Anyconnect Trusted Network Detection does not always work

jsvanberg
Level 1

Hi all,

I'm seeing a strange issue where the AnyConnect client TND does not work when AnyConnect starts up (during a computer restart or when started manually).

The AnyConnect client does not detect that it is on the trusted network when it starts up. If I switch, for example, between WLAN (external) and LAN (internal) it works correctly: when I'm connected to the LAN it detects the trusted network and AnyConnect stops trying to connect.

But if I restart the computer while it is connected to the LAN (i.e. the trusted network) and AnyConnect starts up, it does NOT detect that it is on the trusted network and tries to connect.

Has anyone seen this before? Really strange behaviour; tested on versions 4.5 and 4.6, same issue.

Thanks!

/Johan

Accepted Solution

Case is solved: I found that in the AnyConnect profile "connect on startup" was also enabled, and this somehow seems to override the TND settings.

So if "connect on startup" is true but you are on a trusted network, it will still try to connect.


4 Replies

pcarco
Cisco Employee

Hello,

Windows, Mac or Linux?

What is configured (not the specifics) in the AnyConnect Client Profile under "Automatic VPN Policy", i.e. TND?

Trusted DNS Domains, Trusted DNS Servers: do you configure both? You only need one of those configured.

If Windows:

Can you verify, during those times, that the machine has the info required by the XML profile configuration by doing an ipconfig /all?

Best regards,

Paul

AnyConnect TME

Hi Paul,

Thanks for replying! :-)

It is Windows; we have tested on both Windows 7 and Windows 10 and get the same behavior, using versions 4.5 and 4.6.

I have tried different TND settings, but in the production environment they use domain and https/hash. The tests I have done have been using domain only, like *example.com.

The TND function works if I switch between untrusted external and trusted internal while the AnyConnect client is running. The problem is when, for example, we restart the computer and AnyConnect starts up: it does not detect that it is on a trusted network.

Thanks!

Here is a simple test I do.

I have "example.com" as the DNS suffix on my internal network. I create an XML profile with TND settings DNS domain = *example.com.

1. Quit the AnyConnect client and replace C:\ProgramData\Cisco... with the new XML file

2. Connect to the internal network

3. Check that the DNS suffix on the interface is really example.com

4. Start the AnyConnect client

5. The AnyConnect client does not detect that it is on the trusted network; instead it connects the VPN (Trusted = Disconnect, Untrusted = Connect)

6. Disconnect the VPN; AnyConnect now detects that it is on the trusted network

So during startup AnyConnect does not seem to care about the TND settings, but when switching between networks once running, it does.

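As an added example (not code from the thread or from Cisco), a small Python check over a constructed AnyConnect client profile for the combination the accepted solution describes: AutoConnectOnStart enabled alongside a TND policy of Disconnect on trusted networks, plus Paul's point that only one trusted-network indicator is required. Element names follow the AnyConnect client profile XML; verify them against the output of your own profile editor.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread): TND is configured with
# Disconnect-on-trusted, but AutoConnectOnStart is also true (the bad combination).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>*example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

NS = "{http://schemas.xmlsoap.org/encoding/}"
# Any one of these is enough for TND to recognise the trusted network.
INDICATORS = ("TrustedDNSDomains", "TrustedDNSServers", "TrustedHttpsServerList")

def _find(parent, name):
    """Direct child by local name, with or without the profile namespace."""
    found = parent.find(NS + name)
    return found if found is not None else parent.find(name)

def _text(elem):
    # AutomaticVPNPolicy is mixed content ("true" followed by children), so strip.
    return (elem.text or "").strip().lower() if elem is not None else ""

def check_tnd_profile(xml_text):
    """Return a list of findings about TND versus connect-on-startup settings."""
    init = _find(ET.fromstring(xml_text), "ClientInitialization")
    if init is None:
        return ["profile has no ClientInitialization section"]
    policy = _find(init, "AutomaticVPNPolicy")
    if _text(policy) != "true":
        return ["TND is disabled: AutomaticVPNPolicy is not true"]
    findings = []
    present = [n for n in INDICATORS if _find(policy, n) is not None
               and (_text(_find(policy, n)) or len(_find(policy, n)))]
    if not present:
        findings.append("TND has no trusted-network indicator (need one of %s)" % ", ".join(INDICATORS))
    connect_on_start = _text(_find(init, "AutoConnectOnStart")) == "true"
    if connect_on_start and _text(_find(policy, "TrustedNetworkPolicy")) == "disconnect":
        findings.append("AutoConnectOnStart=true overrides TrustedNetworkPolicy=Disconnect at client startup")
    return findings

if __name__ == "__main__":
    for finding in check_tnd_profile(SAMPLE_PROFILE) or ["no TND conflicts found"]:
        print(finding)
```

Point the script at the profile under the client's ProgramData profile directory to check a deployed XML before rolling it out.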