cisco anyconnect ssl vpn client random debugging

Cisco AnyConnect VPN (SSL VPN Software) was throwing “Failed to install and start agent. Installation has failed.” on me after logging in but before connecting (which was failing). I ended up randomly trying to go to the HTTPS site in Firefox and it threw an error about the SSL certificate, some random number that was pretty meaningless.

This inspired me to go to ASDM, Configuration, Remote Access VPN, Advanced, SSL Settings and, under certificates, remove the certificate I was using for the interface. This problem went away! I have no idea what it didn’t like about the certificate. It would have been nice if it said something about this though. Seeing some errors about the client trying to access “https://ipaddr/CACHE/stc/1/VPNManifest.xml” is actually what got me playing around with the browser; otherwise the only readable errors in the event log (the software makes its own section in the event viewer) are “WINDOWS_ERROR_CODE”. Nice. The debugging in ASDM wasn’t helping much either.

After that I was getting a bit further but failing, and this time ASDM, which was set to logging debugging, was giving me a “TunnelGroup GroupPolicy User IP No address available for SVC connection” error. This turned out to be because I was using dhcp-server on the policy and pointing it at the broadcast address. This had worked for other Cisco gear in the past. I watched the DORA process using Wireshark on a server and saw that it was just repeating the discovers and offers over and over. When I changed dhcp-server to point at the unicast address for the server, the connection finally worked.

2 thoughts on “cisco anyconnect ssl vpn client random debugging”

  1. btm Post author

    ASDM is “Cisco Adaptive Security Device Manager”, the follow-up graphical user interface to PDM, “Cisco PIX Device Manager”. If you have the web server enabled on your ASA, when you connect that’s what it offers to run or install. It’s a Java software package but I think there’s a separate Windows package too.
