SARA/Anyconnect Troubleshooting Version 15.04.

07
This document outlines some basics about SARA/AnyConnect and includes some self-help solutions.
***Important - 2015 SARA/Anyconnect users require an active Identity Guard account in order to log into SARA
What is IdentityGuard, Why do I need it?

How Do I Connect to SARA/Anyconnect?

Are you authorized to use SARA/Anyconnect?
Do you have the most recent software version?
Register for IdentityGuard and install Entrust IdentityGuard Mobile on your device
Steps to connect to SARA

Having Problems? Where are you at?

Sprint Building
Home or Remote Location Network
Verify You Have a Working Internet Connection
Wireless Connection Problems
Laptop WIFI switch
Dell 620/630
Dell Latitude E6400
HP EliteBook 8440P
Toshiba Protg R830 and R930
Network Cable Connection (Not Wireless)

Common SARA Errors

Enter an Access code from your Entrust IdentityGuard Mobile Application
Connection has timed out. Please verify Internet Connectivity
Could not connect to Server. Please verify Internet Connectivity and Server Address
Unable to contact the Security Gateway 403
Password is Expired
Passwords do not match
Authentication Failed (during password change)
Authentication Failed (During SARA Login)
Login Denied: Your workstation does not meet the minimum requirements
Connection Attempt Failed. Please Try Again
The VPN connection failed due to unsuccessful domain name resolution
SARA has determined that your login has not been setup for rights to SARA
The VPN Client failed to establish a connection
The secure gateway has rejected the connection attempt
Secure VPN Connection terminated by Peer. Reason 433
The VPN client driver encountered an error

Certificate Errors
SARA/AnyConnect/IdentityGuard Login Problems

How to Login to SARA/Anyconnect BEFORE you log into your computer

Still Having Problems?

What is Identity Guard? Why do I need it?
With the increase of highly publicized corporate security breaches, Sprint Corporate Security has required extra
security to minimize risks to our network. For more information, go to http://idginfo.corp.sprint.com

In order to access the Sprint Network via SARA, you MUST HAVE the following:
A Sprint Assigned Laptop/Desktop
An Active SARA Account Requests can be made from http://sara.corp.sprint.com
An Active IdentityGuard Account Register at https://idg.sprint.com/idg
Entrust IdentityGuard Mobile Application installed and configured on ONE mobile device (Phone or
Tablet) OR an Entrust Hard Token KeyFob / Smart Card (supplied by the Identity Guard team under
certain circumstances, see http://idginfo.corp.sprint.com for information/instruction)

How does it work? After you log into SARA with your AD credentials, youll be prompted for an access code.
You will then go to the device (phone/tablet) that youve installed Entrust IdentityGuard Mobile (OTP), open the
application and enter the security code it displays. If the code passes, youll have access to the Sprint network.

If you lose your phone/tablet, you can still connect to SARA by obtaining a 1-Time PIN, to get this code, go to
https://idg.sprint.com/idg and follow the instructions for temporarily misplaced the device.

If you get a new phone/tablet and want to use that for Entrust IdentityGuard, go to https://idg.sprint.com/idg
for instructions on setting up your new device with IdentityGuard
Note: Youll also need to install the Entrust IdentityGuard Mobile on the new device).

For more information, go to http://idginfo.corp.sprint.com

How Do I Connect to SARA/Anyconnect?

Are you authorized to use SARA/Anyconnect? To be eligible for SARA/Anyconnect, you must
a. Have a Sprint Computer
b. Have an ADID
c. Request Access for SARA
Exempt Employees including Salary Plus Yes, no approvals required
Non-Exempt Employees, Contractors and Approval required, your Sprint Manager should go to
Vendors http://clickit and search for Remote Access: VPN
Request and Support to submit a request.

d. Register for IdentityGuard AND have Entrust IdentityGuard Mobile application installed on a mobile
device OR have a hard token that youve received from Sprint.

Upgrade/Reinstall SARA/AnyConnect: Cisco Anyconnect is installed on all Sprint images, Make sure you have the
most recent version. If youre getting errors with SARA/Anyconnect, the single most important thing you can
do is to reinstall/upgrade the Anyconnect program from http://easi .
WARNING!!! : MOKAFIVE LIVE PC USERS If you use Mokafive Live PC virtual machine, you should NEVER
uninstall/reinstall/upgrade Anyconnect within Mokafive. If youre having Mokafive Anyconnect issues, submit
a Mokafive ClickIT ticket.
**Almost ALL SARA/Anyconnect issues are resolved by simply reinstalling**
a. From the Sprint Network, go to http://easi
b. Search for Anyconnect
 c. Locate the version of AnyConnect Secure Mobility Client
d. Install it to your system

How do I know if Cisco AnyConnect is installed? It can potentially be located in two places, the most
common is.Click on Start, All Programs, Sprint SARA..

Other installations may have it here.Click on Start, All Programs. You should see a Cisco folder with
Cisco AnyConnect Secure Mobility Client similar to this, make sure you have the most current version.

You can also look in the system tray (usually lower right corner of your desktop window next to the
system clock). You should see a Globe icon, this is what you click on to start SARA/Anyconnect

If you dont see this icon, reboot your system and it should appear in the systray, if its still not there,
click Start / All Programs / Sprint SARA / Anyconnect and it will then start and appear in the systray.

The Cisco Anyconnect Login Window looks like this.

Register for IdentityGuard and install Entrust IdentityGuard Mobile on one device
For information on IdentityGuard, go to http://idginfo when youre on the Sprint Network.
The website to register/administer your IdentityGuard Account is https://idg.sprint.com/idg
1. Steps to connect to SARA/Anyconnect - Verify you have a working Internet connection - SARA/Anyconnect does not
create a connection to the Internet. Your laptop must already be connected to your home/hotel/remote location
network or other Internet Service Provider to use SARA/Anyconnect.

How do I know if Im connected to the Internet? Before you attempt to connect to SARA/Anyconnect,
open your Internet Browser and try to access a familiar website like www.bing.com or www.google.com.
If you cant connect to these sites, you wont be able to connect to SARA. You should recheck your
laptops connections to the remote network.

Using an Aircard and Mobile Hot Spot? Connect to it first before trying SARA/Anyconnect. 3G/4G
performance will lag compared to the Sprint Enterprise Network. If youre using an aircard or mobile
hotspot, even with good 3G/4G coverage, certain applications will have slow performance issues. Those
that require significant amounts of bandwidth will have difficultly functioning (Sprintcast, Streaming
Videos, Lync Call Quality and Screen Sharing)

2. Starting SARA/Anyconnect There are two ways

a. Click on Start, All Programs, Sprint SARA , Cisco AnyConnect Secure Mobility Client .

b. You can also look in the system tray (usually lower right corner of your desktop window next to the system
clock). You should see a Globe icon, this is what you click on to start SARA/Anyconnect

3. Click on the Connect button on the login screen.

4. Login using your ADID and Password.. If you dont remember your password or it has expired, youll need to contact
your manager to reset it using the Password Management Portal. The ESC does not reset AD passwords.
5. Enter an Access Code from your Entrust IdentityGuard Mobile Application Beginning 2015, SARA users are required
to use Entrust IdentityGuard as a second level of security to access SARA. Open the Entrust IdentityGuard Mobile
application on your device or token and enter the security code displayed on the screen.

6. Click Accept when the Authorized Use Window appears Your connection will disconnect within a few minutes if
this window is not accepted.

7. Thats it! Youre connected!! How can you tell?

a. You should be able to access Sprint websites, just as if you were in the office
b. The AnyConnect icon in the system tray will have a lock on it
Having Problems? Where Are You At?

Sprint Building
If youre at a Sprint location and connected to the Sprint Enterprise Network, you will not be able to connect to
SARA/Anyconnect. You must be connected to your home/hotel/remote location guest network to use SARA.

Upgrade/Reinstall SARA/Anyconnect: The most important thing you CAN do from a Sprint network location is to
reinstall/upgrade the SARA/Anyconnect program from http://easi . Almost ALL issues with SARA are resolved by
simply reinstalling and rebooting.

Home or Remote Location Network

1. Verify You Have a Working Internet Connection:
Before you attempt to connect to SARA/Anyconnect, open your Browser and access a familiar website like
www.bing.com or www.google.com. If you cant connect to these sites, you wont be able to connect to SARA.

Wireless Connection Problems?

Click on the Wireless Network icon and make sure youre connected to the correct WIFI network
name for your home/hotel/remote location (See Below)

If youre at a Hotel or a Non-Sprint company location, contact their IT department for assistance
connecting to their network.
If youre at home, check to see if other computers have an internet connection
o If No, contact your internet service provider for assistance.
o If Yes, make sure your Sprint laptop is connecting to home network.
o Restart your laptop and try to connect again
o Cycle the power to your router and/or cable modem Allow them time to reset before
trying again.

Make sure your Laptops WIFI Switch is On.

o If your system isnt detecting wireless networks, your WIFI may be turned off. Sprint
laptops have a wireless switch than enables WiFi connectivity. If this switch is turned off,
you wont be able to connect to a wireless network
o These are just a few laptop models listed here as examples for assistance in enabling
your WiFi. If your laptop model is not listed here, then please refer to your laptops User
Manual or online documentation.
 Dell D620/D630: Enable the WiFi Using the Switch.

1. Off WiFi Disabled.

2. On WiFi Enabled.
3. Scan Searching For WiFi Networks.
4. WiFi Light (Disabled).
If unable to connect to WiFi, ensure the WiFi switch is in the 2 position.

Dell Latitude E6400: The WIFI switch is on the right side of the laptop above the headset jacks.

HP EliteBook 8440P: Enable the WiFi card by following the diagram and instructions below.

If the light is amber the WIFI connection is disabled. The following diagram and instructions to
assist you in enabling the WiFi interface...
 Toshiba Protg R830 and R930: Enable the systems WiFi by following the diagram and
instructions below.

Network Cable Connection (Not Wireless)

i. Reseat your cable connection
ii. Reboot your computer
iii. Power off your router and/or cable modem, then power back on (This also applies if you have a
Sprint Aruba router). Allow them time to reset before trying again.
2. Common SARA/Anyconnect Errors

Enter an Access code from your Entrust IdentityGuard Mobile Application

This is not an Error Message, beginning 2015, all SARA users are required to be registered for
IdentityGuard AND have Entrust IdentityGuard Mobile installed on a device or token. When you get this
message, you must open Entrust IdentityGuard and enter the security code displayed to continue. For
information on IdentityGuard, go to http://idginfo on the Sprint Network. To register for IdentityGuard
and account administration, go to https://idg.sprint.com/idg

Connection has timed out. Please verify Internet Connectivity

Could not connect to Server. Please verify Internet Connectivity and Server Address
Unable to contact the Security Gateway 403
Any of these messages mean your system is either already connected to the Sprint Network (try to
access http://Iconnect.corp.sprint.com to verify) OR youre connected to a network that does not have
connectivity to the Internet, OR you dont have any internet connectivity at all.
a. Note: You cant connect to SARA/Anyconnect if youre already connected to the Sprint Enterprise
Network
b. If you have a working internet connection, you should be able to access an external site like
www.google.com without logging into SARA/Anyconnect. If you cant, youll need to check your
laptops connection to the remote network. Go to Home or Remote Location Network for more
assistance.

Password has Expired

Your AD domain password is expired and you need to change it. AnyConnect has the ability to allow you
to change the AD password remotely, BUT once you do, remember that you need to press CTRL-ALT-DEL,
lock your computer, then unlock it with your new password or youll get locked out. You also need to
remember to update your password on any mobile applications that use the AD domain credentials.

Passwords do not match

Youll get this message when youre trying to change your AD password and the new and verify password
fields do not match. Carefully enter your password change again.

Authentication Failed (during password change)

 If you get this message when youre trying to change your AD password, it means your new password
does not meet the requirements for the Sprint network. Create a different password to use.

Authentication Failed (During SARA Login)

Youve entered the incorrect password for the Sprint AD domain. Check your password and try again. If
the issue persists, your AD account may be locked out (If you wait 30 minutes, it will unlock and you can
try again). If still not working, contact your manager to reset your AD password via the PMP website.

You could get also this message if your IdentityGuard Registration is not complete. To verify both your
AD credentials and IDG, go to https://idg.sprint.com/idg and attempt to login.
If the site accepts your AD Credentials, you do NOT have an AD password problem, it should
then prompt you for your security code.
If the site does not prompt you for the security code, your IDG registration is incomplete. You
may be able to continue and complete the registration on the website. Then try SARA again.

Login Denied: Your workstation does not meet the minimum requirements for Sprint Network connectivity.
Your computer is failing the security checks done when you log into SARA. A common issue is Symantec
Endpoint Protection (SEP) isnt running on your system or has outdated virus definitions.

To remedy this, make sure that SEP (yellow shield is running in the system tray) . If it is not running,
you can attempt to manually start it by:
Press CTL-ALT-DEL and bring up the task manager
Click on the Service Tab
Click on the Description column header to sort services alphabetically
Look for the Symantec services, there should be three (3)
If any Symantec services show stopped status, right click that service and select Start Service
When all Symantec services are running, close the task manager and try SARA again
If the Yellow Shield is present, double click and run Live Update to update virus definitions.
If you still get the error, reboot and login into SARA BEFORE you log into the machine, click here
for instructions
If the issue persists, take the laptop to a Sprint walk-in clinic / location for examination, submit a
Clickit Symantec Endpoint Protection: Virus Software Support ClickIT Ticket.

Connection Attempt Failed. Please Try Again

There may be a problem with the SARA.xml File Encryption. You can attempt to fix it by
1. Click on Start, then Computer
2. Double Click on C:, then Program Data > Cisco > Cisco AnyConnect Secure Mobility Client > Profile
Note: The Program Data folder is usually hidden, to make it visible.
a. Click on Organize,
b. Click Folder and Search Options
c. Click on the View Tab
d. Click on Show Hidden Files, folders and drives
e. Click Ok, now you should be able to see the Program Data folder.
3. Locate the Sara.XML file, if it is Green in color, right click the file and select Properties
4. Click the Advanced Button
5. Remove the check mark from Encrypt contents to secure data
6. Click OK, then OK again.
7. Close AnyConnect and Restart AnyConnect
 The VPN connection failed due to unsuccessful domain name resolution
This message usually indicates a problem with your network or local Internet Service Provider (ISP). Try
rebooting your home network equipment and computer. If the error persists, contact your local ISP.
SARA has determined that your login has not been setup for rights to SARA
The VPN Client failed to establish a connection
The secure gateway has rejected the connection attempt
Secure VPN Connection terminated by Peer. Reason 433
If you receive any of these messages, you havent been provisioned for SARA access or your access has been
suspended for some reason. In either case, you should submit another access request at
http://sara.corp.sprint.com or open a ClickIT SARA Support ticket.

The VPN client driver encountered an error

Theres an issue with AnyConnect client software. Try rebooting the computer. If the issue persists, you will need
to uninstall/reinstall AnyConnect from Software Center. Open Software Center, Installed Software, Select Cisco
AnyConnect and uninstall. Reboot the computer, then reopen Software Center, Available Software and install
AnyConnect.

Note: If youre remote and AnyConnect is not installed/working on your system, you will need to take
your computer to a PC Walk-In Clinic or Sprint location to install it/contact the ESC Helpdesk.

Certificate Errors
General Information In order to connect to the Sprint network, all Sprint systems have a machine certificate
that is valid for one year. Within six weeks of expiration, the computers certificate will be automatically renewed
as long as the system is on the network or connected via SARA/Anyconnect. You may see periodic warnings that
the certificate will expire, but as long as the system has been
1. Previously connected to the Sprint Network in the last 30 days and
2. Is connected for at least 90-120 minutes, the certificate should automatically renew. No
action is necessary on your part. You wont see any notification that the certificate has
renewed, its a background process.
Error Message: The Certificate has expired, please select a different certificate
If you receive these errors, you will have to take the laptop into a Sprint building, connect to the network,
and it should receive the certificate within 2 hours. If the issue persists, take your laptop to the walk-in PC clinic
or submit a ClickIT > Hardware/Software > Microsoft Applications ticket.

SARA/Anyconnect/IdentityGuard Login Problems

I dont remember my password: Anyconnect authenticates using the AD credentials. If you dont
remember your password, contact your manager to have them reset your password via the password
management portal. The ESC does not reset AD passwords.
I remember my password, but I still cant log into SARA/Anyconnect: To verify youre using the correct
password. Go to Sprints External Webmail site https://om.sprint.com/owa . If you can log in there, you
should use the same credentials when logging into SARA. (note that youll also need to enter an
IdentityGuard code to access OWA)

Passwords expire every 90 days. AnyConnect will prompt you to enter a new password. Your new
password will need to match the Sprint password requirements. If youre having issues, contact
your manager to reset your AD password using the password management portal. The ESC
Helpdesk does not reset AD passwords.
 (Note: if youve reset your AD password via SARA, synchronize your computer or youll get locked out.)
Press CTRL-ALT-DEL to lock your screen,
Press CTRL-ALT-DEL again to unlock your screen using your new password
Im never prompted for my access Code: Usually this means you havent completed registration for
IdentityGuard, go to https://idg.sprint.com/idg and follow the instructions to complete registration.
I get the security code, but its still not working: Make sure your phones clock and time zone are
accurate for your present location, If its off by +/- 3 minutes, the code generated will be incorrect. If the
issue persists follow the procedures for a temporarily lost device below.
Ive temporarily lost or dont have my IdentityGuard device with me: Go to https://idg.sprint.com/idg
and follow the instructions for temporarily misplaced the device. Youll receive a one-time pin number
to use when accessing SARA.
I know longer have the device with IdentityGuard, I have a new phone now: Go to
https://idg.sprint.com/idg and follow the instructions for I have a new phone or lost the device
For more information about IdentityGuard, go to http://idginfor.corp.sprint.com or submit an
IdentityGuard Clickit ticket.

How to Log into SARA/Anyconnect BEFORE You Log into Your Computer

Frequent Password Popups over SARA/Anyconnect - Lync and other programs try to load before you can
log into SARA/Anyconnect. As a result, you may receive quite a few password popups
Missing Network Share Drives over SARA/Anyconnect-

One way to reduce password popups and missing network drives is to log into SARA/Anyconnect BEFORE you log
into your computer! Heres how:

a. Press Ctrl-Alt-Delete at the logon screen

b. Click OK if prompted to acknowledge the legal notice
c. Click Switch User

d. On the next screen, click the Network Logon icon

e. The Cisco Anyconnect Window should appear, click Connect

f. Enter your AD credentials and connect to SARA

g. Enter the security code as displayed on the Entrust IdentityGuard Mobile (OTP) application

h. Click Accept to accept the legal notice

i. Click Other User

j. Logon to Windows as you normally would

k. The AnyConnect icon will appear in the notification area with a globe and lock icon indicating you are
connected to Sprint - when youre ready to disconnect, right-click the AnyConnect icon and select VPN
Disconnect
 Still Having Problems?

Logout and reboot your computer and/or remote network, it honestly DOES resolve a lot of issues
Still having issues? For SARA Problems - submit a ClickIT - Remote Access: VPN Request and Support Ticket
For Entrust IdentityGuard Issues, submit a ClickIT IdentityGuard Ticket