Cisco Meraki Documentation

Cisco Secure Connect - Troubleshooting Remote VPN Access

Issues with Establishing a VPN Connection 

For any issue with VPN connection establishment, check the logs on the VPN client.

  • Open Secure Client and select Statistics

“Establishing VPN”… and eventually the connection fails 

The SSL VPN connection is likely being blocked by an upstream device. To confirm, have the user run DART, then review the log file in the Secure Mobility Client directory for timeout messages that follow the “Establishing VPN” messages. If possible, try an alternate network connection.

References: Collect DART Bundle for Secure Client
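
The log review described above can be scripted. The following is an added example, not Cisco code: the sample lines are constructed for illustration and do not reproduce the real Secure Client log layout, so adjust the patterns to the log file taken from the DART bundle.

```python
import re

# Constructed sample lines for illustration only; real Secure Client logs
# inside a DART bundle use a different layout.
SAMPLE_LOG = """\
2024-07-10 19:08:01 Contacting vpn.example.com.
2024-07-10 19:08:05 Establishing VPN session...
2024-07-10 19:08:06 Establishing VPN - Initiating connection...
2024-07-10 19:08:36 Connection attempt has timed out. Please verify Internet connectivity.
2024-07-10 19:09:02 Establishing VPN session...
2024-07-10 19:09:04 Connected to vpn.example.com.
"""

ESTABLISHING = re.compile(r"establishing vpn", re.IGNORECASE)
TIMEOUT = re.compile(r"timed?[ -]?out", re.IGNORECASE)  # timeout, timed out, time-out
CONNECTED = re.compile(r"\bconnected to\b", re.IGNORECASE)


def find_stalled_attempts(lines):
    """Return (start_line, timeout_line, text) for every attempt in which a
    timeout follows "Establishing VPN" before a successful connection."""
    findings = []
    attempt_start = None  # line number where the current attempt began
    for number, line in enumerate(lines, start=1):
        if ESTABLISHING.search(line):
            if attempt_start is None:
                attempt_start = number
        elif attempt_start is not None and TIMEOUT.search(line):
            findings.append((attempt_start, number, line.strip()))
            attempt_start = None
        elif CONNECTED.search(line):
            attempt_start = None  # attempt succeeded, nothing to report
    return findings


if __name__ == "__main__":
    for start, hit, text in find_stalled_attempts(SAMPLE_LOG.splitlines()):
        print(f"attempt starting at line {start} timed out at line {hit}: {text}")
```

A timeout that is not preceded by “Establishing VPN” is ignored, which keeps unrelated timeouts in the same file out of the result.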

User is not assigned to this application

• SCIM may not be configured properly. Verify or configure SCIM as described in the documentation.

• There may be an API key mismatch. To reset the API keys between Umbrella and the IdP, navigate to Secure Connect > License and API Keys > Umbrella SCIM IdP credentials > Replace API credentials, or to Umbrella Dashboard > Admin > API Keys.

• User Groups may not be enabled in IdP. Verify IdP configuration.

 

Group membership entitlements

This error means the user is denied access to the VPN. This occurs when the user attempting to connect does not belong to a group that is authorized for remote access. Navigate to Secure Connect > Users and note if Remote Access is turned Off.

 

The resolution is to enable the user and/or group for remote access. Navigate to Umbrella’s Deployments > Remote Access > Settings > Assign Users & Groups and select the users and/or groups that need to access the organization over VPN.

IDP for Organization cannot be found

A SAML IdP is not configured for the Umbrella org. Configure a SAML IdP as described in the documentation and the SAML Configuration Guide.

 

The signed in user is not assigned to a role for the application

The user account is valid, but the user is not authorized for the service.

  • Check the SAML configuration on the IDP 

  • Check the Identity Provider’s user and group permissions set for the account in question 

 

VPN establishment capability for a remote user is disabled

This error occurs when the user is logged on to a computer remotely using RDP (Remote Desktop). Secure Client blocks this by default, but it can optionally be enabled. Navigate to Secure Connect > Remote Access > Secure Client > VPN establishment for RDP and select Allow Remote Users.

I can't access my local network services while I'm connected

This happens when Local LAN access is not enabled. Verify that Local LAN is checked for the Secure Client. Navigate to Secure Connect > Remote Access > Traffic Steering.

Note: This feature is controlled by the headend (Umbrella). See About Traffic Selection for more details.

 

Posture Failure

The user is not able to connect using VPN because of a compliance failure.

Select Open Browser to find out which compliance requirement is failing. The user or admin must fix all posture requirements before the client can connect. More information is available in Deploy Cisco Secure Client.

 

Malformatted pop-up with Internet Explorer

The end user sees a malformatted pop-up on a connection attempt, and the prompt for user authentication is not shown. This occurs when Compatibility Mode is enabled in Internet Explorer. The resolution is to uncheck Display intranet sites in Compatibility View Settings.

 

Unable to request IP

This occurs when the remote access address pool is exhausted. Increase the address pool size. Navigate to Secure Connect > Remote Access > Regions > Configure Regions and increase the IP address range pool sizes. Make sure there are no overlapping networks in the organization.
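
Before enlarging a pool, the overlap requirement can be checked offline. The following is an added example, not part of the Cisco documentation: the network names and address ranges in PLAN are hypothetical and constructed for illustration, and stand in for the remote access pools and the other networks in the organization.

```python
import ipaddress
from itertools import combinations

# Constructed plan: names and ranges are hypothetical, not from any real org.
PLAN = {
    "ra-pool-region-1": "10.100.0.0/24",
    "ra-pool-region-2": "10.100.1.0/24",
    "branch-lan": "10.100.1.128/25",
    "datacenter": "172.16.0.0/16",
}


def find_overlaps(plan):
    """Return (name_a, name_b) pairs, sorted by name, whose CIDR ranges overlap."""
    # strict=True rejects entries with host bits set, e.g. 10.100.0.5/24
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in plan.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2)
        if net_a.version == net_b.version and net_a.overlaps(net_b)
    ]


def conflicts_if_resized(plan, pool_name, new_cidr):
    """Names of networks that would overlap pool_name if it were changed to new_cidr."""
    candidate = {**plan, pool_name: new_cidr}
    return sorted(
        other
        for pair in find_overlaps(candidate) if pool_name in pair
        for other in pair if other != pool_name
    )


if __name__ == "__main__":
    print("existing overlaps:", find_overlaps(PLAN))
    for proposal in ("10.100.0.0/23", "10.101.0.0/23"):
        size = ipaddress.ip_network(proposal).num_addresses
        clashes = conflicts_if_resized(PLAN, "ra-pool-region-1", proposal)
        print(f"{proposal} ({size} addresses): conflicts={clashes}")
```

In this constructed plan, growing the first pool in place to a /23 collides with two existing networks, while moving it to an unused /23 doubles the pool with no conflicts.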

Umbrella is inactive

The “Umbrella is inactive” message is seen if no Roaming Module profile is installed. This doesn't affect VPN operations, but the end device is not protected while it is off the company network.

To get the roaming profile, navigate to Secure Connect > Remote Access > Downloads.

 

 

Download the required OrgInfo.json file and copy it to the following location:

  • Windows: “%ProgramData%\Cisco\Cisco Secure Client\Umbrella\”
  • macOS: “/opt/cisco/secureclient/umbrella/”

 

Remote user not able to access local application

By default, Cloud Firewall has a private rule that denies all traffic. If remote users need to communicate with other internal company resources, a firewall allow rule must be created.

Navigate to Secure Connect > Cloud Firewall and add a Private app and network rule to allow remote access users or groups to access the required company resources.

In the documented example, the user group named Doctors is allowed to access all applications in the Medical Applications group.