VPN

Resolving Mini WAN Miniport Code 31 Errors on Windows 8.1

Posted on by Matt Woodward

After a recent Windows update I could no longer connect to one of my VPNs using the native Windows VPN connectivity (i.e. not a client like Cisco AnyConnect). When I tried to connect from the networking charm (I think that’s what they call the bar on the right-hand side of the screen) it would hang for a while but never connect, and after that happened when I clicked on the networking icon on the lower right the charm bar wouldn’t even come back.

I figured it might be a driver issue so I opened up Device Manager and sure enough, under the network adapters section there were yellow exclamation marks next to every one of the WAN Miniports that show up after you try to connect to a VPN.

I found varying reports of how to fix the problem but here’s what worked for me.

  1. Try to connect to a VPN that will cause things to error out (the WAN Miniports didn’t even show up in the network adapter list for me until I did this)
  2. Open Device Manager
  3. Expand “Network adapters”
  4. Right-click every one of the WAN Miniport devices (I even did the ones that didn’t have a yellow exclamation point next to them) and do the following:
    1. Click “Update Driver Software”
    2. Click “Browse my computer for driver software”
    3. Click “Let me pick from a list of device drivers on my computer”
    4. Uncheck the “Show compatible hardware” box
    5. Under Manufacturer choose Microsoft
    6. Under Network Adapter choose “Microsoft KM-Test Loopback Adapter” (technically from what I understand you can pick anything that you can uninstall, but this one worked consistently for me)
    7. Click “Next”
    8. Ignore the “blah blah might be incompatbile” warning and click OK
    9. After Device Manager refreshes, right click the Microsoft KM-Test Loopback Adapter and click “Uninstall”
  5. After you’ve done that for every one of the WAN Miniports listed, reboot the machine. If you don’t do this things won’t be fixed.
That cleaned things up for me. We’ll see if it works on subsequent reboots.

Cisco AnyConnect VPN Client vs. OpenConnect on 64-Bit Linux Mint 12

Posted on by Matt Woodward
Last night I decided to replace my Ubuntu 11.10 installation on my System76 Serval Pro with Linux Mint 12. I’ve used Linux Mint on and off since version 9, and Linux Mint 10 and 11 were my full-time OSes until I ran into some lockup issues with Mint 11 on my System76 Lemur Ultra-Thin, at which point I decided to give Ubuntu 11.10 with Unity a real shot.

Not to get sidetracked on the real topic of this post, but Unity isn’t nearly as bad as many make it out to be. After using it for a week I actually started to like it and found myself quite productive with it. That said, since I’ve also always loved Mint I figured I better kick the tires on their latest release which is now the most popular GNU/Linux distribution, having recently bumped Ubuntu from the top spot.

If you’ve seen all my previous posts on getting Cisco AnyConnect running on GNU/Linux you’ll know that this is an ever-changing series of problems and fixes over the years, but with Ubuntu 11.10 and Cisco finally releasing a native 64-bit version of the AnyConnect client the steps were finally limited to simply install and launch.

For some reason that isn’t the case with Linux Mint 12 and as in the past the fixes that worked previously don’t seem to apply to Mint 12. Downloading and installing the client is the same as previously, and the installation works fine, but at least on my machine when I try to connect I get a different certificate-related error than I’ve received in the past and I haven’t yet determined how to resolve it.

In the mean time, some folks commented on a previous post to try OpenConnect, which is an open source VPN client designed to work with Cisco hardware. I’d tried it in the past without success against my specific VPN server but since I wasn’t having much luck with AnyConnect (and to be fair, I probably only fought with it for about 30 minutes so there may well be a solution–if you know what it is I’d love to hear it!) I decided to try OpenConnect again. (An aside: my apologies for not responding to comments to that post. Posterous is having notification issues and I haven’t received comment notifications for a while.)

Installation of the client and the integration with the Mint network manager is easy enough:
sudo apt-get install openconnect network-manager-openconnect

After installation completes you go to Network Settings and configure your VPN connection, which basically just requires the host name of your VPN server. With that configured you can then click on the network connection icon on the top right of the screen and select your VPN connection from the VPN list, and in my case it connected fine.

I did try running OpenConnect from a terminal and even when starting with sudo (which you have to do in order for the tunnel to be created), I got the error “No –script argument provided; DNS and routing are not configured” so although it connected to the VPN server fine, I couldn’t do anything once I was connected. Using the network manager piece resolved that issue for some reason. The issue with running from a terminal is probably just a configuration thing but using the network manager is more convenient anyway, so I didn’t dig into that either.

So for now at least I’ll be using OpenConnect instead of AnyConnect, though if/when I install Mint 12 on one of my other machines I may try to figure out what’s wrong with AnyConnect to satisfy my curiosity if nothing else. For now I just had to get something working since tomorrow it’s back to work after the Thanksgiving holiday.

If anyone has AnyConnect running on Mint 12 and has ideas of what to try I’d be very interested to hear how you got things running, and I’ll do a follow-up post if I figure it out when I work on it on another machine.

Installing Cisco AnyConnect on 64-Bit Ubuntu 11.10

Posted on by Matt Woodward

Every six months for the past few years I’ve been posting how to install Cisco AnyConnect on the latest 64-bit releases of Ubuntu and for a couple of cycles Linux Mint since I was using that as my primary OS for a while.

This time around it’s finally downright boring, which is a good thing. No more installing 32-bit libraries, creating symlinks to Firefox libraries, etc. etc. you just do the following:

  1. Hit your company’s VPN server in a browser and log in with your user name and passcode

  2. Click the AnyConnect link on the left

  3. Click “Start AnyConnect”

  4. This will attempt to install AnyConnect via your browser’s Java plugin. If this works, you’re done! If this doesn’t work (give it at least 60 seconds), read on.

In my case on the two machines on which I attempted this it didn’t work. The browser-based install just hung even though I verified I have Java installed and the browser plugin is working.

If you don’t have Java installed, however, the browser-based installation will detect that and give you a download link for the installer. So what I did was in Firefox I went to Edit -> Preferences -> Manage Add-Ons -> Plugins and I disabled the IcedTea-Web Plugin, which is the Java plugin that Firefox ships with.

I then restarted Firefox and repeated the steps above, only this time on step 4 it detected I didn’t have Java installed and provided a link to the 64-bit installer. Download that file (vpnsetup.sh), chmod +x it, run it, and you’re done.

I’m a little disappointed I didn’t have to the usual dance on this, but it finally just works.

Cisco AnyConnect VPN Client on 64-Bit LinuxMint 11

Posted on by Matt Woodward

I’ve posted before about getting Cisco AnyConnect running on Ubuntu 9.10 and Ubuntu 10.04, but I’ve since started using LinuxMint as my daily driver and did a clean install of MInt 11 today. Mint is based on Ubuntu so on Mint 10 the previous strategy to get AnyConnect running worked fine, but I had to take a different approach after installing Mint 11. (I suspect it’ll be the same issue on Ubuntu 11.04 but I haven’t tried it.)

In doing a bit of research I came across this link that explains quite correctly that you don’t need to actually download and extract Firefox to get this all working, which is what I had been doing previously. The Cisco client (for some stupid reason) expects certain things to be in a /usr/local/firefox directory but you can simply create that directory, download some other files, and then create the appropriate symlinks in /usr/local/firefox to make AnyConnect happy.

I also ran into some inexplicable weirdness related to a certificate file in my ~/.mozilla/firefox profile directory but I’ll cover that as I outline the steps I took to get AnyConnect working.

Summary of Steps

Follow these and if you’re lucky it’ll work; if it doesn’t read the information that follows for more details and troubleshooting ideas.

  1. Follow the steps in this blog post, which are as follows:

    1. sudo apt-get install ia32-libs lib32nss-mdns

    2. sudo mkdir /usr/local/firefox

    3. sudo ln -s /usr/lib32/libnss3.so /usr/local/firefox

    4. sudo ln -s /usr/lib32/libplc4.so /usr/local/firefox

    5. sudo ln -s /usr/lib32/libnspr4.so /usr/local/firefox

    6. sudo ln -s /usr/lib32/libsmime3.so /usr/local/firefox

    7. sudo ln -s /usr/lib32/nss/libsoftokn3.so /usr/local/firefox

  2. Download the AnyConnect installer from somewhere. The usual method of browsing to your VPN server and logging in may not work, so see below for details.

  3. Run the installer from the directory to which it was downloaded (sudo ./vpnsetup.sh). The daemon may fail to start at this point but don’t worry if it doesn’t.

  4. If the daemon failed to start, start the VPN daemon: sudo /etc/init.d/vpnagentd_init start

    1. You shouldn’t get an error regarding /opt/cisco/vpn/bin/vpnagentd not being found at this point if you followed the above steps accurately. If you do, read on to see if any ideas come out of any of the subsequent discussion.

  5. Start the AnyConnect client. It should be in your Internet programs menu.

    1. If you get a “server certificate problem” error, stop Firefox and delete ~/.mozilla/firefox/YOUR_PROFILE.default/cert8.db where YOUR_PROFILE is whatever random string Firefox assigned your default profile (you should only have one directory with .default at the end of it in ~/.mozilla/firefox). In my case this problem didn’t rear its head until after I rebooted, so you might want to reboot at the end of all of this to make sure everything’s working.

If you’re still getting errors read on for more info …

Downloading AnyConnect

I ran into problems right out of the gate on Mint 11. On Mint 10 as well as previous versions of Ubuntu I could at least hit my VPN server in a browser, try to fire up the Java applet, and when that fails it prompts you to download, but this time around the “launching Java applet” screen on the VPN server just hung. I verified that Java is enabled in Firefox and tested with other applets so I’m not sure what the issue is there, particularly since this did work on my 32-bit machine with Mint 11.

So word of caution: you need to get the installer elsewhere, or at least I did. There may be a solution to this I haven’t yet come up with so if you know what’s up here, please be sure and comment.

Luckily I had the installer backed up from when I copied my home directory to an external hard drive prior to installing Mint 11, so I ran the installer from my home directory.


sudo ./vpnsetup.sh

This at least got the daemon installed for me, but it failed to start after installation (usually it starts fine after it’s installed), throwing an error about /opt/cisco/vpn/bin/vpnagentd file not being found. The file’s definitely there so I’m not sure what its problem is, but this gets resolved in the subsequent steps so you can ignore that error for now.

Install Necessary Libraries and Create Symlinks

See the above steps for details (all the steps under #1 above). In my case this resolved the file not found error the daemon was throwing when I tried to install AnyConnect prior to creating those symlinks. If you do that step first everything should work.

Launch the VPN Daemon


sudo /etc/init.d/vpnagentd_init start

If that throws errors doublecheck all the symlinks you created above. Note that in previous versions one of the things you were supposed to install and symlink to was sqlite3.so but that does not seem to be necessary.

Launch the AnyConnect Client

You should now be able to launch AnyConnect from your Internet programs menu. If you get a “server certificate problem” error, for me this seemed to be related to a certificate file in my Firefox profile.

How I came across this was after I rebooted and started Firefox on my 32-bit machine, since my home page is my Google Mail login, Firefox immediately threw a “Could not initialize the browser’s security component” error. I found information on that error on Mozilla’s site, so on GNU/Linux this means stopping Firefox and deleting the cert8.db file that’s in your profile (~/.mozilla/firefox/YOUR_PROFILE.default).

On my 64-bit machine the behavior was slightly different. Everything seemed to work with AnyConnect until I rebooted, at which point it threw the server certificate error. I then launched Firefox and it popped up a completely blank alert window, but when I closed that window and Firefox finished loading, I noticed I couldn’t browse to any sites. No matter what I put in the location box the top of the Firefox UI was completely unresponsive.

Since I’d happened to have the security component issue on my 32-bit machine, I figured even though on the 64-bit machine it wasn’t actually showing me the error, that might be the problem. Sure enough when I deleted the cert8.db file Firefox then began to work, as did the AnyConnect client. I rebooted to make sure it wasn’t a fluke and thus far everything is working.

Remaining Issues

At this point the only remaining issue is that for some reason when I connect to the VPN, AnyConnect doesn’t minimize itself into that little “stacked blue balls” icon thingee over near the clock. It just minimizes itself and shows up in your task bar like any other program. Minor annoyance but it does behave correctly on my 32-bit machine so I’m not sure what’s going on there.

Hope that helps some others who are trying to get this running!

Cisco AnyConnect VPN Client on 64-Bit Ubuntu 10.04

Posted on by Matt Woodward

I outlined much of this in a previous blog post, but since things are slightly different (or at least were for me) on Ubuntu 10.04, I figured I’d do a follow-up while it was fresh in my mind. Note that if you’re on 32-bit Ubuntu AnyConnect works out of the box so you don’t need to do any of these steps. The issue is that there is no native 64-bit AnyConnect client for Linux so you have to install some 32-bit libraries and point AnyConnect to some libraries from Firefox to get things working.

The basic procedure remains the same as in my previous post, but I had to install some additional libraries and do things in a slightly different order this time around.

  1. Download the AnyConnect installer from your VPN server or get a copy from your VPN administrator. (Why these clients aren’t freely available I have no idea. You can only connect to something that someone paid Cisco for, so I’m not sure why the clients can’t just be out in the wild. If you Scroogle around you may find some download links here and there but of course use at your own risk if you don’t get the client from an authorized source.)

  2. Do a chmod +x on the installer (which for me was called vpnsetup.sh) and then run the installer using sudo. This will throw a couple of errors but they can safely be ignored.

  3. Install ia32-libs and lib32nss-mdns

    • sudo apt-get install ia32-libs lib32nss-mdns

  4. Download a fresh copy of Firefox, expand, and move to /usr/local

    • I downloaded to my Downloads directory, expanded there, and did sudo cp -R firefox /usr/local

  5. Do a cd into /usr/local/firefox and create symlinks for the Firefox libraries in /opt/cisco/vpn/lib as follows:

    • sudo ln -s libnss3.so /opt/cisco/vpn/lib/libnss3.so

    • sudo ln -s libplc4.so /opt/cisco/vpn/lib/libplc4.so

    • sudo ln -s libnspr4.so /opt/cisco/vpn/lib/libnspr4.so

    • sudo ln -s libsmime3.so /opt/cisco/vpn/lib/libsmime3.so

    • sudo ln -s libsoftokn3.so /opt/cisco/vpn/lib/libsoftokn3.so

    • sudo ln -s libnssdbm3.so /opt/cisco/vpn/lib/libnssdbm3.so

    • sudo ln -s libfreebl3.so /opt/cisco/vpn/lib/libfreebl3.so

    • sudo ln -s libnssutil3.so /opt/cisco/vpn/lib/libnssutil3.so

    • sudo ln -s libplds4.so /opt/cisco/vpn/lib/libplds4.so

    • sudo ln -s libsqlite3.so /opt/cisco/vpn/lib/libsqlite3.so

  6. Start the VPN daemon: sudo /etc/init.d/vpnagentd_init start (If it doesn’t start without errors, double-check all your symlinks.)

  7. Launch AnyConnect. You should have a launcher under Applications -> Internet, but If not you can launch it from /opt/cisco/vpn/bin/vpnui using your normal user account (i.e. not using sudo).

After AnyConnect launches you can enter your VPN server address, accept the certificate, and log in as per usual.

Cisco AnyConnect VPN Client on 64-Bit Ubuntu 9.10

Posted on by Matt Woodward

I’ve been using vpnc as my VPN client on Ubuntu for quite some time now, but vpnc allows for split tunneling (meaning I’m on the VPN but I can still access my local network), and, well, let’s just say some network security folks don’t like that. 😉 I looked into disabling split tunneling on vpnc and I didn’t find any conclusive answers, so it was time to look for an alternative VPN client for Cisco VPNs.

Cisco AnyConnect is a VPN client that can (in theory) be installed from a web browser on any operating system, provided your VPN server is configured to support it. If you want to check, hit your VPN server in a browser. If you see a login screen, log in with your normal VPN credentials and you should be able to install AnyConnect from there.

All isn’t rosy with this picture on Linux, however. The browser-based install doesn’t work (or didn’t for me at least), and while you can download a Linux version of the installer, the installer runs fine but the client throws some errors when you attempt to connect to your VPN. Specifically in my case it was throwing a “no valid certificates” error or something along those lines. As usual there’s a relatively simple solution, but it took some digging.

AnyConnect relies on libraries that are distributed with Firefox, but AnyConnect expects these libraries to be located under /usr/local/firefox. On Ubuntu they’re located elsewhere so AnyConnect chokes when it’s trying to connect.

Once you have AnyConnect installed, go through the following steps to get things working. Also make sure the daemon is running; check using ps -ef | grep vpn and if it isn’t running, do sudo /etc/init.d/vpnagentd_init start to fire that up.

  1. Download Firefox from mozilla.com. Yes, I know, you already have it installed, but download a fresh copy anyway. Although you may be able to leverage your existing copy, I went this route just to be sure nothing interfered with the copy I use all day every day. I read some things that seemed to indicate you needed to get the 32-bit version if you’re on a 64-bit OS, but that wasn’t the case for me. I suppose if you have a 32-bit version of AnyConnect you’d want to get the 32-bit version of Firefox.

  2. Untar Firefox into /usr/local/firefox

  3. Create symlinks in /opt/cisco/vpn/lib to the following files, all of which are located in /usr/local/firefox:
    libnss3.so
    libplc4.so
    libnspr4.so
    libsmime3.so
    libsoftokn3.so
    libnssdbm3.so
    libfreebl3.so
    libnssutil3.so
    libplds4.so
    libsqlite3.so
    (Thanks to casevh in this thread for the list of libraries)

  4. Launch AnyConnect (/opt/cisco/vpn/bin/vpnui). From what I read you should not be launching AnyConnect as root or by using sudo.

  5. After the client launches, enter the host to which you want to connect.

  6. Accept the certificate provided by the server.

  7. Enter your user name and password as you normally do.

That’s it–you should be in. Note that if you’re used to using a profile file with a different VPN client, AnyConnect (at least based on my 1/2 day of experience) seems to work differently, so a user name and password should be all you need. If you’re using a SecurID token of course you’ll use that as your password.

Connecting to Cisco VPN on Ubuntu

Posted on by Matt Woodward

Made yet another step forward in my pursuit of full-time Linux usage today, namely connecting to a Cisco VPN. I did try the vpnc application that several people suggested but, to put it in technical terms, it “didn’t like” our VPN hardware. (I’m sure there’s just some setting that needs to be tweaked.) It imported my PCF file fine but would always timeout on the connection.

So I got a hold of the official Cisco VPN client for Linux (version 4.8.01), and while it did need a bit of compiling and a patch applied for Ubuntu 8.04, it works great! I did find one blog post in particular that was helpful (thanks Arun!), and if you get an error on Ubuntu 8.04 (which I didn’t) you might check out another post on Arun’s blog.

Yes, you do have to fire the VPN client up from a terminal so it’s not as pretty as the Mac version, but it works just fine and is overflowing with geek cred.

Since I also fixed the LDAP lookup issue in Evolution that I mentioned in my post yesterday, I think the remaining piece of the puzzle is finding something that’s compatible with Microsoft Messenger (not the public network side of it), which is a huge nice to have but might be asking a bit much.

Comments

Update on this–very weird DNS issues are keeping me from using this full-time. Apparently the Cisco client messes with resolv.conf. It’s a bizarre problem because it works for a while and then suddenly you lose DNS.

I’m sure there’s a fix, just haven’t had time to look into it yet.

Posted by Matt Woodward @ 7/12/08 7:49 AM

@Matt: I’m having exactly the same DNS problem you comment. Have you found any solution?

Posted by Joan M @ 10/15/08 6:39 AM

Yep Joan–just install resolvconf:

http://tinyurl.com/5qovt7

Posted by Matt Woodward @ 10/15/08 6:42 AM