I’m having issues with Cisco AnyConnect not wanting to connect after going through SAML authentication. I get an error saying my “hostname” can’t currently handle this request.
This happens more often than not, but I have seen an error where it loads past the white screen & says I’m now connected, but then I get another error saying ‘the secure gateway has rejected the connection’ after clicking accept.
& then other times it works with no issues when I don’t do anything differently. I currently have a case open with Meraki & our IdP but no solution as of yet. Microsoft support did say they were receiving more & more of these errors & are still looking for the cause. I’m wondering if anyone else has heard something different or figured out a fix for all this?
EDIT: we’re currently running version 5.1.1.42 of AnyConnect.
See this post.
https://www.reddit.com/r/Cisco/comments/1cgsa1r/cisco_anyconnect_saml_ms_azure_issue/
I can confirm the fix works. Issue is due to a Chromium 124 update. Impacts Edge and Chrome, regardless of your configured default browser.
Had this same issue and opened a TAC case. It was fixed after going into regedit, under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge, adding a key labeled “WebView2”, then adding a DWORD to it labeled PostQuantumKeyAgreementEnabled and setting the value to 0.
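The registry change described in the comment above, scripted as an added example (this is not from the thread or from Cisco/Microsoft): it records the current value, creates the WebView2 policy key if needed, sets PostQuantumKeyAgreementEnabled to 0, and verifies the result. The path, key and value names come from the comment; the helper function names and the assumption that the client must be restarted before the policy takes effect are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Applies the workaround from the comment
# above: HKLM\SOFTWARE\Policies\Microsoft\Edge\WebView2, DWORD
# PostQuantumKeyAgreementEnabled = 0. HKLM means it applies to every user on the
# machine, so it must be run from an elevated prompt.

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\WebView2'
$ValueName = 'PostQuantumKeyAgreementEnabled'

# Returns the current DWORD, or $null when the value (or the key) does not exist.
function Get-PqcPolicy {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

# Writes the policy. 0 disables the post-quantum hybrid key agreement in WebView2
# (the workaround); 1 re-enables it explicitly.
function Set-PqcPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Enabled)

    # New-Item -Force creates the WebView2 subkey (and any missing parents).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Enabled -Force | Out-Null
}

# Removes the value again, restoring browser defaults, once the gateway is fixed.
function Remove-PqcPolicy {
    if ($null -ne (Get-PqcPolicy)) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
    }
}

$before = Get-PqcPolicy
Write-Host ("Before: " + $(if ($null -eq $before) { '<not set>' } else { $before }))

Set-PqcPolicy -Enabled 0

$after = Get-PqcPolicy
if ($after -ne 0) {
    throw "Policy write failed: $ValueName is '$after', expected 0"
}
Write-Host "After:  $after (post-quantum key agreement disabled for WebView2)"
Write-Host "Restart Cisco Secure Client / AnyConnect so the embedded browser picks up the policy (assumption)."
```

This is a client-side workaround rather than a fix. Chromium 124 turned on the X25519Kyber768 hybrid key agreement by default, which makes the TLS ClientHello large enough to span more than one packet; the comment further down that upgrading the old ASA made the problem go away is consistent with the gateway side not handling that. Plan to run `Remove-PqcPolicy` once the gateways are patched so endpoints go back to the browser default.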
I had one ASA on 9.8.4.35 and a bunch of ASAs on 9.16. The only device that gave me this issue was the 9.8.4 box. It got pretty bad where most users couldn’t connect at all, so I upgraded it to 9.16.whatever, the latest version that is recommended with regard to the latest CVEs, and it has fixed the issue so far. We’re on day 3 or so, and no reported issues. We didn’t push the reg fix either. I had a feeling it was a default browser issue as I was never seeing this issue with Firefox.
I just saw a thread where someone had this exact same problem. There is a reg key that you have to alter on the endpoints so they choose IE instead of Edge. If you do some googling you should be able to find the thread.
Glad I stayed with NPS w/ MFA ext. Something to be said for simplicity
You could also deploy the Secure Client embedded browser. Its only purpose is to be the browser that Secure Client (AnyConnect) uses for SAML and MFA. I have done it this way as my users preferred the look of it over Chrome or Edge spawning a new tab that they had to close on login and logoff.
Every time I try that registry change, I get an error message saying ‘CSRF token Verification failed’
I removed the change & now I’m currently connected to the VPN. I’m checking now if it’s a problem with IE on my computer.