
Anyconnect 4.10 - ASAv 9.20 - cannot webdeploy DART and GINA modules

sSiDiUSs
Level 1

Good day team!

Struggling for 3 days... reading a lot of forums didn't help me...

I have a problem. Fresh install of ASAv 9.20 and AnyConnect client 4.10 (the last one).

Everything works fine, except for DART and GINA.

I've made the config, but no luck.
I see that the client got the option "start before logon", but it disappears after a client or PC reboot.
Here is my config:

 

webvpn
 enable OUTSIDE
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/SSLVPN/anyconnect-win-4.10.08029-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/SSLVPN/anyconnect-macos-4.10.08029-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect image disk0:/SSLVPN/anyconnect-linux64-4.10.08029-webdeploy-k9.pkg 3 regex "Linux"
 anyconnect profiles SSLVPN-SBL disk0:/SSLVPN/VPN-SBL.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client 
 webvpn
  anyconnect modules value dart,vpngina
  anyconnect profiles value SSLVPN-SBL type user
group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_VPN
 default-domain value company.com
 webvpn
  anyconnect keep-installer installed
  anyconnect modules value dart,vpngina
  anyconnect profiles value SSLVPN-SBL type user
!
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ANYCONNECT_POOL
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy ANYCONNECT_GP
tunnel-group ANYCONNECT_TG webvpn-attributes
 group-alias BELLVPN-SBL enable
tunnel-group SSLSBL type remote-access
tunnel-group SSLSBL general-attributes
 address-pool ANYCONNECT_POOL
tunnel-group SSLSBL webvpn-attributes
 group-alias SSLSBL enable

 

It is just a dead end for me...

11 Replies

sSiDiUSs
Level 1
Jun 27 2024 14:30:12: %ASA-6-725001: Starting SSL handshake with client OUTSIDE:95.95.95.95/63933 to 91.91.91.91/443 for TLS session
Jun 27 2024 14:30:12: %ASA-6-725016: Device selects trust-point VPNSSL_RU for client OUTSIDE:95.95.95.95/63933 to 91.91.91.91/443
Jun 27 2024 14:30:13: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:95.95.95.95/63933 to 91.91.91.91/443 for TLSv1.2 session
Jun 27 2024 14:30:19: %ASA-6-113012: AAA user authentication Successful : local database : user = netadmin
Jun 27 2024 14:30:19: %ASA-6-113009: AAA retrieved default group policy (ANYCONNECT_GP) for user = netadmin
Jun 27 2024 14:30:19: %ASA-6-113008: AAA transaction status ACCEPT : user = netadmin
Jun 27 2024 14:30:19: %ASA-6-734001: DAP: User netadmin, Addr 95.95.95.95, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Jun 27 2024 14:30:19: %ASA-6-113039: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> AnyConnect parent session started.
Jun 27 2024 14:30:19: %ASA-6-725001: Starting SSL handshake with client OUTSIDE:95.95.95.95/63940 to 91.91.91.91/443 for TLS session
Jun 27 2024 14:30:19: %ASA-6-725016: Device selects trust-point VPNSSL_RU for client OUTSIDE:95.95.95.95/63940 to 91.91.91.91/443
Jun 27 2024 14:30:19: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:95.95.95.95/63940 to 91.91.91.91/443 for TLSv1.2 session
Jun 27 2024 14:30:19: %ASA-6-737026: IPAA: Session=0x00007000, Client assigned 10.230.1.2 from local pool ANYCONNECT_POOL
Jun 27 2024 14:30:19: %ASA-6-737006: IPAA: Session=0x00007000, Local pool request succeeded for tunnel-group 'ANYCONNECT_TG'
Jun 27 2024 14:30:19: %ASA-5-737034: IPAA: Session=0x00007000, IPv6 address: IPv6 local pool address assignment disabled.
Jun 27 2024 14:30:19: %ASA-5-737034: IPAA: Session=0x00007000, IPv6 address: callback failed during IPv6 request
Jun 27 2024 14:30:19: %ASA-4-722041: TunnelGroup <ANYCONNECT_TG> GroupPolicy <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> No IPv6 address available for SVC connection
Jun 27 2024 14:30:19: %ASA-5-109201: UAUTH: Session=0x00007000, User=netadmin, Assigned IP=10.230.1.2, Succeeded adding entry.
Jun 27 2024 14:30:19: %ASA-5-722033: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> First TCP SVC connection established for SVC session.
Jun 27 2024 14:30:19: %ASA-6-722022: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> TCP SVC connection established without compression
Jun 27 2024 14:30:19: %ASA-6-722055: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> Client Type: Cisco AnyConnect VPN Agent for Windows 4.10.08029
Jun 27 2024 14:30:19: %ASA-4-722051: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> IPv4 Address <10.230.1.2> IPv6 address <::> assigned to session
Jun 27 2024 14:30:19: %ASA-6-317077: Added STATIC route 10.230.1.2 255.255.255.255 via 10.230.1.2 [1/0] on GigabitEthernet0/0 tableid [0]
Jun 27 2024 14:30:20: %ASA-6-725001: Starting SSL handshake with client OUTSIDE:95.95.95.95/50088 to 91.91.91.91/443 for DTLS session
Jun 27 2024 14:30:20: %ASA-6-725001: Starting SSL handshake with client OUTSIDE:95.95.95.95/50088 to 91.91.91.91/443 for DTLS session
Jun 27 2024 14:30:20: %ASA-6-725003: SSL client OUTSIDE:95.95.95.95/50088 to 91.91.91.91/443 request to resume previous session
Jun 27 2024 14:30:20: %ASA-6-110002: Failed to locate egress interface for UDP from OUTSIDE:10.230.1.2/56937 to 239.255.255.250/3702
Jun 27 2024 14:30:20: %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:95.95.95.95/50088 to 91.91.91.91/443 for DTLSv1.2 session
Jun 27 2024 14:30:20: %ASA-5-722033: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> First UDP SVC connection established for SVC session.
Jun 27 2024 14:30:20: %ASA-6-722022: Group <ANYCONNECT_GP> User <netadmin> IP <95.95.95.95> UDP SVC connection established without compression
Jun 27 2024 14:30:20: %ASA-6-725007: SSL session with client OUTSIDE:95.95.95.95/63933 to 91.91.91.91/443 terminated

@sSiDiUSs do you have multiple XML profiles, one that has SBL enabled and another that does not? They could be conflicting, hence why SBL disappears after a reboot.

sSiDiUSs
Level 1

I have 1 .xml with SBL enabled in it.

SBL does not even appear in Add & Remove Programs near the core client.

Here is the .xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreLinux>All</CertificateStoreLinux>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="true">true</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="true">true</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
		</AutoReconnect>
		<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
		<AutoUpdate UserControllable="false">false</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
		<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
		<LinuxVPNEstablishment>AllowRemoteUsers</LinuxVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Disable
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="false">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
</AnyConnectProfile>

@sSiDiUSs if installed, SBL would appear in Add/Remove programs.

Look at the Windows event logs to see what errors there are installing the app? Have you tried another version?

No install logs. No errors.
What is more, there is no message in the client program that the modules are downloading and installing.

Looks like the ASAv is just ignoring this setting in the GP.
I could try version 4.9.

Now I am using 4.10.08029.

sSiDiUSs
Level 1

In this thread, zekebash fixed the same issue I've got by re-applying the same commands.
I did that already... no luck.

https://community.cisco.com/t5/vpn/anyconnect-start-before-logon-4-10-01075/td-p/4450147/page/2

sSiDiUSs
Level 1

As I said before, downloading and installing didn't start at all. I do not see this process in the client, like in the picture.

sSiDiUSs_0-1719561786145.png

 

@sSiDiUSs so you are not predeploying DART and SBL, you are expecting this to be downloaded from the ASA, but it does not? If so, is the downloader bypassed in AnyConnectLocalPolicy.xml?

sSiDiUSs
Level 1

<BypassDownloader>false</BypassDownloader> it is OK.
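
The two client-side checks raised in the replies (profiles that disagree on SBL, and BypassDownloader in AnyConnectLocalPolicy.xml), as an added Python example that is not part of the original thread. The function names and the sample XML are constructed for illustration, and the local policy file is assumed to use the same XML namespace as the profile posted above.

```python
import xml.etree.ElementTree as ET

# Namespace declared in the profile posted in this thread (assumed for the local policy too).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample inputs, not taken from a real endpoint.
PROFILE_SBL_ON = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>"""
PROFILE_SBL_OFF = PROFILE_SBL_ON.replace(">true</Use", ">false</Use")
LOCAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <BypassDownloader>true</BypassDownloader>
</AnyConnectLocalPolicy>"""


def read_flag(xml_text, tag):
    """Return True/False for a boolean element, or None when it is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(f".//ac:{tag}", NS)
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def audit(profiles, local_policy=None):
    """profiles maps file name -> XML text; returns a list of findings."""
    findings = []
    sbl = {name: read_flag(text, "UseStartBeforeLogon")
           for name, text in profiles.items()}
    if not any(sbl.values()):
        findings.append("no profile enables UseStartBeforeLogon")
    elif len(set(sbl.values())) > 1:
        off = sorted(name for name, value in sbl.items() if not value)
        findings.append("profiles disagree on UseStartBeforeLogon; "
                        "not enabled in: " + ", ".join(off))
    if local_policy is not None and read_flag(local_policy, "BypassDownloader"):
        findings.append("BypassDownloader is true: client will not fetch "
                        "updates from the ASA")
    return findings


if __name__ == "__main__":
    for line in audit({"VPN-SBL.xml": PROFILE_SBL_ON,
                       "old.xml": PROFILE_SBL_OFF}, LOCAL_POLICY):
        print(line)
```

To use it on a client, read every `.xml` file from the AnyConnect profile directory into the `profiles` dict and pass the contents of AnyConnectLocalPolicy.xml as `local_policy`.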

sSiDiUSs
Level 1

Still cannot make it work...just can't get what is wrong...
