AnyConnect Autoreconnect ReconnectOnResume doesn't work

Simon Parlsjo
Level 1

Hello! I have an issue with AnyConnect and computers hibernating. I'm in the process of migrating a customer from IPsec to AnyConnect. We want to make the VPN connection as seamless as possible but without enabling always-on. For now we just want a one-to-one switch between IPsec and AnyConnect.

Always-on will probably be implemented later after some testing and validation. Now to my issue: I have been trying to make our computers reconnect after hibernation without the need to re-authenticate, but I can't seem to get it to work. We are using AnyConnect version 3.1.04066 and IPsec (IKEv2) as the connection protocol. In our AnyConnect profile I have enabled Auto Reconnect and set it to ReconnectOnResume. See profile below. I'm currently not pushing any configuration from the ASA. It's strange because after hibernate I get the following error even though ReconnectOnResume is configured: "The VPN connection has been disconnected due to the system suspending. The reconnect capability is disabled. A new connection is necessary, which requires re-authentication." Can I get some help troubleshooting this?

XML profile (company name removed):

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>IgnoreProxy</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains><company>.org,<company>.org</TrustedDNSDomains>
      <TrustedDNSServers>10.80.255.205,10.80.255.206,10.80.255.207</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>7</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
          <ApplyLastVPNLocalResourceRules>true</ApplyLastVPNLocalResourceRules>
        </ConnectFailurePolicy>
        <AllowVPNDisconnect>true</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern><company> Issuing CA v1</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>true
      <UserEnforcement>SameUserOnly</UserEnforcement>
    </RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>test.<company>.com</HostName>
      <HostAddress>test.<company>.com</HostAddress>
      <UserGroup>anyc-tunnel-v1.0</UserGroup>
      <MobileHostEntryInfo>
        <NetworkRoaming>true</NetworkRoaming>
        <CertificatePolicy>Auto</CertificatePolicy>
        <ConnectOnDemand>false</ConnectOnDemand>
        <ActivateOnImport>false</ActivateOnImport>
      </MobileHostEntryInfo>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
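As an added example (not from this thread), a small Python check that reads the resume-related settings out of an AnyConnect profile and reports what a defender would want to confirm before deploying it: that AutoReconnect is on with ReconnectAfterResume, and whether AlwaysOn is set even though the post says Always-On is not wanted yet. The sample profile is a constructed, cut-down copy of the posted one with placeholder hostnames; the namespace is the default xmlns the posted profile declares.

```python
import xml.etree.ElementTree as ET

# Default namespace declared by the posted profile; ElementTree needs it for every lookup.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: only the resume-related parts of the poster's profile, placeholder hosts.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutomaticVPNPolicy>true
      <AlwaysOn>true
        <AllowVPNDisconnect>true</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _text(elem):
    # Elements such as <AutoReconnect> hold their value as text before a child element,
    # so take the element's own text only and strip the surrounding whitespace.
    return (elem.text or "").strip() if elem is not None else None


def read_reconnect_settings(profile_xml):
    """Return the settings that decide what the client does when the machine resumes."""
    root = ET.fromstring(profile_xml)
    init = root.find("ac:ClientInitialization", NS)
    return {
        "AutoReconnect": _text(init.find("ac:AutoReconnect", NS)),
        "AutoReconnectBehavior": _text(init.find("ac:AutoReconnect/ac:AutoReconnectBehavior", NS)),
        "AlwaysOn": _text(init.find("ac:AutomaticVPNPolicy/ac:AlwaysOn", NS)),
        "PrimaryProtocol": [_text(p) for p in root.iterfind("ac:ServerList/ac:HostEntry/ac:PrimaryProtocol", NS)],
    }


def check_resume_behaviour(profile_xml):
    """Return findings as strings; an empty list means the profile asks to reconnect after resume."""
    s = read_reconnect_settings(profile_xml)
    findings = []
    if s["AutoReconnect"] != "true":
        findings.append("AutoReconnect is not enabled; the client drops the session on suspend")
    elif s["AutoReconnectBehavior"] != "ReconnectAfterResume":
        findings.append("AutoReconnectBehavior is %r, expected ReconnectAfterResume" % s["AutoReconnectBehavior"])
    if s["AlwaysOn"] == "true":
        findings.append("AlwaysOn is enabled in this profile although Always-On was not wanted yet")
    return findings
```

This only inspects the file's contents; it cannot tell whether the client is actually applying that file, which is the question the rest of the thread turns on.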

5 Replies 5

Richard Burts
Hall of Fame

I am not sure how to interpret your statement that you are not pushing any configuration from the ASA. Does that include the profile?

Is this profile on the ASA? What do you have in the configuration of the ASA that deals with the profile?

HTH

Rick


Hi,

Currently I apply the XML manually on the client. I have not assigned any XML file to a specific group policy on the ASA.

It's like it's not applying all the changes from my XML.

When I was working with a customer who wanted to control the reconnect behavior we put the appropriate parameters into a profile, put that profile in flash on the ASA and configured the ASA to use that profile. That worked for us and did have the result that the customer wanted. I suggest that you put your profile on the ASA and configure the ASA to use it.

HTH

Rick


Hello again!

It's working now. By applying exactly the same XML profile from the ASA via group policy mapping, it is working.

It's strange how the same XML can generate a different experience based on how I deploy it.

Any idea?

I am glad to know that it is working now. Thank you for confirming my suggestion that the profile needed to be specified in the configuration of the ASA. I am not authoritative on how it works, but my interpretation is that since there can be multiple profiles in the directory of the PC, the ASA must indicate to the client when the connection is established which profile is to be used. For example, I use AnyConnect to connect to multiple ASAs for multiple customers and have multiple profiles in the directory of my PC. When I establish a connection, how will my AnyConnect client know which profile to use for this connection?

So when you deploy the profile in the way that was intended it works and when you deploy in a different way it does not work.

HTH

Rick
