A user connecting from Vista 64 with the Cisco AnyConnect client was getting a “The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.” error when trying to connect. No changes had been made to the concentrator configuration which is an asa5520 running 8.0(3).
Via ASDM, there was a syslog notification of “SVC Message: 17/ERROR: Unable to successfully verify all routing table modifications are correct.”
Also annoyingly, the license only supports 2 clientless ssl vpn connections and the ssl vpn client appears to use a clientless connection initially which fails to shut down then the ssl client fails to connect, which prevents future logins with no error on the client side due to the licensing.
I found this article which linked the problem to Adobe Photoshop. The user had installed the photoshop trial recently and when he disabled bonjour for windows, which was installed by photoshop, the VPN worked fine.
I installed Bonjour on XP 32bit and could not reproduce the problem. Perhaps it’s a Vista 64 issue. It’s a small enough of an edge case that I don’t think I’ll try to reproduce.
User says: “it had a really odd name #1_Service_name###. it was added when I installed Adobe”
So I just ran into that same issue trying to install AnyConnect on a new Vista x64 machine and this is the only site on the entire internet that appears to have that error message documented.
Sure enough, nuking the bonjour program (whatever it even is) fixed the problem. Glad you decided to write about it or I’d have been really confused.
Glad it helped. This is new I think on that linked article:
The BonJour printing server is the problem, it gets installed with Itunes and countless Adobe products. Just disable the service and it will work just fine. Also some of the Adobe products install the Service name as either “Bonjour Printing Service” or “###” (something that begins with that). I would recommend searching the registry for “mdnsresponder.exe” and finding the service name that way.
I tried to open up a TAC case requesting that it detect such crap and provide a more useful error message to those users to reduce the number of support calls I get about it. Unfortunately I can’t open TAC cases for serial numbers that I haven’t gotten the contract numbers added to my account yet and I can’t find a simple way to track them down either.
Finally got a TAC case open, Cisco’s working on it:
The problem happens when Bonjour modifies the routing table after we have which would break vpn connectivity. This is why the error pops up. This issue was fixed three days so unfortunately it has not been integrated into a released version of Anyconnect as of yet. We have made changes to work around these third party applications that modify the routing table. This fix should be added to the next release which is due out in a few months.
Here is the bug id: CSCsj91840 – Anyconnect on Vista fails with Apple Bonjour service and wireless
I will go ahead and put the case in a Release Pending state so I can notify you once the new Anyconnect is released.
I wrote back:
Awesome, thanks. I had looked for a bug id a week or two ago but couldn’t find one and had to deal with service contract numbers to get this far. That’s exactly what I’m looking for.
It may be worth noting that this error happens for my users on connect every time, so it’s not breaking vpn connectivity, it’s just not allowing it. I’ll keep an eye out for that next build.
They replied:
That is by design. The reason it does not allow it is because if it did you wouldn’t be able to pass traffic through the vpn adapter. We also could not guarantee a secure connection if an application modified the routing table after we did. We have to disconnect the connection if a change was made.
If you have a CCO account and are logged in, you can see the bug here.
Here’s the current bug for those that don’t though:
Anyconnect on Vista fails with Apple Bonjour service and wireless
Symptom:
Anyconnect fails with the error ‘failed to verify IP forwarding table modification’
or
‘the VPN client was unable to successfully verify the IP forwarding table modification. a VPN connection will not be established’
Conditions:
Software that uses Apple’s Bonjour networking service cause a conflict:
Software examples
Adobe CS3 software
Apple Itunes on vista while using wireless
Workaround:
To uninstall the Bonjour service:
Refer to Adobe KB article kb4000982, section Removing Bonjour for Windows.
http://kb.adobe.com/selfservice/viewContent.do?externalId=kb4000982
To disable the service:
net stop "Bonjour Service" from command line to temporarily turn off the Bonjour service and then restart it after the tunnel is established.
In the first two suggestions, the Version Cue Servers cannot be automatically discovered. However, you can still access these servers directly by using Connect To Server option and entering the url of the machine.
Or,
Remove Adobe software.
Remove Itunes software
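An added example, not part of the original post or of Cisco's bug text: a PowerShell sketch of the "search for mdnsresponder.exe to find the service name" advice above, which matters because the service is not always called "Bonjour Service". It assumes a PowerShell 3.0 or later session run as administrator; the variable names are illustrative.

```powershell
# Added example: locate every service whose binary is mDNSResponder.exe,
# regardless of the display name the installer gave it (for example the
# "###..." names reported for Adobe installs, or a copy bundled with
# another vendor's software).
$pattern = 'mdnsresponder\.exe'   # -match is case-insensitive by default

$hits = @(Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern })

if ($hits.Count -eq 0) {
    Write-Output 'No service is backed by mDNSResponder.exe on this machine.'
}
else {
    # PathName shows which product directory the binary lives in, which
    # identifies the software that installed it.
    $hits | Format-List Name, DisplayName, State, StartMode, PathName

    foreach ($svc in $hits) {
        # Preview only. Remove -WhatIf to actually stop the service
        # before connecting.
        Stop-Service -Name $svc.Name -WhatIf

        # To restart it after the tunnel is established, as the
        # workaround describes:
        # Start-Service -Name $svc.Name
    }
}
```

If the list comes back empty and the error persists, the cause is something other than an mDNSResponder service, as several later comments report.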
There is a known bug for this issue: CSCsj91840
/Mathias
Yeah. There is now, I already linked to it in this comment.
Unfortunately there wasn’t one back in January. Double unfortunately Cisco’s bug system isn’t indexed by Google because it requires a CCO account with additional access.
this bug has been fixed in the newest release of AnyConnect 2.2
I’ve updated to 64Bit Vista and the VPN client I use from Cisco isn’t supported in 64Bit.
I can’t download Anyconnect from Cisco thus can’t connect to corporate email, tradeoffs continue.
Anybody help me locate Anyconnect 2.2? Cisco is no help to me…
Thanks
dkalaf@mac.com
http://www.demonoid.com/files/details/1454087/5426554/
THANK YOU! This was very helpful, I actually experienced this problem with a computer running Windows XP SP2 connecting with Anyconnect 2.1.0148.
Thanks, this was very helpful and the only place I could find this information.
Thank you! I also could only find this issue explained and resolved here. However, I can’t get the 2.2 software from Demonoid, they are closed for registrations. Anyone have another suggestion for download for me?
Thanks guys. I have anyconnect and updated to SP1 on Vista and it stopped working (Error was “unable to successfully verify the IP forwarding table modifications”).
When I updated to SP1 it also prompted me to update itunes which, obvious to me now, installed Bonjour (French for bye bye VPN). After disabling Bonjour in my services menu, the anyconnect client started working again.
Once again, thank you very much for the solution!
Hi,
Thanks a lot for putting this note out. I have been struggling for the past 2 days to get this issue fixed. I have this issue even though I am on a 32 Bit vista version. This worked like a charm and is a big relief for me now.
Regards,
Pradeep
Son of a gun. iTunes snuck in a service on me and set up Bonjour. Thanks for your article!
Bill
Thanks. I was having the problem listed above and went to Vistas problem solving site and there were no solutions. Went to Google as my last ditch effort and your site came up. I have ITunes, Vista, and a wireless network (exactly as described) and once Bonjour was disabled AnyConnect worked like a charm.
Shryl
This was a HUGE help and fixed the issue that two of my co-workers were having. We are running XP SP2 and SP3 and one co-worker had iTunes and the other had the Adobe CS3 suite. Thanks for the article!
Apple has fixed this bug in their latest Bonjour image which is pushed to iTunes updater automatically.
I have this issue with windows XP sp1
no adobe or itunes has been installed.
I have two split tunneling statements in my ASA’s group policy config. If I remove one of the statements I can connect but I cannot browse the internet. I can however browse the intranet
help
Disabling the Bonjour service resolved my issue with the VPN Client too! Thank you.
I also received the following message: “The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.” Thinking I somehow had Bonjour installed, I then searched the registry for “mdnsresponder.exe”. The entry it found was my TiVo Desktop. So I removed TiVo and now everything works. So TiVo is apparently doing the same thing as Bonjour does.
Excellent fix btm! Disabling the Bonjour service also resolved my issue with the VPN Client.
Many thanks.
Well, I sure wish this was my problem!
I’ve got the same error, but no trace of mdnsresponder in either the registry or the file system, and no obvious Bonjour service. No Adobe products other than reader, and no iTunes.
I do have Vista64, and I do have SP1, so that could be it.
However, the torrent above appears broken, so I can’t download 2.2, and of course there’s nothing you can do from Cisco’s site!
Any more updates would be appreciated!
I am having the same issue as Kevin. I deleted itunes and all other Apple software. Deleted all bonjour on the machine and registry instances of it. Any idea what else could be causing this issue? It worked last semester, but something happened over the summer that caused it to stop working.
I just had this same issue on my CEO’s computer, he did not have Bonjour, CS3 or anything like that, on a Hard wired connection. The only way I could fix the issue was to uninstall the software and then have it reinstall via the firewall.
Kevin,
Go to network & sharing centre, click manage network connection, and locate for cisco anyconnect vpn client connection. Then set up your TCP/IPv4 to obtain ip address automatically and obtain DNS automatically. it works for me after that.
This started happening a lot after we switched all our laptops from XP to Windows 7. Nobody’s running Bonjour or any Adobe product other than Reader. A reboot fixes the problem, but it’s very annoying.
I am facing same issue in Windows 7..some time it worked after reboot but most of the time it does not help…
any solution as its really annoying.
At last I traced it down for me. I was getting the same error and did a search in the registry for bonjour and found that the apple safari was the one causing this. I have uninstalled it and now it is working like a charm! Hope this helps at least someone here.