01. Introduction

MITA VPN users can be assigned one of two types of profile, Client-Based or Web-Based, depending on the type of access required. When logging on to the MITA VPN Portal https://vpn.secure.gov.mt, the user's type of profile will be detected automatically. If the account is based on a web interface, the user will be directed to the VPN's web interface, while if the user's account is based on the client software, the installation will be triggered automatically. The setup will detect the Operating System and install the appropriate VPN Client Software version. Java and/or ActiveX might be required. Alternatively, the MITA VPN Software can be downloaded from http://vpn.mita.gov.mt.

This document provides brief descriptions (and screenshots) of the errors that might be encountered when using Cisco AnyConnect software, and how to proceed in solving the issue.

Error: The exact error wording given by the software
Cause: What might be causing the issue
Solution: Suggested action to solve the issue

The easiest way to look for a specific error is to use the Search function of the document (Ctrl + F) and type part or all of the message appearing in the Error dialogue box.

02. Error Details for MITA VPN Cisco AnyConnect Client Software

02.1 Error: AnyConnect is not enabled on the VPN server

Cause: The VPN Account is associated with a profile which existed prior to the VPN migration project.

Solution: The user should contact MITA Service Call Centre, so that the Networks Team associates the VPN account with a profile which was created on the new VPN setup.

Security Classification: Unclassified
02.2 Error: Login Failed

Cause: Incorrect credentials are being inserted or the Security Token status is invalid.

Solution: Confirm that the correct credentials are being inserted:
o Username in the Username field (no CORP\)
o CORP Password (case sensitive and no spaces) + Number on the Security Token in the Password field
If the error persists, contact MITA Service Call Centre to check the Security Token status.

02.3 Error: Connection attempt failed

Cause: Incorrect credentials are being inserted, or the Security Token status is invalid.

Solution: Confirm that the correct credentials are being inserted:
o Username in the Username field (no CORP\)
o CORP Password (case sensitive and no spaces) + Number on the Security Token in the Password field
If the error persists, contact MITA Service Call Centre to check the Security Token status.
02.4 Error:
1st Dialogue Box - The Secure Gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: Host or network is 0
2nd Dialogue Box - AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause: The user's workstation was assigned an invalid IP while trying to connect to the VPN. The IP is either duplicate or empty.

Solution: The user shall try to connect to the VPN again. If the error persists, contact MITA Service Call Centre and quote the error given.
02.5 Error: The VPN connection is not allowed via a local proxy. This can be changed through AnyConnect profile settings.

Cause: AnyConnect prevented the use of a local proxy to establish a VPN Connection.

Solution: Remove the local proxy settings and try a new VPN connection. The proxy settings in Internet Explorer can be changed as follows:
1. Click the Tools button, and then click Internet Options.
2. Click the Connections tab, and then click LAN settings.
3. Deselect the Use a proxy server for your LAN check box.
4. Select the Automatically detect settings check box.
5. When finished making changes, click OK until you return to Internet Explorer.

Solution 2: Disable any Anti-Virus or Internet Security Software prior to connecting to VPN. Software known to cause this error includes Kaspersky Anti-Virus and Internet Security.
02.6 Error:
1st Dialogue Box - The VPN client driver has encountered an error.
2nd Dialogue Box - AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause: Cisco AnyConnect software was corrupted during installation, either because an error occurred during the installation or because it was interrupted while being installed. This error might also be caused by Cisco bug (ID CSCsm54689) or a recent Microsoft update to the certclass.inf file.

Solution: Make sure that Routing and Remote Access Service is disabled before starting AnyConnect. If this does not resolve the issue, complete the following steps:
1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Run esentutl /p %systemroot%\system32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
4. When prompted, choose OK to attempt the repair.
5. Exit the command prompt.
6. Reboot the workstation.

If the repair fails, complete the following steps:
1. Open a command prompt as an Administrator on the PC (elevated prompt on Vista).
2. Run net stop CryptSvc.
3. Rename the %WINDIR%\system32\catroot2 directory to catroot2_old.
4. Exit the command prompt.
5. Reboot.

The database can be analysed at any time to determine whether it is valid:
1. Open a command prompt as an Administrator on the PC.
2. Run esentutl /g %systemroot%\system32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
3. Refer to System Catalog Database Integrity for more information.
02.7 Error: Could not connect to server. Please verify Internet connectivity and server address.

Cause: The user's workstation has one of the following:
o No internet connection
o Multi-network connectivity (e.g. connected to a WiFi network and via UTP simultaneously)
o Government Network (at work)
o SOHO Router (Router provided by MITA at the user's home)

Solution:
o Connect the workstation to a proper internet connection, such as a MITA Fast Remote connection or private Internet connection.
o If connected to the Government Network or a SOHO Router, the VPN account is not required.
o If using a laptop and it is connected via a network cable, make sure that its Wireless Network Card is disabled / switched off. This can be done in different ways, depending on the model.
02.8 Error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

Cause:
o DNS Failure
o Bridged connections (Wired and Wireless)

Solution:
o Insert IP 217.71.180.126 instead of vpn.secure.gov.mt, and click Connect.
o If the above does not work, try to resolve vpn.secure.gov.mt in Command Prompt:
1. Click on Start, and select Run.
2. Type cmd, and click OK.
3. Type nslookup vpn.secure.gov.mt
4. The following should appear:
   Name: vpn.secure.gov.mt
   Address: 217.71.180.126
o Connect only to one type of connection. If using a laptop and it is connected via a network cable, make sure that its Wireless Network Card is disabled / switched off. This can be done in different ways, depending on the model.
o If the above steps do not work, power-cycle the Modem or contact the ISP.
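
The two workstation-side checks from 02.7 and 02.8 (whether vpn.secure.gov.mt resolves to 217.71.180.126, and whether more than one network connection is active) can be scripted. The PowerShell below is an added example, not part of the MITA guide or of Cisco AnyConnect; it assumes Windows 8 or later, where the Resolve-DnsName and Get-NetAdapter cmdlets are available, and the function names are illustrative.

```powershell
# Added example, not MITA's own tooling. Host name and address are the ones
# quoted in section 02.8; function names are illustrative.
$GatewayName = 'vpn.secure.gov.mt'
$ExpectedIp  = '217.71.180.126'

function Test-GatewayDns {
    param([string]$Name, [string]$Expected)
    try {
        # Keep only A records from the answer section (skips CNAME/SOA rows).
        $ips = @(Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
                 Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' } |
                 ForEach-Object { $_.IPAddress })
    } catch {
        return [pscustomobject]@{ Check = 'DNS'; Ok = $false
            Detail = "Lookup failed: $($_.Exception.Message)" }
    }
    if ($ips.Count -eq 0) {
        return [pscustomobject]@{ Check = 'DNS'; Ok = $false; Detail = 'No A record returned' }
    }
    # An address other than the documented one is reported, not silently accepted.
    $ok = ($ips -contains $Expected)
    [pscustomobject]@{ Check = 'DNS'; Ok = $ok; Detail = "Resolved to: $($ips -join ', ')" }
}

function Test-SingleConnection {
    # 02.7/02.8: wired and wireless active at the same time is a listed cause;
    # zero active adapters corresponds to "No internet connection".
    $up = @(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' })
    $names = ($up | ForEach-Object { "$($_.Name) [$($_.PhysicalMediaType)]" }) -join ', '
    [pscustomobject]@{ Check = 'Adapters'; Ok = ($up.Count -eq 1)
        Detail = "$($up.Count) physical adapter(s) up: $names" }
}

$results = @(
    Test-GatewayDns -Name $GatewayName -Expected $ExpectedIp
    Test-SingleConnection
)
$results | Format-Table -AutoSize -Wrap
# Non-zero exit code if either check failed.
if ($results.Ok -contains $false) { exit 1 }
```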
02.9 Error: The VPN client agent was unable to create the interprocess communication depot.

Cause: Internet Connection Sharing (ICS) is enabled.

Solution: Disable Internet Connection Sharing for Windows Vista and Windows 7 by completing the following steps:
1. Open Network Connections by clicking the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then clicking Manage Network Connections.
2. Right-click the Shared Network Connection, and then click Properties. If prompted for an administrator password or confirmation, type the password or provide confirmation by clicking Continue.
3. Click the Sharing tab, clear the Allow other network users to connect through this computer's Internet connection check box, and then click OK.

02.10 Symptoms: User connects to VPN using Cisco AnyConnect, however the access to certain services such as File Sharing or specific applications is slow or not permitted.

Cause: If connected to a Melita Private connection using a wireless modem (provided by Melita), a number of services / ports are blocked by the firewall on the wireless modem.

Solution: Contact Melita / modify the Wireless modem settings as follows:
o Firewall TAB
    Disable: IP Flood Detection
    Disable: Firewall Protection
o Advanced TAB
    Enable: IPSEC pass-through
    Enable: PPTP pass-through
02.11 Error: Failed to initialize connection subsystem.

Cause: The latest Windows Operating System (such as Windows 8.1) is incompatible.

Solution:
1. Go to the Start Screen of Windows 8.1 and search for the Cisco AnyConnect Secure Mobility Client icon (or just type it on the Start Screen).
2. Right click the icon and select Open File Location.
3. Right click the Cisco AnyConnect Secure Mobility Client (Shortcut) and select Properties.
4. Click on the Compatibility tab.
5. Tick Run this program in compatibility mode for: and select Windows 8.
6. Click OK.
7. Restart the workstation and try connecting again.
02.12 Producing a DART (Diagnostic AnyConnect Reporting Tool) Bundle

Some problems are more difficult to troubleshoot, and a DART Bundle will be required in order to analyse the root cause of the problem, based on the logs recorded from the user's Workstation. The DART Software is automatically installed when a user logs on to MITA VPN for the first time using Cisco AnyConnect. It is important not to interrupt any installations or updates which are triggered automatically by the VPN software.

Reference: http://www.cisco.com/en/us/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html#wp1058628

02.12.1 Running DART on Windows

To run the DART wizard and create a DART bundle for Windows, follow these steps (screenshots provided below):
1. Open Cisco AnyConnect and click Advanced.
2. Click the Statistics tab and then click the Diagnostics button at the top of the dialog box.
3. Click Next at the Welcome screen.
4. In the Bundle Creation Options area, select Default. The Default option includes the typical log files and diagnostic information, such as the AnyConnect and Cisco Secure Desktop log files, general information about the computer, and a summary of what DART did and did not do.
5. Click Next at the bottom of the dialog box; DART immediately begins creating the bundle. This process might take a few minutes; wait until it finishes.
6. Click Finish after DART finishes creating the bundle. The default name for the bundle is DARTBundle.zip, and by default it is saved to Desktop.
7. The zip file can be sent by email to MITA Service Call Centre or Team for further diagnosis.

[Screenshots: Step 1; Step 2; Step 3; Steps 4 & 5; Step 6; Zip File created on Desktop]
03. Error Details for MITA VPN Portal - WebVPN

03.1 Error: properjavardp error Connection Exeption Wrong Modulus size! Expected64+8got:264

Cause: Java does not support a Remote Desktop connection to 64-bit Operating Systems. ActiveX might be disabled. The user might not have Administrator privileges.

Solution: If connected to the VPN portal and trying to connect to a 64-bit Operating System through RDP, ActiveX has to be enabled, and Administrative privileges are required during the initial installation. Mozilla Firefox browser probably will not work at all. It is suggested that in this case Internet Explorer is used.
04. Modification History

Version       Date         Author   Comments
Draft 0.1     01/06/2011            Draft version for internal review
Version 1.0   27/09/2012            First version for release
Version 1.2   17/02/2015            Updates related to method of Authentication and Compatibility

05. Authorisation

Issuing Authority       Approval Authority
Signature and Date:     Signature and Date:
Name: Position:         Name: Position:
Stefan Briffa, Networks Manager