We observe that during posture redirection / system scan, Edge browser automatically popping up "Client Provisioning Portal" without any user intervention. User connects over over VPN and authentication of user credential is successful. System scan with anyconnect starts and user is not triggering any http session to make Edge browser auto pop-up to get redirected to client provisioning portal. Is this a known issue or auto pop-up can be suppressed with Anyconnect or endpoint configuration.
AC version: 4.2.01035
I see the following in Dart bundle:
Description : Function: HttpConnection::MakeRequest
Thread Id: 0x450
Ignoring duplicate discovery probe: https://<FQDN>:8443/portal/gateway?sessionId=0afXXXXX6ee00057339a66&portal=aXXXXX-c2c4-11e4-8726-24e9b315f0b6&action=cpp&token=5001d3XXXXXX50c3ec9067ad5eaa9e3.
|OS Name:||Microsoft Windows 10 Enterprise|
|OS Version:||10.0.10240 N/A Build 10240|
Suggestion to troubleshoot this issue is highly appreciated.
Solved! Go to Solution.
Asif, two options:
Asif, two options:
(From: Mike Gatti) Here is the workaround I created to address this issue, hopefully it can help anyone else experiencing the same problem...
- Configure your ASA's DNS Lookup settings:
dns domain-lookup INSIDE ! Define the internal interface to send dns lookup queries to
DNS server-group DefaultDNS
name-server 10.0.0.10 ! Use an internal trusted DNS server
name-server 10.0.0.11 ! Use an internal trusted DNS server
- Configure an object in your ASA with a fqdn for www.msftncsi.com:
object network obj-www.msftncsi.com
- Add a deny statement in your ISE_REDIRECT ACL, tune the ACL to your needs:
access-list ISE_REDIRECT extended deny icmp any any
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-01
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-02
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-03
access-list ISE_REDIRECT extended deny ip any object obj-www.msftncsi.com
access-list ISE_REDIRECT extended permit tcp any any eq www
!!- Now there is a caveat to this config, using a FQDN statement will only work if the ACL is applied to an interface. To work around this requirement I used one of our ASA's spare interfaces in a shutdown state, gave it a bogus nameif and assigned the ISE_REDIRECT acl to it, if you don't have a spare interface one option would be to create a sub-interface and assign the acl to it:
++ Before assigning the redirect acl to an interface
VPN_ASA(config)# show dns
INFO: no activated FQDN
VPN_ASA(config)# show dns host www.msftncsi.com
ERROR: www.msftncsi.com is not activated
++Interface and Access-Group config
VPN_ASA(config)# sh run int g0/6
no ip address
VPN_ASA(config)# sh run access-group
access-group ISE_REDIRECT in interface ISE_REDIRECT_BOGUS
++After assigning the redirect acl to an interface:
VPN_ASA(config)# sho dns
Address: 126.96.36.199 TTL 00:00:34
Address: 188.8.131.52 TTL 00:00:34
VPN_ASA(config)# sh dns host www.msftncsi.com
Address: 184.108.40.206 TTL 00:00:26
Address: 220.127.116.11 TTL 00:00:26
We recently upgraded to AnyConnect 4.3 and upon login, our Windows 10 machines are launching IE and receiving the same web popup as described in this thread. We changed the ‘EnableActiveProbing’ value to 0 as recommended in the published answer but now, whenever a user disconnects from our network, goes to WiFi, and then reconnects to physical network, we are receiving a warning on the system tray stating that there is "No Internet Access" (see below image) . This warning continues to stay on the system tray even after the machine is postured and given full access to our network. All internet and intranet functionality works correctly however, the introduction of this warning icon has caused a significant influx of calls to our help desk. Is there a way we can get this warning to clear once the device is allowed on the network?