Unable to successfully verify all routing table modifications are correct.
A user connecting from Vista 64 with the Cisco AnyConnect client was getting a "The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established." error when trying to connect. No changes had been made to the concentrator configuration, which is an ASA 5520 running 8.0(3).
Via ASDM, there was a syslog notification of "SVC Message: 17/ERROR: Unable to successfully verify all routing table modifications are correct."
Also annoyingly, the license only supports 2 clientless SSL VPN connections, and the SSL VPN client appears to use a clientless connection initially, which fails to shut down, then the SSL client fails to connect, which prevents future logins with no error on the client side due to the licensing.
I found this article which linked the problem to Adobe Photoshop. The user had installed the Photoshop trial recently, and when he disabled Bonjour for Windows, which was installed by Photoshop, the VPN worked fine.
I installed Bonjour on XP 32-bit and could not reproduce the problem. Perhaps it's a Vista 64 issue. It's a small enough edge case that I don't think I'll try to reproduce it.
User says: "it had a really odd name #1_Service_name###. it was added when I installed Adobe"
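Because the service name varies (the user saw an odd one, and a comment below suggests searching for "mdnsresponder.exe"), one way to find the service is by its binary path rather than its name. This is an added example, not part of the original post; the function names and the `$StopNow` switch are hypothetical, and it assumes Windows PowerShell run from an elevated prompt.

```powershell
# Added example: locate the Bonjour service by its binary (mDNSResponder.exe),
# since the post and comments report that the service name is not consistent.

function Get-ServiceByBinary {
    param([string]$BinaryName = 'mDNSResponder.exe')
    # Win32_Service.PathName is the service command line (may be quoted, may carry arguments).
    $all = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        Get-CimInstance -ClassName Win32_Service
    } else {
        Get-WmiObject -Class Win32_Service    # older Windows PowerShell without CIM cmdlets
    }
    $all |
        Where-Object { $_.PathName -and $_.PathName -like "*$BinaryName*" } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Stop-ServiceForVpn {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$Disable    # also keep it from starting at the next boot
    )
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force
    }
    if ($Disable) {
        Set-Service -Name $Name -StartupType Disabled
    }
    Get-Service -Name $Name    # return the resulting state
}

$StopNow = $false    # hypothetical switch: set to $true to stop what was found

$found = @(Get-ServiceByBinary)
if ($found.Count -eq 0) {
    Write-Output 'No installed service runs mDNSResponder.exe.'
} else {
    $found | Format-List
    if ($StopNow) {
        foreach ($s in $found) { Stop-ServiceForVpn -Name $s.Name }
    }
}
```

If the service is only stopped and not disabled, `Start-Service` with the reported name brings it back after the tunnel is up.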



8 Comments:
So I just ran into that same issue trying to install AnyConnect on a new Vista x64 machine and this is the only site on the entire internet that appears to have that error message documented.
Sure enough, nuking the bonjour program (whatever it even is) fixed the problem. Glad you decided to write about it or I'd have been really confused.
Glad it helped. This is new I think on that linked article:
The Bonjour printing server is the problem; it gets installed with iTunes and countless Adobe products. Just disable the service and it will work just fine. Also some of the Adobe products install the Service name as either "Bonjour Printing Service" or "###" (something that begins with that). I would recommend searching the registry for "mdnsresponder.exe" and finding the service name that way.
I tried to open a TAC case requesting that it detect such crap and provide a more useful error message to those users to reduce the number of support calls I get about it. Unfortunately I can't open TAC cases for serial numbers that I haven't gotten the contract numbers added to my account yet and I can't find a simple way to track them down either.
Finally got a TAC case open, Cisco's working on it:
The problem happens when Bonjour modifies the routing table after we have which would break vpn connectivity. This is why the error pops up. This issue was fixed three days so unfortunately it has not been integrated into a released version of Anyconnect as of yet. We have made changes to work around these third party applications that modify the routing table. This fix should be added to the next release which is due out in a few months.
Here is the bug id: CSCsj91840 - Anyconnect on Vista fails with Apple Bonjour service and wireless
I will go ahead and put the case in a Release Pending state so I can notify you once the new Anyconnect is released.
I wrote back:
Awesome, thanks. I had looked for a bug id a week or two ago but couldn’t find one and had to deal with service contract numbers to get this far. That’s exactly what I’m looking for.
It may be worth noting that this error happens for my users on connect every time, so it’s not breaking vpn connectivity, it’s just not allowing it. I’ll keep an eye out for that next build.
They replied:
That is by design. The reason it does not allow it is because if it did you wouldn't be able to pass traffic through the vpn adapter. We also could not guarantee a secure connection if an application modified the routing table after we did. We have to disconnect the connection if a change was made.
If you have a CCO account and are logged in, you can see the bug here.
Here's the current bug for those that don't though:
Anyconnect on Vista fails with Apple Bonjour service and wireless
Symptom:
Anyconnect fails with the error 'failed to verify IP forwarding table modification'
or
'the VPN client was unable to successfully verify the IP forwarding table modification. a VPN connection will not be established'
Conditions:
Software that uses Apple's Bonjour networking service causes a conflict:
Software examples
Adobe CS3 software
Apple iTunes on Vista while using wireless
Workaround:
To uninstall the Bonjour service:
Refer to Adobe KB article kb4000982, section Removing Bonjour for Windows.
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb4000982
To disable the service:
net stop "Bonjour Service" from command line to temporarily turn off the Bonjour service and then restart it after the tunnel is established.
In the first two suggestions, the Version Cue Servers cannot be automatically discovered. However, you can still access these servers directly by using Connect To Server option and entering the url of the machine.
Or,
Remove Adobe software.
Remove iTunes software.
There is a known bug for this issue: CSCsj91840
/Mathias
Yeah. There is now, I already linked to it in this comment.
Unfortunately there wasn't one back in January. Double unfortunately Cisco's bug system isn't indexed by Google because it requires a CCO account with additional access.
This bug has been fixed in the newest release of AnyConnect 2.2.
I've updated to 64-bit Vista and the VPN client I use from Cisco isn't supported in 64-bit.
I can't download Anyconnect from Cisco thus can't connect to corporate email, tradeoffs continue.
Anybody help me locate Anyconnect 2.2? Cisco is no help to me...
Thanks
dkalaf@mac.com
@denny:
The Anyconnect SSL VPN client isn't compatible with a Cisco IPSEC VPN Server configuration.
Your IT department will need to reconfigure the VPN servers, and it's simple to get the Anyconnect client from Cisco as long as you have a support contract, it's under VPN Software downloads.