8 November 2021

Troubleshoot Cisco AnyConnect VPN

Solve issues with Cisco AnyConnect VPN

Office of the CIO | Help@IBM

macOS VPN Troubleshoot Guide | Help@IBM

 Troubleshoot
Before you contact the IBM Help Desk,
try to troubleshoot your issue. First,
verify and confirm you have a valid
VPN certificate.

To get started, go to page 3.

Windows VPN Setup Guide | Help@IBM 2

macOS VPN Troubleshoot Guide | Help@IBM
 Verify You Have a Certificate

macOS VPN Troubleshoot Guide | Help@IBM 3

 Verify You Have a Certificate
If you can’t connect to the IBM network with Cisco AnyConnect VPN, verify that you
have a VPN certificate installed.
To do this:
1. From the Launchpad, open Keychain Access. By default, Keychain Access is
located within the Other folder.
2. On the left side of the window, under Default Keychains, click “login,” then click
the My Certificates tab. If you have a VPN certificate, its name is your w3id.
• If you have an expired certificate, delete it, then generate a new certificate.
Start on page 6.
• If you don’t have a VPN certificate, generate a new certificate. For instructions,
go to page 7.
• If you have a certificate but encounter other issues, locate your issue in the
table of contents on page 8, then go to the corresponding page.

macOS VPN Troubleshoot Guide | Help@IBM 4

 Delete and Generate a VPN Certificate

macOS VPN Troubleshoot Guide | Help@IBM 5

 Delete a VPN Certificate
Before you renew your VPN certificate, you need to delete the existing VPN certificate:
1. In Keychain Access, under Default Keychains, click “login,” then click the My
Certificates tab. If you have a VPN certificate, its name is your w3id.
• If the certificate is issued by IBM VPN Intermediate CA, right-click the
certificate, click Delete, then confirm the deletion.
• If the certificate is issued by IBM VPN CA, renew the certificate via the
Mac@IBM App Store. For instructions, go to the next page.
2. If prompted for your Keychain password, enter your Mac login password.

Next, generate a certificate from the Mac@IBM App Store. For instructions, go to the
next page.

macOS VPN Troubleshoot Guide | Help@IBM 6

 Generate a VPN Certificate
To generate or renew your certificate:
1. Launch the Mac@IBM App Store.
2. In the search bar, enter Renew VPN.
3. Under Renew VPN, click Renew, then click Renew again.
4. A window asks you to confirm your username. Confirm your username is your
w3id, then click Continue.
The process is complete when a new VPN certificate appears in Keychain Access’
“login” section. The new certificate is issued by IBM VPN CA.
If a certificate doesn’t appear within 15 minutes, open the Mac@IBM App Store and
search for Update Mac@IBM Status. Click Update, then click Update again. This
helps with the delivery of your certificate.

After you receive the certificate, you can connect with Cisco AnyConnect VPN.

macOS VPN Troubleshoot Guide | Help@IBM 7

 Locations Missing 9
Find the Issue
“Hostscan is Waiting for Next Scan” 11

Locate the issue you’re experiencing in Can’t Access IBM Resources 13

the table of contents, then go to the
Password Prompts 15
corresponding page.
Domain Name Resolution Error 17
If your issue isn’t in the table, contact
Appendix 19
the IBM Help Desk for support.
Need help 21

macOS VPN Troubleshoot Guide | Help@IBM 8

 Locations Missing

macOS VPN Troubleshoot Guide | Help@IBM 9

 Locations Missing
If locations are missing from the Cisco AnyConnect drop-down list, you can attempt
to connect manually. In the drop-down list field, enter a gateway address (refer to
page 20).

If you still can’t connect, try to reinstall Cisco AnyConnect:

1. Open the Mac@IBM App Store.
2. Search for Cisco AnyConnect.
3. Locate Uninstall Cisco AnyConnect, then click Uninstall. Click Uninstall again.
4. Cisco AnyConnect uninstalls. In the Mac@IBM App Store, search for Install Cisco
AnyConnect.
5. Under Install Cisco AnyConnect, click Install, then click Install again.
6. Cisco AnyConnect installs. Open Cisco AnyConnect, then try to connect to a
location.

If you need support, contact the IBM Help Desk.

macOS VPN Troubleshoot Guide | Help@IBM 10

 “Hostscan is Waiting for Next Scan”

macOS VPN Troubleshoot Guide | Help@IBM 11

 “Hostscan is Waiting
for Next Scan”
If Cisco AnyConnect doesn't proceed
past the "Hostscan is Waiting for Next
Scan" message, try to delete and
renew your certificate. For
instructions, go to page 5.

If you still can’t connect, contact the

IBM Help Desk.

Windows VPN Setup Guide | Help@IBM 12

macOS VPN Troubleshoot Guide | Help@IBM
 Can’t Access IBM Resources

macOS VPN Troubleshoot Guide | Help@IBM 13

 Can’t Access IBM Resources
If you can’t access internal services, check for connection issues:
• Confirm you have internet connectivity.
• Confirm you don't have other VPN clients running. Disconnect any other VPN clients.
• Confirm your hostname works correctly by trying to open a different internal website
(e.g., w3.ibm.com). If no internal websites work, disconnect from Cisco AnyConnect,
then connect again. If you’re still unable to connect, manually enter a different
gateway address in the drop-down list field (refer to page 20).
• Ensure that you can ping the gateway host. First, disconnect from your VPN. Next,
open a Terminal window and issue the command ping sasvpn.x.ibm.com, where x is
your geography’s gateway address (refer to page 20). If you can't ping the server,
disconnect from the Wi-Fi or from your Ethernet connection. Then, reconnect in the
same way or try connecting to a different network and try connecting to the VPN
again.

If you still have connection issues, contact the IBM Help Desk.

macOS VPN Troubleshoot Guide | Help@IBM 14

 Password Prompts

macOS VPN Troubleshoot Guide | Help@IBM 15

 Password Prompts
After upgrading Cisco AnyConnect, you might
receive multiple prompts to enter your Mac
password. If this happens, verify the location
you're connecting to when you start Cisco
AnyConnect. If you're connecting to a
manually entered gateway address (e.g.,
sasvpn.boulder.ibm.com), select a location
from the drop-down list and try to connect
again. You might be prompted for your
password again; click Always Allow.

If you continue to receive password prompts,

contact the IBM Help Desk.

Windows VPN Setup Guide | Help@IBM 16

macOS VPN Troubleshoot Guide | Help@IBM
 Domain Name Resolution Error

macOS VPN Troubleshoot Guide | Help@IBM 17

 Domain Name Error
The "The VPN connection failed due to unsuccessful domain name resolution" error
indicates you're already on the IBM network. If you're in an IBM office, you might be
connected to the IBM Wi-Fi or using a wired Ethernet connection. If you're at a remote
location, you might already be connected with another VPN.

To test your VPN connection:

1. Disconnect from the IBM Wi-Fi or from your wired Ethernet connection.
2. Connect to a different network (e.g., IBMInternet Wi-Fi).
3. Open Cisco AnyConnect and click Connect.

If you still receive the error, contact the IBM Help Desk.

macOS VPN Troubleshoot Guide | Help@IBM 18

 Appendix

macOS VPN Troubleshoot Guide | Help@IBM 19

 Gateway Addresses
Location Gateway Address

AMERICA sasvpn.raleigh.ibm.com

AMERICA-FAST sasvpn.boulder.ibm.com

AP-ASEAN sasvpn.au.ibm.com

CHINA sasvpn.cn.ibm.com

EUROPE-MEA sasvpn-fast.emea.ibm.com

INDIA sasvpn.in.ibm.com

JAPAN sasvpn.jp.ibm.com

macOS VPN Troubleshoot Guide | Help@IBM 20

 Need help?
If you still need help, contact the
IBM Help Desk. Ask your manager
if you need the telephone number.

macOS VPN Troubleshoot Guide | Help@IBM 21