cancel
Showing results for 
Search instead for 
Did you mean: 

Cisco Anyconnect VPN - captive portal detection

FIXED
bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Cisco Anyconnect VPN - captive portal detection

Hi all

 

I'm new to PlusNet and trying to connect to my company VPN (via Cisco Anyconnect) for the first time, and am getting an error every time I try and connect - but the people watching things on the company side of things say nothing is getting through so I expect this is being blocked at the router level.

 

The error I get is:

 

"The service provider in your current location is restricting access to the Internet.
You need to log on with the service provider before you can establish a VPN session.
You can try this by visiting any website with your browser."

According to Cisco (https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technot...) this is related to Captive Portal Detection, which apparently relates to free wifi services in airports and such, redirecting you to a login page.  This ties up with what I'm seeing in the system log:

Jul 6 11:58:50 acvpnui[69341]: An SSL VPN connection to 192.168.1.254 has been requested by the user.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 11:58:50 syslogd[49]: ASL Sender Statistics
Jul 6 11:58:50 acvpnui[69341]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 11:58:50 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 11:58:50 acvpnui[69341]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 2
Jul 6 11:58:50 acvpnui[69341]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1880 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.7551632b7a765730504f486359656f654c704d4367413d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Jul 6 11:58:50 acvpnui[69341]: Message type information sent to the user: Contacting 192.168.1.254.
Jul 6 11:58:50 acvpnui[69341]: Initiating VPN connection to the secure gateway https://192.168.1.254
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 11:58:50 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Jul 6 11:58:50 acvpnagent[57]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 11:58:50 acvpnagent[57]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11573 Received connect notification (host 192.168.1.254, profile N/A)
Jul 6 11:58:50 acvpnagent[57]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4814 The requested VPN connection to 192.168.1.254 is not possible at this time (Captive Portal needs to be remediated).
Jul 6 11:58:50 acvpnui[69341]: Message type warning sent to the user: Connection attempt has failed.
Jul 6 11:58:50 acvpnui[69341]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2647 Content type (unknown) received. Response type (Captive Portal detected) from 192.168.1.254: Captive Portal detected
Jul 6 11:58:50 acvpnui[69341]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5409 Attempt to connect failed when Agent detected a network issue.
Jul 6 11:58:50 acvpnui[69341]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.
Jul 6 11:58:50 acvpnui[69341]: Function: connect File: ../../vpn/Api/ConnectMgr.cpp Line: 2059 ConnectMgr::processIfcData failed
Jul 6 11:58:50 acvpnui[69341]: Function: initiateConnect File: ../../vpn/Api/ConnectMgr.cpp Line: 1185 Connection failed.

 

I can access the internet fine, and if I go the website for the VPN service I can log in fine - I just don't get prompted to log in at all.  This is running on a Mac by the way.  I'm pretty sure I've been able to do this before on this Mac, and definitely on the Mac I had before this on the same VPN client etc.  Work assures me nobody else is having issues.

 

Can anyone help at all please?

Thanks Smiley

Brian

 

11 REPLIES
Plusnet Help Team
Plusnet Help Team
Posts: 1,953
Thanks: 22
Fixes: 5
Registered: ‎24-07-2014

Re: Cisco Anyconnect VPN - captive portal detection

I've checked the firewall on your account and this isn't active. Do you have a local firewall that could be causing the issue? Assuming it's not that, are you able to try with the router that you used with your previous supplier?

If this post resolved your issue please click the 'This fixed my problem' button
 Tony T
 Plusnet Help Team
bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

Hi

Thanks for getting back to me Smiley

There is a firewall on the Mac itself but turning this off made no difference - I get the same message.

 

I don't have the previous router I'm afraid.

Thanks,

Brian

 

bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

I just noticed (while going through this with work again) that my initial trace was wrong, as it was trying to access the router. This is the actual trace when it tries to connect to the VPN server - sorry for the confusion Sad

 

Jul 6 13:54:59 acvpnui[69341]: An SSL VPN connection to https://81.138.92.XXX has been requested by the user.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 13:54:59 acvpnui[69341]: Function: loadProfiles File: ../../vpn/Api/ProfileMgr.cpp Line: 100 No profile is available.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 13:54:59 acvpnui[69341]: Function: getProfileNameFromHost File: ../../vpn/Api/ProfileMgr.cpp Line: 808 No profile available for host 81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Function: getHostInitSettings File: ../../vpn/Api/ProfileMgr.cpp Line: 888 Profile () not found. Using default settings.
Jul 6 13:54:59 acvpnui[69341]: Function: getCertList File: ../../vpn/Api/ApiCert.cpp Line: 339 Number of certificates found: 2
Jul 6 13:54:59 acvpnui[69341]: Function: setConnectionData File: ../../vpn/Api/ConnectMgr.cpp Line: 1880 Certificate retrieved from preferences: Subject Name: CN=com.apple.idms.appleid.prd.7551632b7a765730504f486359656f654c704d4367413d3d Issuer Name : C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority Store : Mac Keychain User
Jul 6 13:54:59 acvpnui[69341]: Message type information sent to the user: Contacting https://81.138.92.XXX.
Jul 6 13:54:59 acvpnui[69341]: Initiating VPN connection to the secure gateway https://81.138.92.XXX
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun0". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: getInterfaces File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 1330 missing PPP destination address for interface "utun1". Check profile PPPExclusion (set to Automatic?) or contact your administrator.
Jul 6 13:54:59 acvpnagent[57]: Function: OnSocketReadComplete File: ../../vpn/Common/IP/DNSRequest.cpp Line: 1201 Invoked Function: CDNSRequest::processResponse Return Code: -29294579 (0xFE41000D) Description: DNSREQUEST_ERROR_NO_SUCH_NAME Failed to resolve [A] query https via DNS server 192.168.1.254
Jul 6 13:54:59 acvpnagent[57]: Function: testDnsAccess File: ../../vpn/Agent/NetEnvironment.cpp Line: 956 Host 81.138.92.XXX could not be resolved to an IPv4 address
Jul 6 13:54:59 acvpnagent[57]: Function: testNetwork File: ../../vpn/Agent/NetEnvironment.cpp Line: 739 Invoked Function: CNetEnvironment::testDnsAccess Return Code: -28966898 (0xFE46000E) Description: NETENVIRONMENT_ERROR_DNS_RESOLUTION_FAILEDCheesyomain name resolution of the host targeted by the network probe has failed
Jul 6 13:54:59 acvpnagent[57]: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1417 The HTTPS probe to 81.138.92.XXX resulted in a redirect.
Jul 6 13:54:59 acvpnagent[57]: Function: VerifyCertName File: ../../vpn/CommonCrypt/Certificates/VerifyServerName.cpp Line: 150 Certificate name verification has failed. Server Name: 81.138.92.XXX Common Name(s): ciscoasa
Jul 6 13:54:59 acvpnagent[57]: Function: VerifyCertName File: ../../vpn/CommonCrypt/Certificates/OpenSSLCertUtils.cpp Line: 1416 Invoked Function: CVerifyServerName::VerifyCertName Return Code: -31391725 (0xFE210013) Description: CERTIFICATE_ERROR_VERIFY_NAME_FAILED
Jul 6 13:54:59 acvpnagent[57]: Function: analyzeHttpResponse File: ../../vpn/Agent/NetEnvironment.cpp Line: 1586 Invoked Function: CCertHelper::VerifyServerCertificate Return Code: -31391725 (0xFE210013) Description: CERTIFICATE_ERROR_VERIFY_NAME_FAILED server name: 81.138.92.XXX
Jul 6 13:54:59 acvpnagent[57]: Server certificate validation failed with the following errors: Certificate does not match the server name.
Jul 6 13:54:59 acvpnagent[57]: Function: TestAccessToSG File: ../../vpn/Agent/NetEnvironment.cpp Line: 1292 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966897 (0xFE46000F) Description: NETENVIRONMENT_ERROR_CERT_VERIFICATION_FAILED:The server cert verification performed after the HTTPS probe has failed
Jul 6 13:55:00 com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Jul 6 13:55:01 acvpnagent[57]: Function: OnOpenRequestComplete File: ../../vpn/Common/IP/HttpProbeAsync.cpp Line: 304 Invoked Function: CHttpSessionAsync::OnOpenRequestComplete Return Code: -31588307 (0xFE1E002D) Description: SOCKETTRANSPORT_ERROR_CONNECT_CANCELED:An asynchronous connection has been canceled during its initiation.
Jul 6 13:55:01 acvpnagent[57]: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1431 Invoked Function: CHttpProbeAsync::SendProbe Return Code: -27066354 (0xFE63000E) Description: HTTP_PROBE_ASYNC_ERROR_CANNOT_CONNECT HTTP (host: 81.138.92.XXX)
Jul 6 13:55:01 acvpnagent[57]: Function: TestAccessToSG File: ../../vpn/Agent/NetEnvironment.cpp Line: 1384 Invoked Function: CNetEnvironment::analyzeHttpResponse Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target
Jul 6 13:55:01 acvpnagent[57]: Function: testNetwork File: ../../vpn/Agent/NetEnvironment.cpp Line: 777 Invoked Function: CNetEnvironment::IsSGAccessible Return Code: -28966899 (0xFE46000D) Description: NETENVIRONMENT_ERROR_PROBE_INCOMPLETE:Network Probe could not contact target
Jul 6 13:55:01 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 268 Incomplete probe count is 1
Jul 6 13:55:01 acvpnagent[57]: Function: TestNetEnv File: ../../vpn/Agent/NetEnvironment.cpp Line: 370 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
Jul 6 13:55:01 acvpnagent[57]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jul 6 13:55:01 acvpnagent[57]: Function: processConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 11573 Received connect notification (host https://81.138.92.XXX, profile N/A)
Jul 6 13:55:01 acvpnagent[57]: Function: respondToConnectNotification File: ../../vpn/Agent/MainThread.cpp Line: 4814 The requested VPN connection to https://81.138.92.XXX is not possible at this time (Captive Portal needs to be remediated).
Jul 6 13:55:01 acvpnui[69341]: Message type warning sent to the user: Connection attempt has failed.
Jul 6 13:55:01 acvpnui[69341]: Function: processIfcData File: ../../vpn/Api/ConnectMgr.cpp Line: 2647 Content type (unknown) received. Response type (Captive Portal detected) from 81.138.92.XXX: Captive Portal detected
Jul 6 13:55:01 acvpnui[69341]: Function: showConnectError File: ../../vpn/Api/ConnectMgr.cpp Line: 5409 Attempt to connect failed when Agent detected a network issue.
Jul 6 13:55:01 acvpnui[69341]: Message type error sent to the user: The service provider in your current location is restricting access to the Internet. You need to log on with the service provider before you can establish a VPN session. You can try this by visiting any website with your browser.

 

Have spotted some certificate issues which I'll raise with the bods at work - to see if they know what thats about.

Ta

Brian

bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

I have tried connecting via a mobile hotspot on my phone and it connects ok from the laptop so it presumably has to be router or network related?  The certificate error doesn't cause the problem.

Superuser
Superuser
Posts: 6,913
Thanks: 964
Fixes: 58
Registered: ‎30-07-2007

Re: Cisco Anyconnect VPN - captive portal detection

Hi and welcome to the forums,

There have  been some issues with certain VPN clients and some PlusNet allocated IP's. From this thread https://community.plus.net/t5/Fibre-Broadband/VPN-IPsec-blocked/m-p/1487743#M67199 Cisco Anyconnect can be one of those giving problems.

@bobpullen could you check if the OP on one of the troublesome IP's please ?

 

Plusnet Help Team
Plusnet Help Team
Posts: 1,953
Thanks: 22
Fixes: 5
Registered: ‎24-07-2014

Re: Cisco Anyconnect VPN - captive portal detection

I've asked one of our network guys to take a look at this for you.

 

Can you please PM us -

- full version of client software

- full IP of end point

 

Also, it might be worth a look at this link.

 

If this post resolved your issue please click the 'This fixed my problem' button
 Tony T
 Plusnet Help Team
bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

PM sent as requested.

I have already been through that Cisco documentation - I think its the same thing I quoted in my original message?

Cheers

Brian

 

Plusnet Help Team
Plusnet Help Team
Posts: 1,953
Thanks: 22
Fixes: 5
Registered: ‎24-07-2014

Re: Cisco Anyconnect VPN - captive portal detection

Thanks for the details. I've passed those on to the network team. The guy I was dealing with has gone offline, but I hope to provide an update when I know more.

If this post resolved your issue please click the 'This fixed my problem' button
 Tony T
 Plusnet Help Team
bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

Ok thanks Smiley

Moderator
Moderator
Posts: 19,037
Thanks: 2,087
Fixes: 311
Registered: ‎11-01-2008

Re: Cisco Anyconnect VPN - captive portal detection

I use Cisco AnyConnect to connect a company VPN without issue on the hub one so don't think it'd be an issue with the router.

Customer / Moderator / If it helped click the thumb / If it fixed it click 'This fixed my problem'

bmca1234
Newbie
Posts: 7
Fixes: 1
Registered: ‎06-07-2018

Re: Cisco Anyconnect VPN - captive portal detection

Fix

Hi

 

I tried a thunderbolt ethernet adapter plugged directly into the router but the Mac wouldn't pick this up at all until I made some changes in the Network Preferences to delete existing 'Location' entries as recommended here:

https://discussions.apple.com/thread/6603213

 

After this, the VPN client was suddenly able to connect so its seemingly not the router, it was the Mac.

 

Thanks for your help

Brian