Cisco Secure Client VPN Connection Failure with SAML Authentication and Bencode Dictionary Errors

Available Languages

Download Options

  • PDF     (5.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (87.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (73.1 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 4, 2026
Document ID:226011

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

VPN connections using Cisco Secure Client fail to establish when using SAML authentication with Google IdP. Although SAML authentication is successful on the IdP side, the client fails during post-authentication processing and transitions to a disconnected state, preventing the VPN tunnel from being created.

Environment

  • Cisco Secure Client version 5.1.13.177

  • SAML authentication configured with Google IdP

  • Secure Access - Secure Client Remote Access (VPN, Posture, Private Resource)

  • Google IdP authentication logs show successful SAML authentication

Resolution

The issue was resolved by reinstalling the Cisco Secure Client. The following troubleshooting approach was documented:

Initial Diagnostic Steps

Step 1: Collect DART logs from the affected endpoint - https://www.cisco.com/c/en/us/support/docs/security/secure-client/221919-collect-dart-bundle-for-secure-client.html

Extract Dart Bundle > Cisco Secure client > Anyconnect VPN > Logs > Under VPN Folder > AnyConnectVPN.txt - show following errors while reading internal settings, with the following errors appearing continuously:

  • Bencode dictionary internalize failed

  • Failed to create Bencode dictionary

  • PHONEHOMEVPN_ERROR_UNEXPECTED

  • GLOBAL_ERROR_UNEXPECTED

Step 2: Verify SAML authentication status on IdP side

Confirm that Google IdP logs show successful SAML authentication to isolate the issue to the client-side post-authentication processing.

Resolution Implementation

Step 1: Reinstall Cisco Secure Client

Uninstall the existing Cisco Secure Client installation and perform a clean reinstallation of the client software.

Step 2: Verify VPN connectivity restoration

After re installation, test the VPN connection with SAML authentication to confirm that the connection establishes successfully and the tunnel is created properly.

The re installation of Cisco Secure Client restored VPN functionality, allowing successful SAML authentication and tunnel establishment.

Cause

The root cause appears to be related to corrupted internal configuration data within the Cisco Secure Client installation, specifically affecting the CPhoneHomeVpn/PhoneHomeAgent component's ability to process Bencode dictionary data during post-authentication processing. The repeated "Bencode dictionary internalize failed" and "Failed to create Bencode dictionary" errors indicate that the client was unable to properly parse or process internal configuration data required for establishing the VPN tunnel after successful SAML authentication.

The issue was resolved through client reinstallation, suggesting that the problem was related to corrupted client-side data rather than server-side configuration or IdP integration issues.

Related Content

Revision History

Revision Publish Date Comments
1.0
04-Jun-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • TAC

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products