Troubleshoot Client-Based Zero Trust Access

Pre-Enrollment Errors

| Error | Description | Condition |
| --- | --- | --- |
| Cannot begin enrollment | Cannot begin enrollment. Contact your IT help desk about these errors. | Occurs when there is a KDF, DHA, or TPM error or some combination. |
| Device registration error | An issue with the Device Desktop occurred. Contact your IT help desk. | Occurs when Duo desktop is not installed, is not running, or is non-responsive. The user is asked to ensure that the app is running or contact IT help desk for assistance. |
| Server certification error | Error initiating enrollment | Client is unable to verify the proxy server certificate. |
| Cannot connect to DHA | | Occurs when the client is unable to communicate with the Device Health application because DHA is not installed. |

Enrollment Errors

| Error | Description | Condition |
| --- | --- | --- |
| Certification enrollment error | | Occurs when the certificate does not install in the background during enrollment. The certificate is required for Zero Trust Access to work properly. |
| No network connection | | Occurs when the user doesn’t have an active or working internet connection (wired or wireless). |
| User auth error during enrollment | Error initiating enrollment. Contact your IT help desk. | Occurs when the user has provided an invalid email address or password (or both). The system is unable to verify the user's credentials. |

Post-Enrollment Errors

| Error | Description | Condition |
| --- | --- | --- |
| Network not allowed | Your organization requires you to be on an authorized network to log in. | Occurs when a private resource is not configured to allow Zero Trust access. Also occurs when the destination is not a configured private resource, but rather is an IP address that was typed directly into an access rule. |
| User IP address block | Your organization requires you to be on an authorized network to log in. | Occurs when the system is configured to allow access only from specific IP addresses, and the user is trying to access private resources from an unapproved IP address. |
| Application blocked for everyone | Location not allowed. Your organization requires you to use a different operating system. Contact your IT help desk. | Occurs when the user did not match any rule and was blocked by default or when a rule was not created to allow access to the application. |
| User blocked implicitly | Location not allowed. Your organization requires you to use a different operating system. Contact your IT help desk. | Occurs when the user did not match any rule and was blocked by default or when a rule was not created to allow the user access to the application either directly or via a group. |
| Time-based application block | You do not have permission to access this application at this time. Contact your IT help desk. | Occurs when the user does not match any rule and was blocked by default or the application does not allow access at this time. |
| User IP block | Location not allowed. Your organization requires you to use a different operating system. Contact your IT help desk. | Occurs when the user is using an unauthorized device to access; the user’s credentials aren’t associated with the IP or with that device. |
| User blocked explicitly | Location not allowed. Your organization requires you to use a different operating system. Contact your IT help desk. | Occurs when the user is blocked by a rule that denies access or when the user does not have permission to connect or access the resource. |
| Access protocol block | Location not allowed. Your organization requires you to use a different operating system. Contact your IT help desk. | User does not have permission to connect to the resource using the current protocol. |
| User location block | Location is not allowed. | Occurs when the user did not match any rule and is blocked by default or when the user is not allowed access to the application from their current location. |
| Cannot connect to DHA | | Occurs when there is no response when the client tried to communicate with DHA. |

Requests to Reauthenticate

If an end user is offline for an extended time, for example on vacation, Secure Access may prompt the user to reauthenticate in order to restore access to private resources. This is normal and expected.
