Troubleshooting Cisco AnyConnect VPN Client connection problem after upgrading to Windows 10

I’ve been putting off upgrading from Windows 7 (I never made the jump to Windows 8) to Windows 10, because I’ve been working on some important projects and I didn’t want to have to troubleshoot anything while I was trying to get my normal work done.  But today, I decided to go ahead and bite the bullet, and upgrade to Windows 10.

One problem I had was the Cisco AnyConnect VPN Client (version 2.5.2014) that I use to remotely connect to one of my customer’s networks was suddenly unable to connect after the upgrade.

When trying to connect, I got an error saying only:  AnyConnect was not able to establish a connection to the specified secure gateway.  Please try connecting again.

Image

In Windows Event Viewer, I also saw several critical errors for the VPN client, the most descriptive of which was:

Function: CVAMgr::~CVAMgr
File: .VAMgr.cpp
Line: 151
Invoked Function: CVAMgr::disable
Return Code: -32964594 (0xFE09000E)
Description: VAMGR_ERROR_CVIRTUALADAPTER_FAILED

Googling the error message and the description from event viewer, I came across these two discussion threads that seem to be talking about the same problem I was having (only for Windows 8).

http://www.eightforums.com/network-sharing/4001-cisco-anyconnect.html

https://social.msdn.microsoft.com/Forums/en-US/6fe817f3-27fe-4068-995a-aced4508ee3e/windows-8-and-cisco-vpn?forum=windowsdeveloperpreviewgeneral

Hoping that the information would also apply to Windows 10, I decided to follow the suggestions.

Using Regedit, and after some investigation, I found that a registry value needed by the Cisco VPN client had become “messed up” somehow (I assume during the Windows 10 upgrade, since the VPN client worked fine yesterday).

The key affected was HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnva\DisplayName

It had a value of:

@oem5.inf,%vpnva_Desc%;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

But should be just this instead (removing the preceeding @oem5.inf,%vpnva_Desc%;)…

Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64

Image

So now, I tried to connect again using the Cisco VPN client, but I STILL WAS UNABLE TO CONNECT!

The error message shown was the same, but I checked Event Viewer, and this time, I saw some different error messages being logged (URLs removed)

Function: CManifestMgr::GetFile
File: .ManifestMgr.cpp
Line: 461
Invoked Function: CFileDownloader::DoDownload
Return Code: -16842742 (0xFEFF000A)
Description: unknown
Failed to download from https://XXXXXXXXXXXXXX/CACHE/stc/1/VPNManifest.xml to C:UsersbpursleyAppDataLocalTemp32584.tmpVPNManifest.xml

Function: CManifest::GetManifest
File: .Manifest.cpp
Line: 245
Invoked Function: CManifest::GetManifest
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Failed to get manifest from https://XXXXXXXXXXXXXX/CACHE/stc/1/VPNManifest.xml

Function: CManifestMgr::ProcessManifests
File: .ManifestMgr.cpp
Line: 672
Invoked Function: GetManifest
Return Code: 0 (0x00000000)
Description: Failed to get main manifest

Function: ConnectMgr::launchCachedDownloader
File: .ConnectMgr.cpp
Line: 5234
Invoked Function: ConnectMgr :: launchCachedDownloader
Return Code: 1 (0x00000001)
Description: Cached Downloader terminated abnormally

Function: ConnectMgr::processIfcData
File: .ConnectMgr.cpp
Line: 2164
Invoked Function: ConnectMgr::initiateTunnel
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED

Function: CTransportWinInet::SendRequest
File: .CTransportWinInet.cpp
Line: 1011
Invoked Function: HttpSendRequest
Return Code: 12045 (0x00002F0D)
Description: The certificate authority is invalid or incorrect

Aha!  Now it is telling me there is a certificate problem.

So my next step was to browse to the URL from the log where it said it failed to download the file from (remember, I removed the address from the URL)…

https://XXXXXXXXXXXXXX/CACHE/stc/1/VPNManifest.xml

This showed me that there indeed was a problem with the server’s certificate.  I’m guessing it was a self-signed certificate or something like that.

Again, this is not my server and I don’t control the VPN configuration, but have been connecting to it for a couple of years and know the company who owns this server and trust the identity of this server.  So my next step was to configure my computer to trust this server’s certificate.  Here is how I did that.

Using Chrome (you should be able to do this with other browsers, though), I browsed to the URL, right-clicked on the lock icon to the left of the https in Chrome’s URL bar, clicked on the “Certificate information” hyperlink, and switched to the Details tab.

Image

From there, I clicked the Copy to File button and saved the certificate as type “DER Encoded Binary X.509 (*.cer)”.  It doesn’t matter what name you give it, just save it somewhere you can find it later, because we’re going to use that file in the following steps.  I just gave mine a name of MyCert.cer.

Image

Next, I ran certmgr (Windows+R and run certmgr.msc) and drilled down into Trusted Root Certificate Authorities and then into Certificates…

Image

I right-clicked on Certificates and chose All Tasks, and then Import, which brought up the Certificate Import Wizard.  Here, I chose the certificate file I saved earlier and clicked Next.

Image

On the next page, I just left it set to Trusted Root Certificate Authorities, clicked Next again, and then clicked Finish.

Image

After clicking Finish, I got a security warning saying Windows cannot validate that the certificate is actually from the server it claims to be from, and it asked me to confirm whether I wanted to install this certificate.  I chose Yes, and it installed the certificate.

Image

I opened up the Cisco AnyConnect VPN Client and tried to connect again.  This time it was successful!

Hopefully this will help someone else who might be dealing with problems using the Cisco AnyConnect VPN Client after upgrading to Windows 10.

8 Comments

  • Alex says:

    Thank you for your post! It worked for me with cisco client v2.4 and Windows 10 x64. Editing registry was ehough in my case.

  • bpursley says:

    You’re welcome, Alex. Glad I was able to help.

  • Peter says:

    After hours or research, I was able to run AnyConnect on my machine. Yesterday, new update was installed and I am stuck again – for the 3rd time ;( unfortunately, neither installation of certificate nor compatibility mode did not work for me

  • Armand Amin says:

    Did all this,

    now i get, the host name in the certificate is invalid or does not match. any insight?

  • David Reta says:

    forgot I did this the first time around to get ver 2.5 to work originally then had to reinstall Windows10 4 months later and forgot I even did this. Thanks for posting. working now. 🙂

  • Tom says:

    Not trying to be that guy, but why not uninstall and reinstall Cisco VPN client after your windows 10 upgrade? It would clear registry and recreate those problem keys if I am not mistaken. It would also reinstall the driver for the VPN client fresh for windows 10 to use rather than the old one stale from windows 7. Just asking cause literally any time in our place there is a VPN connection issue (with the cisco client) it is unistall and re-install and still hasnt given problems even after win 10 upgrades. Maybe I just get lucky lol

  • Faisal says:

    This worked for me
    Open Chrome and browse to a website (anyconnect web address)

    Right-clicked on the lock icon to the left of the https in Chrome’s URL bar

    Close the window that appears

    scroll down to bottom till you see

    Reset settings

    Restore settings to their original defaults

    Will warn about about reset

    ok to

    Restart your connect and bang it worked for me

1 Trackback

Leave a Reply

Your email address will not be published. Required fields are marked *