Hi There,
I have recently updated my laptop to Windows 10 1803 and now my Cisco VPN is not connecting for one of my remote connections.
Within the CLI the username is typed automatically, which is normal; then, as it begins to type the password, only one character is typed and then it fails. This happens if I do this manually as well. A screenshot of what happens is attached.
Does anyone have any ideas how to fix this? I have seen previous posts regarding disabling UAC etc.; however, this did not work.
Thanks,
Anthony
2018-05-04 14_08_44-C__Program Files (x86)_Cisco_Cisco AnyConnect Secure Mobility Client_vpncli.exe.png
Hello Anthony,
I just saw that you sent us an email and opened a forum thread; that being said, here is the information I sent you by email:
When you said that this happens if you run Cisco AnyConnect manually, do you mean when you open the VPN connection in the CLI?
If yes, in this case this means the issue is probably between Cisco VPN and Windows. From RDM we open the VPN through the CLI command.
If they changed the CLI, or if they no longer support the special character, in this case we could adjust RDM for these modifications.
Best regards,
David Grandolfo
Hi Anthony,
I received your email regarding the command line for the VPN connection.
Let's continue via the forum. I'm sorry I talked about a command line, but Cisco AnyConnect isn't only a single command line; it's multiple entries, one after the other.
If you start VPNCLI.EXE manually and enter the host, press Enter, then the username, press Enter, and finally the password, does it work?
Best regards,
David Grandolfo
Hello Anthony,
I had a chat with another customer and he had the exact same issue as you.
So for information, since a Cisco AnyConnect update (4.5.3040.0) and with Windows 10 build 17134.1 the password stops after 1 digit.
We will try to install the latest version of Cisco AnyConnect and I will check with the IT department whether we have a Cisco AnyConnect to test.
We will inform you as soon as we reproduce the issue.
Thanks,
David Grandolfo
Thanks for that.
I have tested manually this morning through the VPNCLI.exe and get the same behaviour.
As soon as I type a character in the password field it fails.
Same here. I have found a VB script to connect using the GUI instead of the CLI, but I can't figure out how to execute a script before and after an RDP connection like VPN does.
(scripts attached)
AnyDisconnect.vbs
AnyConnect.vbs
@Bas,
Thanks for this script.
@Everyone
So what I understand is that the new Cisco AnyConnect version is "probably" no longer supporting credentials being sent. I will try to confirm this on our side. But if you have support plans with them and if you are able to confirm this point, it would be really nice.
That being said, as soon as we know whether Cisco no longer supports the CLI, we could try to integrate a new type of connection.
So if you are able to confirm to us the "Non-password support" for the CLI it would be good; otherwise I will try to confirm it on our side too.
Best regards,
David Grandolfo
It's more likely a problem of the latest Windows 10 CU (April creators update). The Cisco AnyConnect client cli does work with older versions of Windows.
I agree that it is most likely a windows update. Haven't made any changes to anyconnect.
I have a very basic semi-work around, if you only have a connection or two. Use the attached batch file and change the vpn to custom, pass it $VPN_PASSWORD$ (Requires enabling Allow password in variable under security for each host) for connect and disconnect for disconnect. Replace HOST, USER and PATH\TO with correct values, and the echo 0 line is for group so adjust or remove as needed. %* is used instead of %1 to get special characters, but even with that it still has issues with characters like "&", "", and "|".
I hope this might help someone else until such time that a good solution is found.
basicconnect.bat
Hi David,
Thanks for this information. Of course, users who want to use it need to know that this will send the password in clear text, and for some of them it could be a security issue.
That being said, that kind of issue looks to be related to the Microsoft version. It will probably be solved in a Microsoft update.
Best regards,
David Grandolfo
Hi David,
Same issue here, seems to be a combination of the Windows 10 update and the version of anyconnect.
Hi Paul,
Another customer told me that if they try to fill in the credentials outside of RDM (CLI of AnyConnect directly) they still have the issue. Is it the same for you?
If so, could you open a support ticket with them and let us know if it's a known bug on their side?
Thanks
David Grandolfo
Hi David,
When typing or pasting the password manually it works fine, but only in the AnyConnect application.
When I type or paste the password using CLI, immediately after the 1st character (any character) the same behavior occurs as in RDM. You simply cannot enter the full password. :(
We use AnyConnect to support a client, not sure if we can get them to open a ticket at Cisco.
Hi David,
Just tested using credentials from a input script: vpncli -s<c:\temp\connect.txt
connect.txt contains:
connect hostname
username
password
And this works fine.
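The response-file workaround above, as an added example that is not part of the original posts or of RDM: a PowerShell wrapper that feeds the same three lines to `vpncli.exe -s` on standard input while keeping the cleartext password in a file only the current user can read, and deleting it afterwards. The function name, the install path (taken from the screenshot filename in the first post) and the absence of a group-selection line are assumptions.

```powershell
# Added example: hypothetical wrapper around the "vpncli -s < connect.txt" workaround.
function Invoke-VpnCliConnect {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VpnHost,
        [Parameter(Mandatory)] [pscredential] $Credential,
        # Assumed path, based on the screenshot filename in the first post.
        [string] $VpnCli = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
    )
    if (-not (Test-Path -LiteralPath $VpnCli -PathType Leaf)) {
        throw "vpncli.exe not found at $VpnCli"
    }

    # Create the response file empty, lock down its ACL, and only then write the secret.
    $file = Join-Path $env:LOCALAPPDATA ('vpn-{0}.txt' -f [guid]::NewGuid())
    $null = New-Item -ItemType File -Path $file
    try {
        $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
        $acl  = Get-Acl -LiteralPath $file
        $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
        $acl.SetAccessRule($rule)                     # current user is the only principal left
        Set-Acl -LiteralPath $file -AclObject $acl

        # Same layout as connect.txt in the post: "connect <host>", username, password.
        $net = $Credential.GetNetworkCredential()
        Set-Content -LiteralPath $file -Encoding Ascii -Value @(
            "connect $VpnHost", $net.UserName, $net.Password)

        # PowerShell has no "<" redirection; piping the file content feeds vpncli's stdin.
        Get-Content -LiteralPath $file | & $VpnCli -s | Out-Host
        return $LASTEXITCODE
    }
    finally {
        # Runs on success, failure and Ctrl+C, so the password file never outlives the call.
        Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue
    }
}

# Usage (host name is a constructed placeholder):
# Invoke-VpnCliConnect -VpnHost 'vpn.example.test' -Credential (Get-Credential)
```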
Hi Paul,
This could be a great workaround. I'm attending a conference today and tomorrow. At the beginning of next week I will have a chat with the engineering department to see if we could do something with the solution you found.
Thanks
David Grandolfo
David, I believe I can confirm the problem is tied to Windows 10 updates KB2504637 and KB4103721 (security update). The Cisco VPN has worked flawlessly for the last 8 to 10 months including yesterday afternoon. After installing the updates last night, the VPN does not work using vpncli.exe. I'm going to try the suggested work around of using the text file for the credentials.
I hope Cisco will provide an update because I have tons of connections and REALLY love using RDM!!
I can confirm that the AnyConnect version 3.1 does indeed work as it should.
You would like to change the line
<BypassDownloader>False</BypassDownloader> to <BypassDownloader>true</BypassDownloader>
in the AnyConnectLocalPolicy.xml file located in folder 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client' though
That way, when connecting, the client doesn't automatically update to a newer version, thus restoring the problem.
Thank you. The client requires version 4.4 so I'll have to wait for an update from Cisco or get the workaround working.
Hello
just installed version 4.6.00362 and the problem is not resolved
Any ideas?
Hello everyone,
First I would like to thank you all for the specific information you found.
Based on this I will open a ticket with Cisco with all the information. And we will be able to evaluate whether the issue will be solved by Cisco or whether it's a new « security feature ». With that information I will transfer this to the engineering department to find a solution.
I will inform you at each step.
Thanks
David Grandolfo
Hi David,
Were you able to open a ticket with Cisco? This definitely started for me after installing 1803.
edit: I just opened a case with Cisco and will report back on my findings. ticket# 684532082
edit2: this is definitely not an RDM issue. I was able to recreate the issue using the VPNCLI outside RDM as well.
Hi,
I had a discussion with Cisco last week and we do not own a support plan. We are purchasing a support plan and after we will be able to open a ticket.
If you already have a support plan with them, do not hesitate to open a ticket at the same time as us.
Best regards,
David Grandolfo
I spoke with Cisco and they confirmed that this is a bug. They're working on a fix. No indication as to how long it will take to get the update.
Good news,
Thanks for the update
David Grandolfo
It's officially a Cisco bug now.
Upgrade to windows 10 1803 and password entry returns after one character
CSCvj65286
Description
Symptom:
typing password into AnyConnect from the CLI in Windows 10 1803 fails immediately after entering one character
Conditions:
Upgrade to Windows 10 1803 from any older version of Windows 10
launch clivpn.exe
select tunnel group (if needed)
enter username
password will fail after user types the first character.
Workaround:
none
Further Problem Description:
none
As soon as they solve this issue, if we need to modify our integration, please let us know and we will do it.
Best regards,
David Grandolfo
Anyone heard anything further from Cisco on this?
Not only do they need to fix this but they need to hire a web guy! Their web account registration is broken in places... and logging in with an account at Cisco.com doesn't help. What a mess.
OK... update that... maybe it takes a bit for the account to be recognized by their various systems... was finally able to get to the Bug Report through Cisco.com.
"Known fixed releases (0)" :(
We didn't get news on our side, @sbemister did you get any news from the ticket?
Thanks
David Grandolfo
Hi Guys,
Sorry, they have not sent any updates on this bug. I'll post if I hear anything though.
I believe that I got Cisco to originally open the bug by reporting this issue. I am told that the problem is corrected and that a fixed version will be released at the end of the month.
Hi,
Thanks for the follow up, we will test the next version/update for Cisco AnyConnect 4.6.
David Grandolfo
Hi,
Any update on this one?
Cheers,
I'm seeing this issue only after upgrading to 13.6.1.0. My version of the VPN client has not changed in a long time. Additionally, on another computer that I haven't upgraded from 13.5.8.0 I do not see this issue.
I see that the PC that doesn't exhibit this issue is Windows 10 1709, while the one that does is Windows 10 1803. I do not want to risk making changes to the PC that works, as I rely quite heavily on VPN cli working correctly.
Is there a direct download of 13.5.8.0 so I can test it on the newer Windows build?
Edit: there's a bug over at the Cisco website.
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvj65286
Edit 2: just saw it was linked earlier. Nevermind...
I can confirm that 4.6.01103 (released June 20) does not fix the issue.
Hi,
Based on the Cisco topic, the issue has been fixed on the 21st of June. So we need to wait for a new Cisco AnyConnect release.
Best regards,
David Grandolfo
Hello,
I was able to work around this Cisco AnyConnect vpncli.exe issue by installing version 3.1.00495, which I downloaded from this site: https://www.cera.net/portal/downloads/7/v3100495 I hope this helps until the new version is released. Note: you will need to uninstall any current versions of Cisco AnyConnect before installing the new version. I also had to run through the vpncli.exe manually the first time, as it asks you if you want to download and trust the certificate (if you are using the "connect anyway" setting).
Thanks,
Jacqueline
Hello,
Thanks Jacqueline, I just contacted Cisco through their ticketing system again today. We should have an answer shortly.
Best regards,
David Grandolfo
Hello Everyone,
I received a notification from Cisco; we should be able to have a new Cisco AnyConnect version within a month.
Here is what Cisco wrote:
So far I understand that you are having problems with connecting to AnyConnect from the CLI. I do consider you are hitting bug CSCvj65286; internal notes show that it is already resolved and it is going to be applied on AnyConnect versions 4.6(2025) or 4.6(2053). I wouldn't be able to tell when it is planned to be released, but I would say within one month. You can always subscribe to the bug to receive notifications when the fixed release is published.
Best regards,
David Grandolfo
Hi,
I just did a follow-up with Cisco and they haven't released a new version yet.
The open bug at Cisco is (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj65286/?rfs=iqvred)
Edit: For users who do not have Cisco access, a screenshot is attached.
Best regards,
David Grandolfo
Cisco_Issue.jpg
4.6.02074 (released 08/03) fixes this issue.
@meepzorp,
Have you been able to test this latest release?
Is it working fine with RDM?
Best regards,
Jeff Dagenais
@Jeff it does. Yes and Yes.
This is great except I can't get the latest version of Cisco Anyconnect due to all the requirements they have for us to be able to get it off their website.
Nenand,
The maintenance on a Cisco 5506 ASA is only about $100/year. Not sure what firewall you have but, the maintenance isn't really that expensive.
I can confirm that 4.6.02074 fixes the issue on the 1803 build of Windows.
The problem with this arrangement is that the folks using the client software are NOT always Cisco customers themselves. I am supporting clients that have Cisco VPNs (as well as many others). If my client doesn't have a current support contract or for whatever reason doesn't feel like 'updating' (read: spending $100 to fix what is inherently a Cisco issue) then we're the ones stuck dealing with a broken VPN client. That's lousy business on the part of Cisco AFAIC. I'm also disappointed in how long it took them to fix this issue. Not exactly inspiring confidence in the Cisco brand.
Hi Jamieson,
Thanks for your point of view. I also worked a lot with MSP companies before, and I know that in their service contracts (not every customer loves this) they required their customers to always have routers and switches under a service contract. In this case the support was easier for them, faster, and the customer was protected against attacks or security issues on the device.
Thanks
David Grandolfo
I am having this exact same issue. However, being a vendor myself using this to connect, I can't get my hands on the latest version. Is there anyone who might have this and can post it somehow so we can all get our hands on this Cisco AnyConnect client?
Hi all, just googled the newest version number 4.6.03049. Luckily there are always companies who provide downloads for their clients.
After I googled https://www.google.nl/search?q=anyconnect+4.6.03049&oq=anyconnect+4.6.03049&aqs=chrome..69i57.4641j1j4&sourceid=chrome&ie=UTF-8
There you will find the site https://www.catpaw2012.net/docs/?p=420
Scanned the download with Virustotal https://www.virustotal.com/#/file/ac91b749ec0cb420eaf3ee40df46f4c3c08ba538d1151891fd05b6a20f556fe4/detection
Updated and problem fixed :)
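A check that complements the VirusTotal scan in the post above, as an added example that is not part of the original posts: before an installer obtained from a mirror is run, verify that its Authenticode signature is valid and names the expected publisher. The function name, the signer string and the optional trusted SHA-256 parameter are assumptions.

```powershell
# Added example: hypothetical pre-install check for an installer obtained from a mirror.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: text expected inside the signing certificate's subject.
        [string] $ExpectedSigner = 'Cisco Systems, Inc.',
        # Optional: SHA-256 published by a source you trust (not by the mirror itself).
        [string] $ExpectedSha256
    )
    $reasons = @()
    $sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # String comparison in PowerShell is case-insensitive, so hex case does not matter.
    if ($ExpectedSha256 -and $sha256 -ne $ExpectedSha256.Trim()) {
        $reasons += 'SHA-256 differs from the expected value'
    }

    # Status is 'Valid' only when the file is unmodified since signing and the
    # certificate chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons += "Signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    if (-not $subject) {
        $reasons += 'File carries no signer certificate'
    }
    elseif ($subject -notlike "*$ExpectedSigner*") {
        $reasons += "Signed by an unexpected publisher: $subject"
    }

    [pscustomobject]@{
        Path    = $Path
        Sha256  = $sha256
        Signer  = $subject
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage (file name is a constructed placeholder):
# $r = Test-InstallerTrust -Path .\anyconnect-installer.msi
# if (-not $r.Trusted) { $r.Reasons; return }   # do not install
```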
Hi ..
I too have been having this bug also.
And I confirm that the version of the VPN client mentioned above, does solve the issue.
Thanks for posting it.
Hi everyone
At my company we suddenly found all versions of AnyConnect to work through RDM again yesterday.
We haven't changed anything as far as we know it just suddenly worked when one of my coworkers tried so it may be worth checking it again for those of you who had problems.
- River
I would like to confirm that updating to 4.6.03049 or 4.7 resolves the issue. And give a shout out to PaulPerkooijen, Thank you!!! I had been fighting this for a while and just happened to find this article after searching EVERYWHERE for a resolve.