Services/VPN

From popdata

Temporary page Services/VPN_doc_planning_tmp to plan various VPN doc pages.

VPN Installation

Cisco AnyConnect

A successful login to https://access.popdata.bc.ca will offer to download the Cisco AnyConnect VPN client version 2.3.2016 (as of 2011-03-23). Subsequent connections to any Cisco VPN server will automatically download an update if that VPN server has a newer version.

myvpn.ubc.ca offers version 2.4.102 or newer, which is compatible with access.popdata.bc.ca.

It is inconvenient that AnyConnect only remembers the most recently used VPN server, so you have to type in the server name whenever you want to switch between access.popdata.bc.ca and myvpn.ubc.ca.

See also Software-user-maintenance#Cisco_AnyConnect_VPN_client_software

One user asked about enabling a machine connected via RDC to initiate a VPN session. https://supportforums.cisco.com/thread/2128163 says to edit "AnyConnectProfile.xml" (if missing, copy it first from "AnyConnectProfile.tmpl" in "c:\documents and settings\all users\application data\cisco\cisco anyconnect vpn client\profile") and change the setting WindowsVPNEstablishment from LocalUsersOnly to AllowRemoteUsers. On Mac, the profile directory is /opt/cisco/vpn/profile/.

Cisco Anyconnect downloads

Cisco AnyConnect release notes

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html lists supported Windows versions:
  • Windows Vista (32- and 64-bit): Microsoft Windows Vista SP2 or Vista Service Pack 1 with KB952876.
  • Windows XP SP2 and SP3.
  • Windows 2000 SP4.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html lists supported Windows versions:
  • Windows 7 (32-bit and 64-bit). AnyConnect requires a clean install if you upgrade from Windows XP to Windows 7. If you upgrade from Windows Vista to Windows 7, manually uninstall AnyConnect first, then after the upgrade, reinstall it manually or by establishing a web-based connection to a security appliance configured to install it. Uninstalling before the upgrade and reinstalling AnyConnect afterwards is necessary because the upgrade does not preserve the Cisco AnyConnect Virtual Adapter.
  • Windows Vista (32-bit and 64-bit): SP2 or Vista Service Pack 1 with KB952876. AnyConnect requires a clean install if you upgrade from Windows XP to Windows Vista.
  • Windows XP SP2 and SP3.

It also says that, separately from the OS, the browser matters: "64-bit Internet Explorer Not Supported. AnyConnect installation via WebLaunch does not support 64-bit versions of Internet Explorer. Please instruct users of x64 (64-bit) Windows versions supported by AnyConnect to use the 32-bit version of Internet Explorer or Firefox to install WebLaunch. (At this time, Firefox is available only in a 32-bit version.)"

AnyConnect and Windows 8

  • Tony Wan about myVPN.ubc.ca and AnyConnect on Windows 8:
    • “AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.”
    • Cisco support tells people to use v3.0MR8 or 3.1 of the client (plus some kind of workaround), but UBC’s default installation client is 2.5.3054.
  • Mike Ward wrote to SNAG 2012-10-30: I found a workaround that worked for the AnyConnect client: http://msitpros.com/?p=1204

Download instructions: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998351 (requires Cisco account and service contract)

PopData download: https://download.popdata.bc.ca/anyconnect-win-3.1.01065-pre-deploy-k9.msi (beta version 2013-01)

AnyConnect and MacOsX 10.13 "Mountain Lion" and 10.14 "Mojave"

  • AnyConnect 4.5 (2018) triggers in macOS 10.14 "Mojave" the message "'Cisco AnyConnect Secure Mobility Client.app' is not optimized for your Mac and needs to be updated."
  • support.apple.com says a 32-bit app can still run without problems for now (probably until the next major macOS release in 2019).
  • Need to get a newer version of AnyConnect installer.

VPN Troubleshooting

AnyConnect troubleshooting

Connecting from PopData

Instead of "access.popdata.bc.ca", connect to local gateway. Ex: gw-phloClnt.popdata.bc.ca

VPN log troubleshooting

Distinguish between AnyConnect and Browser connections:

  • /var/lib/vpn/user-logins.txt : one line per successful connection. Look for "Browser" instead of internal IP.
  • /var/lib/vpn/vpn-session-logs/YYYY/YYYY-MM-DD : raw firewall log, filtered on known VPN event codes.
    • Look for "Connection Clientless" or "Connection Anyconnect".
    • Look for "Disconnected" for username, IP, Duration, Bytes, Reason.
    • On cabot, cd /var/lib/vpn/vpn-session-logs/2013 ; egrep "USERNAME.*(Connection|disconnected)" YYYY-MM-DD
  • 2017-12-05 nrazaz has trouble logging in to Access.popdata.bc.ca with AnyConnect. See OTRS #2017120510000034
    • Nothing appears in /var/lib/vpn/* , but many zero-second TCP connections in pd-fw log.
      Dec 5 20:07:17 pd-fw %ASA-6-302014: Teardown TCP connection 1117025914 for outside:50.92.189.18/61409 to identity:137.82.131.69/443 duration 0:00:00 bytes 9964 TCP FINs
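As an added example (not a script from this wiki), the Python equivalent of the egrep above, extended to flag the symptom the McAfee and re-install sections below describe (sessions of a few seconds ending "Reason: User Requested") and the zero-second TCP teardowns seen in the raw pd-fw log. Sample lines are constructed; the disconnect record wording is Cisco's standard %ASA-4-113019 message, assumed here to be what the extract's "Disconnected" lines look like.

```python
import re
from datetime import timedelta

# Constructed sample of /var/lib/vpn/vpn-session-logs/YYYY/YYYY-MM-DD lines (plus one
# %ASA-6-302014 teardown from the raw pd-fw log). Wording follows Cisco's 113019 and
# 302014 messages; usernames and client addresses are made up.
SAMPLE_LOG = """\
Dec 5 09:12:01 pd-fw %ASA-4-113019: Group = sre-vpn-tunnel, Username = alice, IP = 203.0.113.7, Session disconnected. Session Type: SSL, Duration: 2h:13m:41s, Bytes xmt: 91833100, Bytes rcv: 4021944, Reason: Idle Timeout
Dec 5 09:30:44 pd-fw %ASA-4-113019: Group = sre-vpn-tunnel, Username = bob, IP = 198.51.100.9, Session disconnected. Session Type: SSL, Duration: 0h:00m:03s, Bytes xmt: 2144, Bytes rcv: 1088, Reason: User Requested
Dec 5 09:31:10 pd-fw %ASA-4-113019: Group = sre-vpn-tunnel, Username = bob, IP = 198.51.100.9, Session disconnected. Session Type: SSL, Duration: 0h:00m:02s, Bytes xmt: 2144, Bytes rcv: 1088, Reason: User Requested
Dec 5 20:07:17 pd-fw %ASA-6-302014: Teardown TCP connection 1117025914 for outside:198.51.100.21/61409 to identity:137.82.131.69/443 duration 0:00:00 bytes 9964 TCP FINs
"""

DISCONNECT_RE = re.compile(
    r"%ASA-4-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\. Session Type: (?P<stype>[^,]+), "
    r"Duration: (?P<duration>[^,]+), Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), "
    r"Reason: (?P<reason>.+)$")
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection \d+ for outside:(?P<ip>[\d.]+)/\d+ "
    r"to \S+/443 duration (?P<duration>\S+) bytes (?P<bytes>\d+)")

def parse_duration(text):
    """Accept both '0h:00m:04s' (113019) and '0:00:00' (302014) duration formats."""
    h, m, s = (int(part.rstrip("hms")) for part in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)

def disconnects(log, user=None):
    """The 'disconnected' half of the egrep: 113019 records, optionally for one user."""
    out = []
    for line in log.splitlines():
        m = DISCONNECT_RE.search(line)
        if m and (user is None or m["user"] == user):
            rec = m.groupdict()
            rec["duration"] = parse_duration(rec["duration"])
            out.append(rec)
    return out

def short_user_requested(log, max_seconds=10):
    """The AV/firewall symptom: sessions lasting only seconds that end 'User Requested'."""
    return [r for r in disconnects(log)
            if r["reason"] == "User Requested" and r["duration"].total_seconds() <= max_seconds]

def zero_second_teardowns(log):
    """Client IPs whose TLS connection to port 443 was torn down after 0 seconds."""
    return [m["ip"] for m in map(TEARDOWN_RE.search, log.splitlines())
            if m and parse_duration(m["duration"]).total_seconds() == 0]
```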

Incompatibility McAfee / AnyConnect

Incompatibility with "McAfee SecurityCenter" ("Shaw Secure" https://community.shaw.ca/docs/DOC-1077) for Amanda in 2011(?), fixed by turning off McAfee (I think permanently). Presumably the security add-on notices AnyConnect making system changes (such as routing and DNS) and shuts it down. Obviously turning off security is not a good idea.

Symptom: vpn-session-logs (see above for egrep) shows duration of a few seconds and "Reason: User Requested".

https://supportforums.cisco.com/thread/2026601

  • [...] user resolved the issue by unchecking the "Use Access Protection" (see below) box and disabling the real-time scanner for the first connection attempt.

https://community.mcafee.com/thread/36611

  • [...] I uninstalled the Cisco VPN client, then uninstalled McAfee, then reinstalled the VPN client, then reinstalled McAfee

http://www.cisco.com/image/gif/paws/100597/anyconnect-vpn-troubleshooting.pdf

  • In order to resolve this issue, disable all the features of the personal firewall/AV. Then, make a small change on the AnyConnect virtual adapter and try to re−connect the AnyConnect. For more information, refer to Cisco bug IDs CSCsj91840 (registered customers only) and CSCti16453 (registered customers only).

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac08managemonitortbs.html

  • Nothing useful, may be generally interesting

Re-install sometimes fixes zero-second connection problem

A customer who suffered from connections that were successful but closed in less than a second said "Yahoo! I uninstalled and reinstalled and was able to connect this morning. A Norton icon came up to say the site was safe and I don't think that icon came up when I first installed." https://otrs.popdata.bc.ca/index.pl?Action=AgentTicketZoom;TicketID=1779#7306

  • On the other hand, in the case of Sadra Marquis the success lasted only for a single session.
  • Removing Norton "360" completely did not help immediately, re-install of AnyConnect stopped with error "VPN client agent was unable to create the interprocess communication depot". Second re-install was successful and so far gave 1 connection.
  • That error message appears at http://its.uiowa.edu/support/article/3723 with the advice: "Clear the Allow other network users to connect through this computer’s Internet connection checkbox "

Windows "VPN client driver encountered an error"

Windows troubleshooting

  • Docs from Cisco: at www.cisco.com, search for "Anyconnect Troubleshooting log file"
  • http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac12managemonitortbs.html
    • Original install and boot-time start: look for setupapi*.log in \Windows or \Windows\inf
    • If this is an initial web deployment install, the log file is located in the per-user temp directory: %TEMP%\anyconnect-win-2.X.xxxx-k9-install-yyyyyyyyyyyyyy.log. If an upgrade was pushed from the optimal gateway, the log file is in the following location: %WINDIR%\TEMP\anyconnect-win-2.X.xxxx-k9-install-yyyyyyyyyyyyyy.log
    • On the client PC, get the Cisco AnyConnect VPN client log from the Windows Event Viewer.
      • Choose Start > Search ("Run" in Windows XP) and type in: eventvwr.msc
      • In "Event Viewer" application's left sidebar, click to expand "Application and Service Logs" then select "Cisco AnyConnect..." (Windows Vista and Win7)
      • Optionally restrict to a recent time range: on right sidebar click "Filter Current Log"; change the "Logged:" entry from "Anytime" (which might go back months) to a more reasonable relevant range such as "Last 24 hours". On the other hand we can cope with a large file if you don't restrict by date.
      • Choose "Save Log File As..."; select type "Text (tab delimited)"; choose a folder such as "My Documents"; type in a file name such as "Marquis-anyconnect-2013-10-31"
    • A better way to collect logs from client windows machines is DART (Cisco AnyConnect Diagnostic and Reporting Tool) from Cisco
      • http://download.popdata.bc.ca/anyconnect-dart-win-3.1.04072-k9.msi ; install
      • The DART wizard runs on the computer that runs AnyConnect Client. DART assembles the logs, status, and diagnostic information for Cisco Technical Assistance Center (TAC) analysis. DART does not require administrator privileges.
      • Menu START=>All Programs=>Cisco=>Cisco Anyconnect Secure Mobility Client=>Cisco AnyConnect Diagnostics ... ; agree to terms; select "Default" for location of "bundle" (archive of log reports: DARTBundle_MMDD_HHMM.zip ; about 3 minutes, 4MB); when done, it offers to email the bundle.
      • Note that DART produces a report of all applications and drivers on the system, a list of currently running processes.
  • 2017-01: Trying to install AnyConnect on Windows 7, a user got "There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected." The fix was to re-install Windows 7. Ticket#2017012510000044.

Logs

  • Daily VPN logs on Cabot: full log at /home/logs/YYYY-MM-DD/pd-fw/local4 (500M/day); relevant extract at /var/lib/vpn/vpn-session-logs/YYYY/YYYY-MM-DD.
  • see Services/yubikey for RADIUS logs on Cabot, especially for failed logins. VPN yubikey logins authenticate via RADIUS service on Champlain, which in turn uses LDAP.
    • 2017-12-12: the November 6 system update on Champlain made "loginShell" required for RADIUS authentication; it was missing on account "nrazaz", created in 2008.

Network Reconnection

  • Sometimes AnyConnect detects that a network connection broke for a while then repaired itself.
    • The original session says
      •  %ASA-5-722033: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <142.36.203.188> First TCP SVC connection established for SVC session.
      •  %ASA-6-722022: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <142.36.203.188> TCP SVC connection established without compression
      •  %ASA-4-722051: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <142.36.203.188> IPv4 Address <10.80.19.123> IPv6 address <::> assigned to session
    • For reconnections, only the last 2 of these lines are logged. The user at the client end might see a fleeting AnyConnect pop-up saying something like "reconnecting, re-authentication not required".

Log interpretation

  • [AnyConnect group=sre-yubi success]
     %ASA-6-113004: AAA user authentication Successful : server = 10.80.20.80 : user = dlaplante
     %ASA-6-113004: AAA user authorization Successful : server = 10.80.20.80 : user = dlaplante
     %ASA-6-113009: AAA retrieved default group policy (sre-vpn-tunnel) for user = dlaplante
  • [AnyConnect group=sreyubi YubiKey missing in PDS OR wrong password OR YubiKey not tapped]
     %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.80.20.80 : user = *****

See also Services/yubikey
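As an added example, not a script from this wiki, the interpretation above and the rule from the Network Reconnection section turned into code: it reads the lines in order, reports AAA results, and treats a 722051 address assignment that is not preceded by a fresh 722033 as a reconnection, also noting when the reconnection arrives from a different public IP (the concern raised under Profile Options below). The sample log is constructed from the message wording quoted on this page; users and addresses are made up.

```python
import re

# Constructed sample of pd-fw ASA lines in the wording quoted on this page; users and
# addresses are made up. The second hchen14 722022/722051 pair has no 722033 before it.
SAMPLE_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 10.80.20.80 : user = dlaplante
%ASA-6-113004: AAA user authorization Successful : server = 10.80.20.80 : user = dlaplante
%ASA-5-722033: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <192.0.2.10> First TCP SVC connection established for SVC session.
%ASA-6-722022: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <192.0.2.10> TCP SVC connection established without compression
%ASA-4-722051: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <192.0.2.10> IPv4 Address <10.80.19.123> IPv6 address <::> assigned to session
%ASA-6-722022: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <198.51.100.4> TCP SVC connection established without compression
%ASA-4-722051: Group <GroupPolicy_srtl-vpn> User <hchen14> IP <198.51.100.4> IPv4 Address <10.80.19.123> IPv6 address <::> assigned to session
%ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 10.80.20.80 : user = *****
"""

MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<body>.*)")
AAA_RE = re.compile(r"server = (?P<server>\S+) : user = (?P<user>\S+)")
SVC_RE = re.compile(r"User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")

def interpret(log):
    """Walk the lines in order and return (kind, user, detail) findings."""
    findings, last_ip, pending = [], {}, set()
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg_id, body = m["id"], m["body"]
        if msg_id == "113004" and "authentication Successful" in body:
            aaa = AAA_RE.search(body)
            findings.append(("auth-ok", aaa["user"], aaa["server"]))
        elif msg_id == "113005":  # user is masked as *****; the RADIUS log on Champlain names it
            findings.append(("auth-rejected", AAA_RE.search(body)["user"], body.split(" : ")[1]))
        elif msg_id in ("722033", "722051"):
            svc = SVC_RE.search(body)
            user, ip = svc["user"], svc["ip"]
            if msg_id == "722033":            # logged only for a brand-new session
                pending.add(user)
                findings.append(("session-start", user, ip))
            elif user in pending:             # first address assignment of that new session
                pending.discard(user)
                findings.append(("address-assigned", user, ip))
            else:                             # 722051 with no fresh 722033: a reconnection
                findings.append(("reconnect", user, (last_ip.get(user), ip)))
            last_ip[user] = ip
    return findings

def ip_changing_reconnects(log):
    """Reconnections whose public IP differs from the one the session last used."""
    return [(user, *detail) for kind, user, detail in interpret(log)
            if kind == "reconnect" and detail[0] != detail[1]]
```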

Profile Options

Block reconnecting from different IP

  • The default is to allow reconnection within the idle/disconnected timeout, even after many hours and from a different IP address (e.g. a different country).
    • Apparently there is no option to forbid a change of IP, but the client can at least be made to disconnect permanently on sleep.
  • See the Cisco AnyConnect .. Client Administrator Guide.
  • Look up AutoReconnect:
    • DisconnectOnSuspend
    • ReconnectAfterResume (default)

Country Restriction

scanvpn.pl and loginv3.pl

  • Enforcement of the country restriction is based on:
    1. scanvpn.pl notifies PDS Software-sys-maintenance#PDS_tracking_of_VPN_addresses_and_country
    2. loginv3.py just after login disconnects based on report by PDS of country. A list of exceptions specify allowed combinations of login and country.
    • check-sre-vpn-foreign-hourly.py (cron on cabot) parses /var/lib/vpn/user-logins.txt , with list of exceptions by user, and emails it@popdata...

The entries below are suspected of being obsolete

Installing the Linux VPN Client

  • Unpack the vpnclient and compile. You will need the configured kernel source for the running kernel.
tar xvf vpnclient-linux-x86_64-4.8.00.0490-k9.tar.gz
cd vpnclient
./vpn_install
  • Configure the client. cp /etc/opt/cisco-vpnclient/Profiles/sample.pcf /etc/opt/cisco-vpnclient/Profiles/phlo.pcf
  • Edit the phlo.pcf file to look something like this, replacing LOGIN-NAME and THE-SHARED-SECRET with the appropriate values.
Host=137.82.131.69
AuthType=1
GroupName=admin-tunnel
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=LOGIN-NAME
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
UserPassword=
enc_UserPassword=
GroupPwd=THE-SHARED-SECRET
enc_GroupPwd=
ISPPhonebook=
NTDomain=
EnableMSLogon=1
MSLogonType=0
TunnelingMode=0
TcpTunnelingPort=10000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0
  • start the vpn daemon: /etc/init.d/vpnclient_init
  • connect to the vpn: vpnclient connect phlo

Installing the Windows VPN Client

  • double click on the vpnclient package 5.0.00.0340-IS.exe and unpack it.
  • run the installer (it unpacks to two files, a README and vpnclient-win-is-5.0.00.0340-k9.exe, double click on that file to unpack the rest, the installation begins automatically)
  • accept all the defaults for the installer
  • allow your computer to restart
  • start the vpnclient
  • click on New icon
  • Fill in the fields:
    • Connection Entry: IMU
    • Description: Super Good IMU VPN
    • Host: 137.82.131.69
    • Group Authentication
    • Name: phlo-imu-tunnel
    • Password: PHLO_was_here (this is not really a password, more like a shared key)
    • Confirm Password: PHLO_was_here
    • Save
  • double click on the new connection
  • enter your name
  • and securid (PIN + 6 digits) for password