Document ID: 116347
Updated: Jul 29, 2013
Contributed by Carlos Alberto Chaves Morales, Juan Gabriel Zuniga Segura, and Atri Basu, Cisco TAC Engineers.
This document describes what to do when you enounter this Cisco AnyConnect Secure Mobility Client VPN User Message:
The VPN client was unable to setup IP filtering.
A VPN connection will not be established.
There are no specific requirements for this document.
The information in this document is based on Windows Vista and Windows 7 operating systems only.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Base Filtering Engine (BFE) Service
BFE is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user-mode filtering. The security of the system is significantly reduced if you stop or disable the BFE service. It also results in unpredictable behavior in IPsec management and firewall applications.
These system components depend on the BFE service:
- Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) IPsec Keying Modules
- Internet Connection Sharing (ICS)
- IPsec Policy Agent
- Routing and Remote Access
- Windows Firewall
The AnyConnect Secure Mobility Client makes both routing and remote access changes to the host machine. The IKEv2 is also dependent on the IKE modules. This means that, if the BFE service is stopped, The AnyConnect Secure Mobility Client cannot be installed or used to establish a Secure Sockets Layer (SSL) connection.
There are threats in active circulation that disable and remove the BFE service as a first step in the infection process.
Win32/Sirefef (ZeroAccess) Trojan
Win32/Sirefef (ZeroAccess) trojan is a multi-component family of malware that uses stealth to hide its presence on your computer. This threat gives attackers full access to your system. Due to its nature, the payload might vary greatly from one infection to another, although common behavior includes:
- Download and execution of arbitrary files.
- Contact of remote hosts.
- Disablement of security features.
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software might be the only symptoms.
Win32/Sirefef (ZeroAccess) trojan attempts to stop and delete these security-related services:
- Windows Defender Service (windefend)
- IP Helper Service (iphlpsvc)
- Windows Security Center Service (wscsvc)
- Windows Firewall Service (mpssvc)
- Base Filtering Engine Service (bfe)
The scenarios are:
- The user cannot install the AnyConnnect Secure Mobility Client and receives the error message, "The VPN client was unable to setup IP filtering. A VPN connection will not be established."
- The AnyConnect Secure Mobility Client worked fine initially. However; the end user can no longer establish a connection and receives the error message, "Anyconnect was not able to establish a connectoin to the specified secure gateway. Please try connecting again."
When these error messages are seen, it is important to confirm whether the BFE is actually disabled/missing or if the client is not able to recognize it. In order to troublehoot, complete these steps:
- Access the Service Control Manager (SCM) from the Windows menu:
- Search for the BFE service in order to confirm its presence or absence.
If the service works, the status displays as Started. If there is anything else in that column, there is a problem with the service. However, if the status displays as started, the client is clearly not able to communicate with the service, and it is possible there is a bug.
If the service is disabled or not started, some possible reasons are:
- Malware, as previously explained, disables this service as a first step.
- Registry corruption on the machine.
The first step is to scan and disinfect your system with an antivirus software. You should not restore the BFE service if it will be deleted again by Win32/Sirefef (ZeroAccess) trojan. Download the ESET SirefefCleaner tool from this web page, and save it to your desktop.
This video explains the procedure to remove the Win32/Sirefef (ZeroAccess) trojan:.
Once you have removed Win32/Sirefef (ZeroAccess) trojan, verify that the BFE service can be started and kept active by normal means. In order to do this:
- Start SCM and choose the Extended tab instead of the Standard.
- Choose the BFE service.
- Choose the Start option on the left.
If this procedure does not work, complete these steps:
- Download the ESET ServicesRepair utility from this web page, and save it to your desktop.
- Execute the ESET ServicesRepair utility.
- Follow the prompts in order to repair the BFE service.
- Once the utility finishes, restart your computer.
- Once your computer restarts, install or execute The AnyConnect Secure Mobility Client again.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.