Error Messages on AnyConnect for Apple iOS Devices

Introduction

This document describes different error messages generated when using the Cisco AnyConnect VPN Client on Apple iPad devices. Corresponding resolutions required in order to eliminate those error messages are also included.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco AnyConnect Secure Mobility Client 2.5.x for Apple iOS and later

• Cisco ASA Security Appliance that runs software version 8.2 and later

• Apple iOS 4.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Error Messages

This section provides examples of error messages and their respective solutions.

Licensing Issue

This error message is received on the iPad client when trying to launch the AnyConnect application:

The secure gateway has rejected the agent's VPN connect or reconnect request. 
A new connection requires re-authentication and must be started manually. 
Please contact your network administrator if this problem persists.
The following message was received from the secure gateway: No License
VPN session ended.

Solution

You need to have the required license in order to use the AnyConnect VPN Client on iPad clients. Refer to this CLI snippet from the ASA show version command:

AnyConnect for Mobile                 : Disabled       perpetual
AnyConnect for Cisco VPN Phone        : Disabled       perpetual
Advanced Endpoint Assessment          : Disabled       perpetual

Provide details like "PAK number" and "Serial number of the device" at the Cisco Licensing Page (registered customers only) in order to obtain the license. You could also contact Cisco Technical Support or send an e-mail to licensing@cisco.com.

Certificate Authentication Issue

This error log message is received on the Cisco ASA:

%ASA-6-725007: SSL session with client outside:XX.YY.ZZ.ZZ/51249 terminated.

CERT-C: E ../cert-c/source/certobj.c(719) : Error #73ch

CRYPTO_PKI: can not set ca cert object (0x73c)

These error messages are received on the iPad client application:

Solution

The client certificate authentication is failing and the Cisco ASA can parse some certificate extensions successfully, but cannot validate the client certificate. In order to resolve this issue, configure the CA on the ASA and enroll the iPad. Once complete, you should connect successfully using the client certificate.

Address Assignment Issue

This error message is received when trying to connect to an ASA from an iPad AnyConnect Client.

Secure gateway has reject the connection attempt. No
   address available for SVC connection.

Solution

Verify that the tunnel-group has a valid address-pool/dhcp server and that there are available addresses in that pool.

Group URL Issue

This error message is received while trying to connect:

The group URL requested has not been found. 
Please specify a valid group URL, and try again.

Solution

Check that the group-url is properly configured on the iOS device and on the head-end. They must match exactly, minus the https://, which should exist on the head-end.

Related Information

• ASA 8.x: AnyConnect VPN Client Troubleshooting TechNote
• Cisco AnyConnect Secure Mobility Client 2.5 FAQ
• Cisco AnyConnect Secure Mobility Client Support Page
• Technical Support & Documentation - Cisco Systems