Re: AnyConnect Basic Host Scan

Michal Rzepecki · ‎03-06-2019

Hello,

I would like to configure basic hostscan to prevent from connecting VPN if some file doesnt exist on the endpoint or some proccess is not running on the endpoint.

I made some hostscan rules but it doesn't work - VPN connects every time.

Do I have to make some connection between my VPN configuration and hostscan configuration?

Hostscan documentation doesn't tell how to configure it.

Marvin Rhoads · ‎03-07-2019

Under your webvpn section you need to have "csd enable" to associate your hostscan setup with the SSL VPN.

https://community.cisco.com/t5/security-documents/how-to-configure-anyconnect-host-scan/ta-p/3118732

Michal Rzepecki · ‎03-07-2019

"csd enable" was depreciated. "hostscan enable" is instead.
Cisco Adaptive Security Appliance Software Version 9.10(1)11
hostscan package version 4.7

Marvin Rhoads · ‎03-08-2019

OK, so do you have the newer "hostscan enable" under your webvpn section?

If you do and it is not working, you can use _debug dap trace " (at ASA end) and DART package (at client side) to gather more details. TAC can assist for specific questions if you want to open a case and share those outputs with them.

https://community.cisco.com/t5/security-documents/information-to-acquire-for-dap-troubleshooting/ta-p/3145426

Michal Rzepecki · ‎03-07-2019

Mentioned document only says how to enable feature and tells nothing about functional configuration.