Anyconnect Network Access Manager

Cisco Anyconnect Network Access Manager Service Not Starting
Cisco Anyconnect Network Access Manager
Anyconnect Network Access Manager

Environment:

My customer is using Cisco AnyConnect not just as VPN client, either for NAC (Network Admission Control) aka. 802.1x authentication. That means, without this AnyConnect software and other requirements (ex. certificate), the workstation is not able to access to the corporate network. So it’s a NOGO, if this client during the upgrade (software/OS) process is not working properly.

Situation:

Following issue has been realised during the Windows 10 feature upgrade (1511 –> 1607). But we had the same problem when the AnyConnect client has to be updated (4.4.04030 –> 4.5.02036) regarding the Krack vulnerability.

The AnyConnect module being discussed here is the network access manager (NAM), which performs 802.1x functions for endpoints onboarding to the internal network. The reconnecting / reauthentication is not the same as VPN access. So it sounds like your question is related to the AnyConnect core remote access VPN functions. Cisco and IT training in the Fast Lane! Uninstall: MSI - Cisco AnyConnect Network Access Manager - Windows. Log In or Register to download the BES file, and more. This task will uninstall the MSI: Cisco AnyConnect Network Access Manager.

Issues:

Some Windows 10 clients had a BSOD during the feature upgrade from version 1511 to 1607. Hereby, the upgrade parameter /MigrateDrivers all has been used.
Cisco AnyConnect client couldn’t be updated from version 4.4.04030 to 4.5.02036. Hereby, the precise issue is, the Network Access Manager Filter Driver (3.1.6010 –> 4.3.5009) couldn’t be renewed.

Workaround by Cisco:

We opened an official Cisco ticket to solve this issue. They mentioned, the software upgrade process has to be straight forward. It means, uninstall old version of AnyConnect client –> reboot the client –> install the new client version –> reboot the client.

It’s not working correctly, because the old driver cannot be uninstalled successfully. The new software version can be installed without any issue, but under the hood the driver cannot be renewed.

Anyway, this workaround is not really a good option in our case. Because as I said, without this AnyConnect client the workstation is definitely offline and ex. cannot continue any software deployment process.

Resolution:

Copy the AnyConnectFix.ps1 script locally

</div><div><table><tbody><tr><td><div><div>2</div><div>4</div><div>6</div><div>8</div><div>10</div><div>12</div><div>14</div><div>16</div><div>18</div><div>20</div><div>22</div><div>24</div><div>26</div></div></td><td><div><div><span>[</span><span>string</span><span>]</span><span>$acdriverpath</span><span>=</span><span>$</span><span>{</span><span>env</span><span>:</span><span>ProgramFiles</span><span>(</span><span>x86</span><span>)</span><span>}</span><span>+</span><span>'CiscoCisco AnyConnect Secure Mobility Clientdrv'</span></div><div><span>#-----------------------------------------------------------------------------------</span></div><div><span>Stop-Service</span><span>nam</span><span>-ErrorAction</span><span>SilentlyContinue</span></div><div><span>#Move wrong NAM driver</span></div><div><span>Move-Item</span><span>-Path</span><span>(</span><span>$env</span><span>:</span><span>windir</span><span>+</span><span>'system32driversacnamfd.sys'</span><span>)</span><span>-Destination</span><span>(</span><span>$env</span><span>:</span><span>systemdrive</span><span>+</span><span>'Temp'</span><span>)</span><span>-ErrorAction</span><span>SilentlyContinue</span></div><div><span>#Copy correct NAM sys file</span></div><div><span>Copy-Item</span><span>(</span><span>$acdriverpath</span><span>+</span><span>'acnamfd.sys'</span><span>)</span><span>-Destination</span><span>(</span><span>$env</span><span>:</span><span>windir</span><span>+</span><span>'system32drivers'</span><span>)</span><span>-ErrorAction</span><span>SilentlyContinue</span></div><div><span>#Copy correct NAM dll file</span></div><div><span>Copy-Item</span><span>(</span><span>$acdriverpath</span><span>+</span><span>'acnamfdbctl.dll'</span><span>)</span><span>-Destination</span><span>(</span><span>$env</span><span>:</span><span>windir</span><span>+</span><span>'system32'</span><span>)</span><span>-ErrorAction</span><span>SilentlyContinue</span></div><div><span>#Start NAM service</span></div><div><span>&</span><span>$exe</span><span>/</span><span>F</span><span>/</span><span>LM</span><span>/</span><span>V</span><span>/</span><span>PATH</span><span>'$acdriverpathacnamfd.inf'</span></div><div><span>#Disable scheduled task</span></div><div><span>Get-ScheduledTask</span><span>-TaskName</span><span>'Enable Net Adapter'</span><span>|</span><span>Disable-ScheduledTask</span><span>-ErrorAction</span><span>SilentlyContinue</span></div><div><span>#Reboot force</span></div></div></td></tr></tbody></table></div></div></li><li>Create a scheduled task which has to be run with highest privilege after the first startup where the workstation is offline.</li><li>Install Cisco AnyConnect Secure Mobility Client (maybe you have to kill first the <em>VPNUI.EXE</em> process).<ul><li>copy VPN service profile</li></ul></li><li>Install Cisco AnyConnect Network Access Manager.<ul><li>copy NAM profile</li></ul></li><li>Unregister old NAM driver (ACNAMFD.SYS) with the following script<br /><div><div><textarea wrap='soft' readonly='>#Define variables [string]$acdriverpath = ${env:ProgramFiles(x86)} + 'CiscoCisco AnyConnect Secure Mobility Clientdrv' [string]$acnamfdsys = Select-String -Path '$env:windirinf*.inf' -pattern acnamfd.sys | Select-object -first 1 | select -ExpandProperty Path [string]$exe = '$acdriverpathacnaminstfd.exe' #----------------------------------------------------------------------------------- & $exe /U /D /V /PATH '$acnamfdsys'

[string]$acdriverpath=${env:ProgramFiles(x86)}+'CiscoCisco AnyConnect Secure Mobility Clientdrv'

[string]$acnamfdsys=Select-String-Path'$env:windirinf*.inf'-patternacnamfd.sys|Select-object-first1|select-ExpandPropertyPath

#-----------------------------------------------------------------------------------

Configure Wired AutoConfig (Dot3svc) service start for demand.
Configure Cisco AnyConnect Network Access Manager (nam) service stat for auto.
Configure Cisco AnyConnect Network Access Manager Logon Module (namlm) service stat for auto.
Install Cisco AnyConnect Diagnostic and Reporting Tool
Reboot
- Starting the AnyConnectFix.ps1 upgrade script at the startup
Unregister scheduled task and cleanup the left-over files

This workaround has been officially confirmed by Cisco.

Microsoft case:

Cisco Anyconnect Network Access Manager Service Not Starting

For this case Cisco has involved Microsoft as well, because Cisco said, ‘it’s an operating system issue‘. As I have already heard many times…

“… if a migration has every occurred on the machine, numerous artifacts are left behind which will interfere with subsequent installs or upgrades of the AnyConnect VPN’s (or any VPN for that matter). The combination of various keys varies and cleaning some of them will sometimes work.

For example, we see at least 3 scenarios:

ACNAMFDBCTL.DLL is not removed or unregistered.
ACNAMFD.SYS is not removed and service remains active
VPNVA is not removed and service remains active (sometimes not active but present)
Or any combination of the above (this is what made this complex since the repro was not consistent and varied between machines… what works for one machine may fail on another).

Each of these will cause a failure of subsequent installs of AnyConnect….”

Conclusion:

Cisco Anyconnect Network Access Manager

Both cases are still open, but our “self designed” upgrade process, we can detect the correct version of each software components and which is more important, the correct NAM filter driver has been successfully registered. It has to be used as workaround, but our Cisco AnyConnect client upgrade for more than 1’400 workstations has been worked properly.

Anyconnect Network Access Manager

Our customer is happy –> we are happy!