Card is disabled / switched off. This can be done in different ways, depending on the model.
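Several causes listed in sections 02.5 to 02.8 (local proxy, Routing and Remote Access Service, multi-network connectivity, DNS failure) can be checked before opening AnyConnect. The PowerShell script below is an added example, not part of the MITA guide or of Cisco's tooling; it assumes Windows 8 or later, and the function name Test-VpnPrerequisite is hypothetical.

```powershell
# Added example: checks for the causes named in sections 02.5 to 02.8.
# Host name and address are taken from this guide; Test-VpnPrerequisite is a
# hypothetical name. Assumes Windows 8 or later (Resolve-DnsName, Get-NetAdapter).
$VpnHost    = 'vpn.secure.gov.mt'
$ExpectedIp = '217.71.180.126'

function Test-VpnPrerequisite {
    $findings = @()

    # 02.8 DNS failure: resolve the portal name and compare with the guide's address.
    try {
        $ips = @(Resolve-DnsName -Name $VpnHost -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        if ($ips -notcontains $ExpectedIp) {
            $findings += "DNS: $VpnHost resolved to '$($ips -join ', ')', expected $ExpectedIp"
        }
    } catch {
        $findings += "DNS: $VpnHost did not resolve ($($_.Exception.Message))"
    }

    # 02.7 / 02.8: no connection, or wired and wireless connected simultaneously.
    $up = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    if ($up.Count -eq 0) {
        $findings += 'Network: no physical adapter is connected'
    } elseif ($up.Count -gt 1) {
        $findings += "Network: several adapters are connected: $($up.Name -join ', ')"
    }

    # 02.5: "Use a proxy server for your LAN" is set for the current user.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key
    if ($inet.ProxyEnable -eq 1) {
        $findings += "Proxy: a proxy server is configured ($($inet.ProxyServer))"
    }

    # 02.6: Routing and Remote Access Service should be disabled.
    $rras = Get-CimInstance Win32_Service -Filter "Name='RemoteAccess'"
    if ($rras -and $rras.StartMode -ne 'Disabled') {
        $findings += "RRAS: start mode is $($rras.StartMode), state is $($rras.State)"
    }

    return $findings
}

$result = @(Test-VpnPrerequisite)
if ($result.Count -eq 0) { 'No issue found for the checked causes.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

A DNS finding that shows a different address than the one printed in this guide is worth reporting to the MITA Service Call Centre rather than working around.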


02.9 Error: The VPN client agent was unable to create the interprocess communication depot.

Cause: Internet Connection Sharing (ICS) is enabled.

Solution: Disable Internet Connection Sharing for Windows Vista and Windows 7 by completing the following steps:

1. Open Network Connections by clicking the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage Network Connections.
2. Right-click the Shared Network Connection, and then click Properties. If prompted for an administrator password or confirmation, type the password or provide confirmation by clicking Continue.
3. Click the Sharing tab, clear the Allow other network users to connect through this computer's Internet connection check box, and then click OK.

02.10 Symptoms: User connects to VPN using Cisco AnyConnect, however the access to certain services such as File Sharing or specific applications is slow or not permitted.

Cause: If connected to a Melita Private connection using a wireless modem (provided by Melita), a number of services / ports are blocked by the firewall on the wireless modem.

Solution:

• Contact Melita / modify the Wireless modem settings as follows:
  o Firewall TAB
    - Disable: IP Flood Detection
    - Disable: Firewall Protection
  o Advanced TAB


02.11 Error: Failed to initialize connection subsystem.

Cause: The latest Windows Operating System (such as Windows 8.1) is incompatible.

Solution:

1. Go to the Start Screen of Windows 8.1 and search for the Cisco AnyConnect Secure Mobility Client icon (or just type it on the Start Screen).


3. Right click the Cisco AnyConnect Secure Mobility Client (Shortcut) and select Properties.

4. Click on Compatibility tab


02.12 Producing a DART (Diagnostic AnyConnect Reporting Tool) Bundle

Sometimes certain troubleshooting is more difficult to perform and a DART Bundle will be required, in order to analyse the root cause of the problem, based on the logs recorded from the user’s Workstation.

The DART Software is automatically installed when a user logs on to MITA VPN for the first time using Cisco AnyConnect. It is important not to interrupt any installations or updates which are triggered automatically by the VPN software.

Reference:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html#wp1058628

02.12.1 Running DART on Windows

To run the DART wizard and create a DART bundle for Windows, follow these steps (screenshots provided below):

1. Open Cisco AnyConnect and click Advanced.
2. Click the Statistics tab and then click the Diagnostics button at the top of the dialog box.
3. Click Next at the Welcome screen.
4. In the Bundle Creation Options area, select Default.
   The Default option includes the typical log files and diagnostic information, such as the AnyConnect and Cisco Secure Desktop log files, general information about the computer, and a summary of what DART did and did not do.
5. Click Next at the bottom of the dialog box. DART immediately begins creating the bundle. This process might take a few minutes – wait until it finishes.
6. Click Finish after DART finishes creating the bundle. The default name for the bundle is DARTBundle.zip, and by default it is saved to Desktop.
7. The zip file can be sent by email to MITA Service Call Centre or Network Services Team for further diagnosis.

[Screenshots: Steps 4 & 5]

03. Error Details for MITA VPN Portal - WebVPN

03.1 Error: properJavaRDP error – Connection Exeption

Wrong Modulus size! Expected64+8got:264

Cause: Java does not support a Remote Desktop connection to 64-bit Operating Systems. ActiveX might be disabled. The user might not have Administrator privileges.


04. Modification History

Version | Date | Author | Comments
Draft 0.1 | 01/06/2011 | Network Services | Draft version for internal review
Version 1.0 | 27/09/2012 | Network Services | First version for release
Version 1.2 | 17/02/2015 | Network Services | Updates related to method of Authentication and Compatibility

05. Authorisation

Issuing Authority Approval Authority

Signature and Date: Signature and Date:

Name:
