Update, computers with Anyconnect client 4.10.05085 have no problems to log in

No, this is still an ongoing issue for us. It looks like you're running the same MX firmware version though. We've been testing AnyConnect Client v5.0.02075 but I have been reluctant to push that out until we figure what's going on with the issue on our currently deployed version v4.10.05085.  Based on your situation, looks like whatever is happening here is impacting both of these versions.

I'm unable to reproduce the issue which is what Meraki Support is asking for so I'm kind of in a jam.

For your environment, do you think this is new after upgrading your MX250 to 18.107.2?

If you downgrade does it work? If yes, I suggest opening a support case.

Our company had the same issues. Azure domain joined workstations with intune would get the SSO issue with version 5x. Same workstation would log in under the local user account. Downgraded to version 4x resolved. 

I wish that I had some good news on this, but our issues persist, and we continue to downgrade to 4.x when it comes up.

For anyone that decides to further engage with support on this matter, my experience is that Cisco TAC will not help if the AnyConnect VPN is terminating to a Meraki MX appliance.  Meraki Support will not help as their position (as stated in my open case) is that they do not support AnyConnect. From my Meraki case, "Unfortunately, we do not have any control over Anyconnect nor support it."  To this point, there's been no level of engagement with my Meraki or Cisco team that has resulted in getting any step closer to understanding what's going on. I'd strongly suggest to anyone looking at using AnyConnect with an MX to really consider that you're doing so without support which is obviously fine until you need it. 

I'll keep trying on my end and will surely post any relevant updates.

Hi Mike,

I have the same issue and Meraki support referred me to Cisco TAC for further assistance. Since you've already done that there is no need for me to go through the same process.

HOWEVER, while being on the phone with Meraki support I sort of fixed the issue for myself. At least for now on only 1 PC and yet to test it on others.

My scenario explained below;

- I found that local admin users have no problem connecting and no warning. SAML auth works.

- When a non-admin user tries to connect, the error appear.

- I logged in on the troubled PC as admin user, open AnyConnect and entered the hostname. Connected and voila! 

- Logged back in as the non-admin user, opened AnyConnect, enter hostname address and voila!

Don't ask me why and unfortunately I can't confirm if this is a working  work-around on this issue. I will test it on more troubled PC's and confirm back here.

Good luck if anyone want to try this work-around in the meantime.

-DawieKabouter-

Thanks for your response. I'll relay the "AnyConnect as admin" thing to my team so they can test it the next time this comes up and will post some feedback with our findings.

Hi Mike, perfect. Just to be clear make sure whoever do the work-around to be logged on as a local admin. Installing the software as admin is not enough.

Good luck!

Regards,

-DawieKabouter-

Understood, thank you. 

Hi DawieKabouter,

We ran into the issue today and your work-around appeared to work as you described!

We logged into the PC as an administrator and established the VPN without any issues.  We then disconnected the VPN and logged back into the PC as the standard user and were able to make a successful VPN connection without the error. 

We're going to continue testing and I'll post an update with subsequent findings.  If this holds true going forward, then the requirement to downgrade is resolved but I'd really like to understand what's causing this issue in the first place. 

I deeply appreciate you sharing your findings here so many thanks to you.

Thanks, 

Mike

Hi Mike,

Thanks for getting back to me. I'm glad it worked, however, I wish to further update you on this case. It turns out my own solution was short-lived.

I had to add the domain user to the Power Users group and now the user is able to connect consistently without this erorr.

I would suggest to monitor this, if the work-around is no longer working, try adding the user with different permissions on the local system. In this case I know for a fact Power Users group works.

Kind regards,

-DawieKabouter-

Hi Mike,

Compliments of the season to you. So I have found another work-around which might be easier to apply from a GPO level instead.

https://community.cisco.com/t5/vpn/authentication-failed-due-to-problem-navigating-to-the-single/td-...

I simply added these registry keys (no reboot) and it worked!

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco AnyConnect Secure Mobility Client" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Cisco\Cisco Secure Client" /v UseLegacyEmbeddedBrowser /t REG_DWORD /d 1 /f

PS. Run these as Admin.

Best regards,
-DawieKabouter-

Hi DawieKabouter,

Thanks for reaching out again and best wishes to you as well!

Since we last connected, I was ultimately able to open a collaborative support case between Cisco, Meraki, and DUO to hopefully get to the bottom of this. With that said, I had a call with the Cisco Support team yesterday, as a result of me informing them about the suggested work-around of adding the above-mentioned registry key. 

Long story short, they concur that trying the above step, as part of our continued troubleshooting, makes sense. I have informed my team to implement this on a case-by-case basis, as the issue occurs. I will definitely report back with an update on how that goes for us.

Your prior recommendation (to log in as local admin and run VPN client) has been our go-to move (continued thanks for that!). However, this reg key, providing it works for us, would be much simpler to implement globally.

If of any value, I was supplied with link below that provide some details on the change in AnyConnect 4.10.05095 that resulted in the AnyConnect embedded browser defaulting to WebView2 runtime, providing that it's installed. The new registry key above reverts the AnyConnect browser to use the legacy embedded browser control. 

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/rel...

I hope this works out as it's been many months!!! Again, thank you for your continued feedback and follow up on this and I'll respond back with our findings.

Sincerely, 
Mike