Cisco Anyconnect VPN - captive portal detection
FIXED
Hi all
I'm new to PlusNet and trying to connect to my company VPN (via Cisco Anyconnect) for the first time, and am getting an error every time I try and connect - but the people watching things on the company side of things say nothing is getting through so I expect this is being blocked at the router level.
The error I get is:
"The service provider in your current location is restricting access to the Internet.
You need to log on with the service provider before you can establish a VPN session.
You can try this by visiting any website with your browser."
According to Cisco (https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technot...) this is related to Captive Portal Detection, which apparently relates to free wifi services in airports and such, redirecting you to a login page. This ties up with what I'm seeing in the system log:
Jul 6 11:58:50 acvpnui[69341]: An SSL VPN connection to 192.168.1.254 has been requested by the user.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 11:58:50 syslogd[49]: ASL Sender Statistics
Jul 6 11:58:50 acvpnui[69341]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 11:58:50 acvpnui[69341]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 2
Jul 6 11:58:50 acvpnui[69341]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1880 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.7551632b7a765730504f486359656f654c704d4367413d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Jul 6 11:58:50 acvpnui[69341]: Message type information sent to the user: Contacting 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Initiating VPN connection to the secure gateway https://192.168.1.254
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Jul 6 11:58:50 acvpnagent[57]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 11:58:50 acvpnagent[57]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11573 Received connect notification (host 192.168.1.254, profile N/A)
Jul 6 11:58:50 acvpnagent[57]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4814 The requested VPN connection to 192.168.1.254 is not possible at this time (Captive Portal needs to be remediated).
Jul 6 11:58:50 acvpnui[69341]: Message type warning sent to the user: Connection attempt has failed.
Jul 6 11:58:50 acvpnui[69341]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2647 Content type (unknown) received. Response type (Captive Portal detected) from 192.168.1.254: Captive Portal detected
Jul 6 11:58:50 acvpnui[69341]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5409 Attempt to connect failed when Agent detected a network issue.
Jul 6 11:58:50 acvpnui[69341]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Jul 6 11:58:50 acvpnui[69341]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2059 ConnectMgr::processIfcData failed
Jul 6 11:58:50 acvpnui[69341]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1185 Connection failed.
I can access the internet fine, and if I go the website for the VPN service I can log in fine - I just don't get prompted to log in at all. This is running on a Mac by the way. I'm pretty sure I've been able to do this before on this Mac, and definitely on the Mac I had before this on the same VPN client etc. Work assures me nobody else is having issues.
Can anyone help at all please?
Thanks 
Brian
I've checked the firewall on your account and this isn't active. Do you have a local firewall that could be causing the issue? Assuming it's not that, are you able to try with the router that you used with your previous supplier?
Hi
Thanks for getting back to me
There is a firewall on the Mac itself but turning this off made no difference - I get the same message.
I don't have the previous router I'm afraid.
Thanks,
Brian
I just noticed (while going through this with work again) that my initial trace was wrong, as it was trying to access the router. This is the actual trace when it tries to connect to the VPN server - sorry for the confusion 
Jul 6 13:54:59 acvpnui[69341]: An SSL VPN connection to https://81.138.92.XXX has been requested by the user.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 13:54:59 acvpnui[69341]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 13:54:59 acvpnui[69341]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 2
Jul 6 13:54:59 acvpnui[69341]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1880 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.7551632b7a765730504f486359656f654c704d4367413d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Jul 6 13:54:59 acvpnui[69341]: Message type information sent to the user: Contacting https://81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Initiating VPN connection to the secure gateway https://81.138.92.XXX
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: OnSocketReadComplete File: ../../vpn/Common/IP/DNSRequest.cpp Line: 1201 Invoked Function: CDNSRequest::processResponse Return Code: -29294579 (0xFE41000D) Description: DNSREQUEST_ERROR_NO_SUCH_NAME Failed to resolve [A] query https via DNS server 192.168.1.254
Jul 6 13:54:59 acvpnagent[57]: Function: testDnsAccess File: ../../vpn/Agent/NetEnvironment.cpp Line: 956 Host 81.138.92.XXX could not be resolved to an IPv4 address
Jul 6 13:54:59 acvpnagent[57]: Function: testNetwork File: ../../vpn/Agent/NetEnvironment.cpp Line: 739 Invoked Function: CNetEnvironment::testDnsAccess Return Code: -28966898 (0xFE46000E) Description: NETENVIRONMENT_ERROR_DNS_RESOLUTION_FAILED:Domain name resolution of the host targeted by the network probe has failed
Jul 6 13:54:59 acvpnagent[57]: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1417 The HTTPS probe to 81.138.92.XXX resulted in a redirect.
Jul 6 13:54:59 acvpnagent[57]: Function: VerifyCertName File: ../../vpn/CommonCrypt/Certificates/VerifyServerName.cpp Line: 150 Certificate name verification has failed. Server Name: 81.138.92.XXX Common Name(s): ciscoasa
Jul 6 13:54:59 acvpnagent[57]: Function: VerifyCertName File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1416 Invoked Function: CVerifyServerName::VerifyCertName Return Code: -31391725 (0xFE210013) Description: CERTIFICATE_ERROR_VERIFY_NAME_FAILED
Jul 6 13:54:59 acvpnagent[57]: Function: analyzeHttpResponse File: ../../vpn/Agent/NetEnvironment.cpp Line: 1586 Invoked Function: CCertHelper::VerifyServerCertificate Return Code: -31391725 (0xFE210013) Description: CERTIFICATE_ERROR_VERIFY_NAME_FAILED server name: 81.138.92.XXX
Jul 6 13:54:59 acvpnagent[57]: Server certificate validation failed with the following errors: Certificate does not match the server name.
Jul 6 13:54:59 acvpnagent[57]: Function: TestAccessToSG File: ../../vpn/Agent/NetEnvironment.cpp Line: 1292 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966897 (0xFE46000F) Description: NETENVIRONMENT_ERROR_CERT_VERIFICATION_FAILED:The server cert verification performed after the HTTPS probe has failed
Jul 6 13:55:00 com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Jul 6 13:55:01 acvpnagent[57]: Function: OnOpenRequestComplete File: ../../vpn/Common/IP/HttpProbeAsync.cpp Line: 304 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31588307 (0xFE1E002D) Description: SOCKETTRANSPORT_ERROR_CONNECT_CANCELED:An asynchronous connection has been canceled during its initiation.
Jul 6 13:55:01 acvpnagent[57]: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1431 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27066354 (0xFE63000E) Description: HTTP_PROBE_ASYNC_ERROR_CANNOT_CONNECT HTTP (host: 81.138.92.XXX)
Jul 6 13:55:01 acvpnagent[57]: Function: TestAccessToSG File: ../../vpn/Agent/NetEnvironment.cpp Line: 1384 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target
Jul 6 13:55:01 acvpnagent[57]: Function: testNetwork File: ../../vpn/Agent/NetEnvironment.cpp Line: 777 Invoked Function: CNetEnvironment::IsSGAccessible Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target
Jul 6 13:55:01 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 268 Incomplete probe count is 1
Jul 6 13:55:01 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Jul 6 13:55:01 acvpnagent[57]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 13:55:01 acvpnagent[57]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11573 Received connect notification (host https://81.138.92.XXX, profile N/A)
Jul 6 13:55:01 acvpnagent[57]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4814 The requested VPN connection to https://81.138.92.XXX is not possible at this time (Captive Portal needs to be remediated).
Jul 6 13:55:01 acvpnui[69341]: Message type warning sent to the user: Connection attempt has failed.
Jul 6 13:55:01 acvpnui[69341]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2647 Content type (unknown) received. Response type (Captive Portal detected) from 81.138.92.XXX: Captive Portal detected
Jul 6 13:55:01 acvpnui[69341]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5409 Attempt to connect failed when Agent detected a network issue.
Jul 6 13:55:01 acvpnui[69341]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Have spotted some certificate issues which I'll raise with the bods at work - to see if they know what thats about.
Ta
Brian
I've asked one of our network guys to take a look at this for you.
Can you please PM us -
- full version of client software
- full IP of end point
Also, it might be worth a look at this link.
Thanks for the details. I've passed those on to the network team. The guy I was dealing with has gone offline, but I hope to provide an update when I know more.
Ok thanks
