Hello, I am running Cisco AnyConnect Secure Mobility Client (version 3.1.04072). In my production environment, I have a Cisco 5515 firewall and I am running the Multifactor authentication server on a DC behind the firewall. When I run the client and enter my domain credentials, my phone does start to ring in a few seconds. However, before I can click the # key the VPN client already tells me 'the connection attempt has failed'. When I look in the logs, I see the following:

Got Response.
2015-11-11T18:05Z 0 2780 7020 pfAuth authenticated = true
2015-11-11T18:05Z i 2780 7020 pfsvc Pfauth succeeded for user 'jdtest' from 71.16.60.51. Call status: SUCCESS_NO_PIN - 'Only # Entered'.
I believe I have my own answer, and that the AnyConnect client install failure is unrelated to the recent changes on the ASA, but results from Cisco revoking the signature on their Java applet. Turning the Java log/debugger on in the client. Currently, the NAM module on the AnyConnect 3.0 product replaces the Cisco Secure Services Client (CSSC). Refer to Network Access Manager (Replacement for CSSC) for more information. There is no current plan to enable NAM to support the Mac OS X platform. Unable to Upgrade Firefox while AnyConnect is Installed on Mac.
2015-11-11T18:01Z 0 2780 324 pfAuth Got Response.
2015-11-11T18:01Z 0 2780 324 pfAuth authenticated = false
2015-11-11T18:01Z i 2780 324 pfsvc Pfauth failed for user 'jdtest' from 71.16.60.51. Call status: FAILED_PHONE_BUSY - 'Auth Already In Progress'.

I did some research on 'auth already in progress' and found a link stating: 'Multi-Factor Authentication is already processing an authentication for this user. This is often caused by RADIUS clients that send multiple authentication requests during the same sign on.'
Is anybody familiar with this error and what the correct radius configuration for the ASA Firewall should be? Please advise, Thank you for your time.
There are a couple of things you should do:
1. The AnyConnect client has a default timeout of 12 seconds. You will need to update the Authentication Timeout in the AnyConnect client profile to be something longer such as 45-60 seconds.
2. It sounds like the ASA is sending multiple RADIUS requests to the MFA Server before receiving a response from the first request. Make sure you have configured an appropriate 45-60 second timeout in the ASA's RADIUS settings. Also, you can go into the MFA Management Portal and configure a short cache. 15 seconds should be sufficient.
Cisco ASA should be providing the client IP in attribute 66 of the RADIUS request so you should be OK creating the cache for 'User, Authentication Type, Application Name, IP' which is the most secure. That way, after the MFA for the first request succeeds, the additional requests that have come from the ASA will also receive a successful response due to 'Used cache' instead of a denial due to 'Auth already in progress'. That way, if the ASA is only listening for a response to the last request it sent and no longer listening for a response to the first request, it will get a success and allow the connection to complete.
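
An added example, not part of the original thread: a small Python check that reads pfsvc lines in the format quoted in the question and separates 'Auth Already In Progress' rejections that look like repeated RADIUS requests (same user and source IP as a nearby success) from ones that deserve a closer look. The sample log is constructed (the `asmith` line is invented), and the 5-minute window and the label names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the pfsvc format quoted in the question.
# The third line (asmith, documentation address) is invented for the example.
SAMPLE_LOG = """\
2015-11-11T18:01Z i 2780 324 pfsvc Pfauth failed for user 'jdtest' from 71.16.60.51. Call status: FAILED_PHONE_BUSY - 'Auth Already In Progress'.
2015-11-11T18:05Z i 2780 7020 pfsvc Pfauth succeeded for user 'jdtest' from 71.16.60.51. Call status: SUCCESS_NO_PIN - 'Only # Entered'.
2015-11-11T18:09Z i 2780 412 pfsvc Pfauth failed for user 'asmith' from 198.51.100.7. Call status: FAILED_PHONE_BUSY - 'Auth Already In Progress'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\dZ) \S+ \d+ \d+ pfsvc "
    r"Pfauth (?P<result>succeeded|failed) for user '(?P<user>[^']*)' "
    r"from (?P<ip>\S+)\. Call status: (?P<status>\w+)"
)

def parse(log_text):
    """Return one dict per pfsvc result line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # pfAuth lines, truncated entries, unrelated text
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%MZ")
        events.append(ev)
    return events

def classify_busy(events, window=timedelta(minutes=5)):
    """Label each FAILED_PHONE_BUSY event.

    duplicate_request: the same user and source IP also has a success
                       within the window (consistent with RADIUS retries).
    review:            no matching success from that user and IP.
    """
    successes = [e for e in events if e["result"] == "succeeded"]
    findings = []
    for e in events:
        if e["status"] != "FAILED_PHONE_BUSY":
            continue
        matched = any(
            s["user"] == e["user"] and s["ip"] == e["ip"]
            and abs(s["ts"] - e["ts"]) <= window
            for s in successes
        )
        label = "duplicate_request" if matched else "review"
        findings.append((e["user"], e["ip"], label))
    return findings

if __name__ == "__main__":
    for finding in classify_busy(parse(SAMPLE_LOG)):
        print(*finding)
```

The log timestamps only have minute resolution, so the window cannot be set as tightly as the 15-second cache or the 45-60 second timeouts discussed in the answer.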