08-25-2021 03:19 AM
When logging into Cisco AnyConnect VPN, the following prompt appears: "Login denied. Your environment does not meet the access criteria defined by your administrator."
After trying various methods, it cannot be solved:
Then we uninstalled Traps - 7.2.2 from the machine, and the SSL-VPN started to work.
I mean the Traps uninstall made the VPN work.
09-05-2021 06:37 AM - edited 09-05-2021 06:37 AM
Thank you for the post, and sorry to hear you are facing this issue.
As per the official Cisco Release Note, there is no known compatibility issue between AnyConnect and Traps: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect49/administration/gui... However, Cisco recommends excluding the below folders from any 3rd party security product:
C:\Users\<user>\AppData\Local\Cisco
C:\ProgramData\Cisco
C:\Program Files (x86)\Cisco
In case you are using the Hostscan module for posture check, please also exclude the below processes:
cscan.exe
ciscod.exe
cstub.exe
Here is the official guide: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/rel...
Could you please try to apply an application whitelist for the above folders and processes in Traps? In case it does not resolve the issue, I would recommend collecting more logs to understand the root cause of this issue.
Could you please collect a DART bundle from the affected machine? Here is the manual on how to collect DART: https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p...
Once the DART bundle is generated, you will find it on the desktop. Please extract it, navigate to the folder "Cisco AnyConnect Secure Mobility Client" and open "AnyConnect.txt". In this file you will see all AnyConnect client logs, including the error you reported. Please look for any log entries before this error was generated.
If DART does not provide any clue, I would recommend collecting logs from your VPN HeadEnd. If you are using ASA, then please run the below debugs while the client having the issue tries to connect:
debug ldap 255
debug webvpn anyconnect 255
debug dap trace 255
The above debug commands provide a lot of output. In case there are several users connecting at the same time, the output might be hard to read, therefore I recommend logging the session to a text file and ideally running it outside of peak hours, when fewer users are connecting. After you complete the log collection, please issue "u all" to cancel all debugs.
If neither DART nor the debugs on the VPN HeadEnd side provide enough information to understand what exactly Traps is doing to cause this issue, please let me know. There are still a few more things left to drill down into this issue.
I hope this helps and good luck!
Kind Regards
Pavel
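The log review described in the reply above (find the error in "AnyConnect.txt" and read the entries that precede it) can be scripted. This is an added example, not part of the original reply or of any Cisco or Palo Alto tooling; the sample log lines are constructed, their layout is an assumption, and the function name `triage` is hypothetical.

```python
from collections import deque

# Error text quoted in the question above (compared case-insensitively).
ERROR_MARKER = "your environment does not meet the access criteria"
# Hostscan processes and Cisco folders named in the reply above.
WATCH = ("cscan.exe", "ciscod.exe", "cstub.exe", r"\appdata\local\cisco",
         r"c:\programdata\cisco", r"c:\program files (x86)\cisco")

def triage(lines, before=5):
    """For each occurrence of the error, return its line number, the `before`
    lines preceding it, and those preceding lines that mention a WATCH name."""
    window = deque(maxlen=before)   # rolling buffer of (line_no, text)
    hits = []
    for number, raw in enumerate(lines, start=1):
        text = raw.rstrip("\r\n")
        if ERROR_MARKER in text.lower():
            context = list(window)
            flagged = [(n, t) for n, t in context
                       if any(w in t.lower() for w in WATCH)]
            hits.append({"line": number, "context": context, "flagged": flagged})
        window.append((number, text))
    return hits

# Constructed sample lines; a real AnyConnect.txt will be laid out differently.
SAMPLE = [
    "10:01:02 Info: Posture assessment started",
    "10:01:03 Info: Launching cscan.exe",
    "10:01:04 Error: cscan.exe exited unexpectedly",
    "10:01:05 Info: Posture report sent",
    "10:01:06 Error: Login denied. Your environment does not meet the "
    "access criteria defined by your administrator.",
    "10:01:07 Info: Connection attempt ended",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # path to the extracted AnyConnect.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.readlines()
    else:
        source = SAMPLE
    for hit in triage(source):
        print(f"error at line {hit['line']}")
        for n, t in hit["context"]:
            mark = "*" if (n, t) in hit["flagged"] else " "
            print(f" {mark} {n}: {t}")
```

Lines marked with `*` mention one of the Hostscan processes or Cisco folders and are the first entries to compare against the endpoint security product's own event log for the same timestamps.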