Cisco Secure Connect - Troubleshooting Remote VPN Access
Issues with Establishing a VPN Connection
For any issue with VPN connection establishment, check the logs on the VPN client.
- Open Secure Client and select Statistics.
- Navigate to the Message History tab and review the logs. Reference: Troubleshooting Secure Connect
“Establishing VPN”… and eventually the connection fails
The SSL VPN connection is most likely being blocked by an upstream device. To confirm, have the user run DART and review the log file in the Secure Mobility Client directory for timeout messages following the “Establishing VPN” messages. If possible, try an alternate network connection.
References: Collect DART Bundle for Secure Client
User is not assigned to this application
• SCIM may not be configured properly. Verify or correct the SCIM configuration as described in the documentation.
• There may be an API key mismatch. To reset the API keys between Umbrella and the IdP, navigate to Secure Connect > License and API Keys > Umbrella SCIM IdP credentials > Replace API credentials OR Umbrella Dashboard > Admin > API Keys.
• User Groups may not be enabled in the IdP. Verify the IdP configuration.
Group membership entitlements
This error means the user is denied access to the VPN. It occurs when the user attempting to connect does not belong to a group that is authorized for remote access. Navigate to Secure Connect > Users and check whether Remote Access is turned Off for the user.
Resolution is to enable the user and/or group for remote access. Navigate to Umbrella’s Deployments > Remote Access > Settings > Assign Users & Groups and select the users and/or groups that require VPN access to the organization.
IDP for Organization cannot be found
No SAML IDP is configured for the Umbrella org. Configure a SAML IDP as described in the documentation and the SAML Configuration Guide.
The signed in user is not assigned to a role for the application
The user account is valid, but the user is not authorized for the service.
- Check the SAML configuration on the IDP.
- Check the Identity Provider’s user and group permissions set for the account in question.
VPN establishment capability for a remote user is disabled
This error occurs when the user is logged on to the computer remotely using RDP (Remote Desktop). Secure Client blocks VPN establishment from RDP sessions by default, but this can optionally be enabled. Navigate to Secure Connect > Remote Access > Secure Client > VPN establishment for RDP and select Allow Remote Users.
I can't access my local network services while I'm connected
This occurs when Local LAN access is not enabled. Verify that Local LAN access is checked for Secure Client. Navigate to Secure Connect > Remote Access > Traffic Steering.
Note: This feature is controlled by the headend (Umbrella). See About Traffic Selection for more details.
Posture Failure
The user is unable to connect using VPN because of a posture (compliance) failure.
Select Open Browser to find out which compliance check is failing. The user or admin must fix all posture requirements before the client can connect. More info at Deploy Cisco Secure Client.
Malformed pop-up with Internet Explorer
The end user sees a malformed pop-up upon the connection attempt, and the prompt for user authentication is not shown. This occurs when Compatibility Mode is enabled in Internet Explorer. Resolution is to uncheck Display intranet sites in Compatibility View Settings.
Unable to request IP
This occurs when the remote access address pool is exhausted. Increase the address pool size: navigate to Secure Connect > Remote Access > Regions > Configure Regions and increase the IP address range pool sizes. Make sure there are no overlapping networks in the organization.
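A quick sanity check an admin can run before resizing pools, as an added example that is not part of the original document or any Cisco tooling: it flags region pools that overlap each other or an internal network and reports whether each pool can hold the expected peak of concurrent users. The region names, prefixes and the "two addresses reserved per pool" rule are assumptions; substitute the values from your own Configure Regions page.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (hypothetical, not from a real deployment):
# remote-access address pools per Secure Connect region and the
# organization's existing internal networks.
REGION_POOLS = {
    "us-east": "10.200.0.0/24",
    "us-west": "10.200.1.0/24",
    "eu-central": "10.10.0.0/24",   # constructed to overlap with hq-lan below
}
INTERNAL_NETWORKS = {
    "hq-lan": "10.10.0.0/16",
    "dc-servers": "10.50.0.0/16",
}

def find_overlaps(pools, networks):
    """Return (label_a, label_b) pairs whose prefixes overlap.

    Checks pool-vs-pool and pool-vs-internal-network. Internal networks
    that overlap each other are a LAN design question, not a VPN pool
    problem, so those pairs are skipped."""
    labelled = {f"pool:{k}": ipaddress.ip_network(v) for k, v in pools.items()}
    labelled.update({f"net:{k}": ipaddress.ip_network(v) for k, v in networks.items()})
    hits = []
    for (name_a, net_a), (name_b, net_b) in combinations(labelled.items(), 2):
        if name_a.startswith("net:") and name_b.startswith("net:"):
            continue
        if net_a.overlaps(net_b):
            hits.append((name_a, name_b))
    return hits

def pool_capacity(pools):
    """Usable client addresses per pool.

    Assumption: two addresses per pool are not handed to clients
    (network and broadcast); adjust if your headend reserves more."""
    return {k: ipaddress.ip_network(v).num_addresses - 2 for k, v in pools.items()}

def pools_too_small(pools, expected_peak_users):
    """Regions whose usable pool is below the expected peak of concurrent users."""
    capacity = pool_capacity(pools)
    return [k for k, n in capacity.items() if n < expected_peak_users.get(k, 0)]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(REGION_POOLS, INTERNAL_NETWORKS))
    print("capacity:", pool_capacity(REGION_POOLS))
    print("too small:", pools_too_small(REGION_POOLS, {"us-east": 300, "us-west": 100}))
```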
Umbrella is inactive
“Umbrella is inactive” is shown when no Roaming Module profile is installed. This doesn't affect VPN operations, but the end device will not be protected while off the company network.
To get the roaming profile, navigate to Secure Connect > Remote Access > Downloads.
Download the required OrgInfo.json file and copy it to the following location:
- Windows: “%ProgramData%\Cisco\Cisco Secure Client\Umbrella\”
- macOS: “/opt/cisco/secureclient/umbrella/”
Remote user not able to access local application
By default, the Cloud Firewall has a private rule that denies all traffic. If remote users need to communicate with other internal company resources, a firewall allow rule must be created.
Navigate to Secure Connect > Cloud Firewall and add a Private app and network rule that allows the remote access users or groups to reach the required company resources.
In the example below, the user group named Doctors is allowed to access all applications in the Medical Applications group.