NC State VPN Error Messages

The Cisco AnyConnect client may display one of these error messages when you attempt to connect to the NC State VPN. Follow an error’s link to find out how to resolve the problem.



“Failed to initialize system subsystem”

On Windows 8.1 machines, the “Failed to initialize system subsystem” error will pop up as soon as a user tries to connect.  This is the result of a Feb/2015 patch that was released by Microsoft that subsequently caused the Cisco AnyConnect VPN client to stop working.  Details, as well as the fix/workaround, can be found here.


 

“The VPN client was unable to setup IP filtering. A VPN connection will not be established.”

On Windows machines, the Cisco AnyConnect application will check to ensure that the “Base Filtering Engine (BFE)” service is running on your workstation before logging in. This service coordinates the filtering platform components in Windows, including Windows firewall. There are viruses/trojans in active circulation that disable and remove the BFE service as a first step in the infection process.

You can verify by opening the Control Panel, searching for “Services,” and opening “View Local Services.” Double-check that “Base Filtering Engine” is missing from the list.

If you are unable to make changes to your Windows firewall, it is another indication that the Base Filtering Engine has been removed.

It is recommended that you run a virus scan on your machine immediately to see if this resolves your issue. The BFE service should be restored if your antivirus software was successful. If not, it is recommended that you take your machine to the Walk-in Center or contact your LAN administrator to get your Windows firewall service (Base Filtering Engine) working again. Once your local workstation has been repaired, your Cisco AnyConnect client will work again.


 

“AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.”

The solution depends on the OS you are using:

  • Ubuntu 12.04:
    If you upgrade from Ubuntu 11.x to 12.04 you might receive this error message upon trying to log in. Ubuntu is looking for the certificate authority that signed the certs, which currently exist in a different directory. All you need to do is copy the certs from
    /etc/ssl/certs
    to
    /opt/.cisco/certificates/ca/
    If this directory does not exist, you may need to create it:
  • Older 64-bit versions of Ubuntu and other flavors of Linux:
    This issue also comes up when certain 32-bit shared libraries are missing in older 64-bit versions of Ubuntu.  The release notes list the following Linux requirements:”Firefox 2.0 or later with libnss3.so installed in /usr/local/lib, /usr/local/firefox/lib, or /usr/lib. Firefox must be installed in /usr/lib or /usr/local, or there must be a symbolic link in /usr/lib or /usr/local called firefox that points to the Firefox installation directory.”Make sure the 32-bit versions of the sqlite, nss, and nspr packages are installed:
    Then, symlink some of their libraries to /usr/local/firefox:

 

“The VPN client agent was unable to create the interprocess communication depot.”

This error is caused by Internet Connection Sharing (ICS) being enabled in Windows.  Disable it by using the method for your specific version of Windows:


 

“Warning: The following Certificate received from the Server could not be verified.”

Ubuntu 12.04:
You might receive this error upon trying to log in.  Ubuntu is looking for the certificate authority that signed the certs, which currently exist in a different directory.  All you need to do is copy the certs from
/etc/ssl/certs
to
/opt/.cisco/certificates/ca/
If this directory does not exist, you may need to create it:


“vpn.pkg is damaged and can’t be opened.  You should eject the disk image.”

Apple OS X Mountain Lion:

Mac OS X 10.8 introduces a new feature called Gatekeeper that restricts which applications are allowed to run on the system. You can choose to permit applications downloaded from:

  • Mac App Store
  • Mac App Store and identified developers
  • Anywhere

The default setting is Mac App Store and identified developers (signed applications). AnyConnect release 3.1 does not have a signed installation package. This means that you must either use control-click open to bypass the Gatekeeper security setting or select the Anywhere setting in System Preferences under Security & Privacy to install and run AnyConnect installation.

To allow the install to proceed:

  1. Go to System Preferences -> Security & Privacy.
  2. Click on the General tab to highlight it.
  3. Click on the lock icon to allow changes.
  4. Under the heading “Allow applications downloaded from:” click on the Anywhere radio button.
  5. Double click on the vpn.pkg install package. The installation should proceed normally.
  6. When it is finished, you can change the Security & Privacy setting back to the previous setting.