
AnyConnect and slow Software scan

Hello,

I'm trying to figure out a problem with long login time due to:

MarcinBartnik6325_0-1698171623460.png

The process "software scan" takes 30-60s. Why is it soooooo long?

ASA headend: 5525X

Cisco AnyConnect version: 4.10.07073 as well as VPN HostScan.

Is there any way to find out why it takes so much time? Where should I look? I can't see any errors in the cscan.log or libcsd.log files.

Thanks for all suggestions.

Accepted Solution

gajownik
Cisco Employee

Hi!

Good catch! I would suggest upgrading to the latest Cisco Secure Client with the newest Secure Firewall Posture (old hostscan) package, as it has better coverage for CrowdStrike Falcon. If the issue is still present, please open a TAC case to fix the delay issue and add support for the 7.04 version.

Hope that helps.

 


gajownik
Cisco Employee

Hostscan delays quite often happen while probing for AV/AM software when unsupported AV/AM is installed on the PC. The list of compatible software can be found here:
https://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-device-support-tables-list.html

Go to the Hostscan section in ASDM, and in the Global settings look for the logging level and make sure that it is set to "Debugging". If not, set it to "Debugging", connect once, disconnect and reconnect, and then gather a fresh DART bundle.
Once proper logs are generated, I usually check for the timestamp difference:

sed 's/\.[0-9][0-9][0-9] 2023.*//' cscan.log | uniq | less

C:\Users\<user>\AppData\Local\Cisco\Cisco HostScan\log or in the DART bundle

The above output should give us information about when the delay happens, and a proper timestamp will point out the relevant logs.
I would suggest opening a TAC case to fix the delay issue (enhancement request to support a new release of AM/AV software or fix a possible bug).

Hi,

Thanks for the reply.

Probably you are right. It seems that we use an unsupported AV/AM piece of software: CrowdStrike Falcon in version 7.04.

[Fri Oct 27 14:04:13.326 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: c:\temp\build\thehoff\phoenix_mr70.416163397004\phoenix_mr7\posture\asa\cscan\scan.c Line: 53 Level: debug :Opswat Return status is ok
[Fri Oct 27 14:04:13.326 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: c:\temp\build\thehoff\phoenix_mr70.416163397004\phoenix_mr7\posture\asa\cscan\scan.c Line: 53 Level: info :firewall status returned is failed
[Fri Oct 27 14:04:13.326 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: c:\temp\build\thehoff\phoenix_mr70.416163397004\phoenix_mr7\posture\asa\cscan\scan.c Line: 53 Level: debug :found firewall ==> (2818) (CrowdStrike Falcon) (7.04.17605.0) (failed).
[Fri Oct 27 14:04:13.326 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: c:\temp\build\thehoff\phoenix_mr70.416163397004\phoenix_mr7\posture\asa\cscan\scan.c Line: 53 Level: debug :Json in as {"input":{"method":1007,"signature":288}}
[Fri Oct 27 14:04:44.717 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: c:\temp\build\thehoff\phoenix_mr70.416163397004\phoenix_mr7\posture\asa\cscan\scan.c Line: 53 Level: debug :Json out as {"result":{"code":0,"enabled":true,"method":1007,"timing":31390,"timestamp":"1698408253","signature":288}}

As you can see, at the failed message there is a 30 sec. gap between log entries.
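
The timestamp check described in this thread, as an added example that is not part of any post and is not Cisco code: a Python script that reads cscan.log, measures the pause between consecutive entries, and reports the entries on either side of each long pause. The sample lines are constructed to mirror the log format quoted above; the function names and the 5-second threshold are assumptions.

```python
import re
import sys
from datetime import datetime

# Entry prefix as shown in the thread: [Fri Oct 27 14:04:13.326 2023][cscan]Function: ...
STAMP = re.compile(r"^\[(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \d{4})\]")

# Constructed sample (shortened File: field), not real log output.
SAMPLE = """\
[Fri Oct 27 14:04:12.101 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: scan.c Line: 53 Level: debug :probe started
[Fri Oct 27 14:04:13.326 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: scan.c Line: 53 Level: debug :Json in as {"input":{"method":1007,"signature":288}}
  (wrapped continuation line without a timestamp)
[Fri Oct 27 14:04:44.717 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: scan.c Line: 53 Level: debug :Json out as {"result":{"code":0,"method":1007,"timing":31390,"signature":288}}
[Fri Oct 27 14:04:44.801 2023][cscan]Function: log_cb_hostscan Thread Id: 0x31D0 File: scan.c Line: 53 Level: debug :probe finished
"""

def parse_stamp(line):
    """Return the entry's timestamp, or None for lines without one."""
    m = STAMP.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")

def find_gaps(lines, threshold_s=5.0):
    """Return (gap_seconds, entry_before, entry_after) tuples, longest pause first."""
    gaps = []
    prev_ts = prev_line = None
    for line in lines:
        ts = parse_stamp(line)
        if ts is None:
            continue  # skip wrapped or damaged lines instead of failing
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta >= threshold_s:
                gaps.append((delta, prev_line.rstrip(), line.rstrip()))
        prev_ts, prev_line = ts, line
    return sorted(gaps, key=lambda g: g[0], reverse=True)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to cscan.log from the DART bundle
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    for gap, before, after in find_gaps(lines):
        print(f"{gap:8.3f}s pause\n  before: {before}\n  after:  {after}")
```

The entry printed as "before" names the probe that was in flight when the scan stalled, which is the detail to include in a TAC case.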
