Anyconnect Was Not Able To Establish A Connection Secure Gateway



Mar 31, 2020 What should be done when an attempt to connect to VPN using Cisco AnyConnect generates this message: 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.'

In the Windows Control Panel, navigate to Internet Options (Network and Internet Connections, and then Internet Options).

A new connection attempt to the same or another secure gateway is needed, which requires re-authentication. The following message was received from the secure gateway: 'No assigned address'.

Upon troubleshooting I found even though I configured the correct Connection Profile for SSL VPN, the incoming connection was taking the DefaultWEBVPNGroup.

Cisco VPN Client fix for Windows 8. Problem case: While trying to connect to a VPN you meet the following error message: 'Secure VPN Connection terminated locally by the Client' 'Reason 442: failed.

AnyConnect fails with the message 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connection again'. If you are using the Kaspersky AV firewall you need to add AnyConnect as a firewall exception. It might be more useful to use the free anti-virus software provided by the HRZ.

Enable Optimal Gateway Selection (OGS) (IPv4 clients only): AnyConnect identifies and selects which secure gateway is best for connection or reconnection based on the round trip time (RTT), minimizing latency for Internet traffic without user intervention. OGS is not a security feature, and it performs no load balancing between secure.

Windows Users (macOS users, please scroll to the bottom)

There are a couple of reasons why a Windows user will get the error 'AnyConnect was not able to establish a connection to the specified secure gateway' or 'The VPN client agent was unable to create the interprocess communication depot' while trying to connect using the Software VPN:

  • More than 1 user is logged on to the computer at one time or
  • ICS (Internet Connection Sharing) is enabled.

Here's how to fix both problems.

More than 1 user is logged on to the computer at one time

Advise the user to restart the computer. This will log off any other users who may be logged on. If the problem persists, read on.

Check to see if ICS (Internet Connection Sharing) is running

  1. Select the Start button and then select the Control Panel.
  2. Under the Network and Internet category, select the Network and Sharing Center.
  3. In the left-hand panel select Change Adapter Settings.
  4. Right-click the network connection being shared (try the wired/Ethernet adapter connection first and then check the other adapters) and select Properties.
  5. Select the Sharing tab.
  6. Uncheck the box to Allow other network users to connect through this computer's connection.
  7. Select OK.

Additionally, check that the ICS service is not running.

  1. Select the Start button and then select Run.
  2. Type: services.msc and press ENTER on your keyboard.
  3. Find Internet Connection Sharing (ICS) and then stop the service.
  4. Change the Startup Type to Disabled and then reboot the computer.

macOS users

Unfortunately the current AnyConnect VPN client will only run on macOS versions newer than 10.12 (Sierra). Please update your operating system. Faculty and staff should partner with their local CSC, and students should reach out to AntTech for assistance. The OITHD cannot assist with OS upgrades, and we cannot implement any changes to the network to get your computer to connect to the VPN. We apologize for the inconvenience. You may continue to use the WebVPN at https://vpn.uci.edu

Versions older than macOS 10.12 are no longer supported by Apple, so our recommendation is that you upgrade to at least Mavericks. Your system could be vulnerable to attacks that are fixed in newer releases, and your system could be compromised and used to attack other systems (and possibly used to attack UCI when you are using the VPN).

In addition, there are bug fixes and security updates to the VPN client that necessitate it being updated to fix problems other users are having and to prevent security issues with older clients.

Introduction

This document describes what to do when you encounter this Cisco AnyConnect Secure Mobility Client VPN User Message:

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on Windows Vista and Windows 7 operating systems only.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The Base Filtering Engine (BFE) Service

BFE is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user-mode filtering. The security of the system is significantly reduced if you stop or disable the BFE service. It also results in unpredictable behavior in IPsec management and firewall applications.

These system components depend on the BFE service:

  • Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) IPsec Keying Modules
  • Internet Connection Sharing (ICS)
  • IPsec Policy Agent
  • Routing and Remote Access
  • Windows Firewall

The AnyConnect Secure Mobility Client makes both routing and remote access changes to the host machine. IKEv2 is also dependent on the IKE modules. This means that, if the BFE service is stopped, the AnyConnect Secure Mobility Client cannot be installed or used to establish a Secure Sockets Layer (SSL) connection.

There are threats in active circulation that disable and remove the BFE service as a first step in the infection process.

Win32/Sirefef (ZeroAccess) Trojan

Win32/Sirefef (ZeroAccess) trojan is a multi-component family of malware that uses stealth to hide its presence on your computer. This threat gives attackers full access to your system. Due to its nature, the payload might vary greatly from one infection to another, although common behavior includes:

  • Download and execution of arbitrary files.
  • Contact of remote hosts.
  • Disablement of security features.

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software might be the only symptoms.

Win32/Sirefef (ZeroAccess) trojan attempts to stop and delete these security-related services:

  • Windows Defender Service (windefend)
  • IP Helper Service (iphlpsvc)
  • Windows Security Center Service (wscsvc)
  • Windows Firewall Service (mpssvc)
  • Base Filtering Engine Service (bfe)

Caution: Win32/Sirefef (ZeroAccess) trojan is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. As a consequence of infection with this threat, you may need to repair and reconfigure some Windows security features.

Problem

The scenarios are:

  • The user cannot install the AnyConnect Secure Mobility Client and receives the error message, 'The VPN client was unable to setup IP filtering. A VPN connection will not be established.'
  • The AnyConnect Secure Mobility Client worked fine initially. However, the end user can no longer establish a connection and receives the error message, 'AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.'

Solution

When these error messages are seen, it is important to confirm whether the BFE is actually disabled/missing or if the client is not able to recognize it. In order to troubleshoot, complete these steps:

  1. Access the Service Control Manager (SCM) from the Windows menu:
  2. Search for the BFE service in order to confirm its presence or absence.

If the service works, the status displays as Started. If there is anything else in that column, there is a problem with the service. However, if the status displays as Started, the client is clearly not able to communicate with the service, and it is possible there is a bug.

If the service is disabled or not started, some possible reasons are:

  • Malware, as previously explained, disables this service as a first step.
  • Registry corruption on the machine.
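
The same check can be scripted. The following read-only PowerShell triage is an added example, not code from Cisco, ESET or the original page; it covers the services listed above as Sirefef targets and the ICS service from the earlier steps. It assumes Windows PowerShell 3.0 or later; the function name Get-ServiceFinding is hypothetical, and SharedAccess (the service name of ICS) does not appear on the page.

```powershell
# Read-only triage: nothing is started, stopped or reconfigured.
# Services the page lists as Sirefef targets; each is expected to be running.
# (windefend may be legitimately stopped when a third-party antivirus is installed.)
$expectRunning = 'bfe', 'mpssvc', 'wscsvc', 'iphlpsvc', 'windefend'
# SharedAccess is the service name of Internet Connection Sharing (ICS);
# the ICS steps on the page leave it stopped and disabled.
$expectStopped = 'SharedAccess'

function Get-ServiceFinding {
    param([string]$Name, [bool]$ShouldRun)

    # Win32_Service reports State 'Running' where the Services console shows Started.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    $state = 'Missing'; $mode = 'n/a'; $finding = 'OK'
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }

    if ($ShouldRun) {
        if (-not $svc) {
            # Not registered at all: deleted by malware or lost to registry corruption.
            $finding = 'MISSING: scan for malware before repairing'
        } elseif ($mode -eq 'Disabled') {
            $finding = 'DISABLED: scan first, then re-enable'
        } elseif ($state -ne 'Running') {
            $finding = 'NOT RUNNING: try to start it after a clean scan'
        }
    } elseif ($state -eq 'Running') {
        $finding = 'RUNNING: stop and disable it per the ICS steps'
    } elseif ($svc -and $mode -ne 'Disabled') {
        $finding = 'Stopped but not disabled'
    }
    [pscustomobject]@{ Service = $Name; State = $state; StartMode = $mode; Finding = $finding }
}

$report = @(
    $expectRunning | ForEach-Object { Get-ServiceFinding -Name $_ -ShouldRun $true }
    Get-ServiceFinding -Name $expectStopped -ShouldRun $false
)
$report | Format-Table -AutoSize

# BFE running while AnyConnect still fails points at the client, not the service.
$bfe = $report | Where-Object { $_.Service -eq 'bfe' }
if ($bfe.Finding -eq 'OK') {
    'BFE is running; look at the AnyConnect client rather than the service.'
}
```

Several of the listed services missing or disabled at once matches the pattern described for Win32/Sirefef, so scan the machine before restoring any of them.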

Repair Procedure

The first step is to scan and disinfect your system with antivirus software. You should not restore the BFE service if it will be deleted again by Win32/Sirefef (ZeroAccess) trojan. Download the ESET SirefefCleaner tool from this web page, and save it to your desktop.

Once you have removed Win32/Sirefef (ZeroAccess) trojan, verify that the BFE service can be started and kept active by normal means. In order to do this:

  1. Start SCM and choose the Extended tab instead of the Standard.
  2. Choose the BFE service.
  3. Choose the Start option on the left.

Caution: It is a good practice to back up your files before you attempt this procedure. All information in this article is provided as is, without any warranty, whether express or implied, of its accuracy, completeness, or fitness for a particular purpose.

If this procedure does not work, complete these steps:

  1. Download the ESET ServicesRepair utility from this web page, and save it to your desktop.
  2. Execute the ESET ServicesRepair utility.
  3. Follow the prompts in order to repair the BFE service.
  4. Once the utility finishes, restart your computer.
  5. Once your computer restarts, install or execute the AnyConnect Secure Mobility Client again.

Note: Tests have shown that this tool helps in most cases where the registry files are corrupt or services are damaged. Therefore, if you encounter these error messages, this tool proves useful too:
- The VPN client agent was unable to create the interprocess communication depot.
- The VPN agent service is not responding. Please restart this application after a minute.
- The Cisco Anyconnect Secure Mobility Agent service on Local Computer started and stopped. Some services stop automatically if they are not in use by other services or programs.