AnyConnect connecting to old ASA

derek.small
Level 5

We installed a new ASA cluster some time ago to replace an older ASA. The older ASA was used to handle AnyConnect client connections from our users, but about a year ago we changed our VPN address to point to the new ASA firewalls. Everything was fine, but as we are drawing closer to removing the old firewall we are getting complaints from users about VPN connection issues.

 

I took a packet capture on one of the clients and found that the AnyConnect client is still connecting (or trying to connect) to the old ASA. I removed all crypto from the old ASA, but now you just get a timeout. On the client PC, if you ping the DNS name for the new ASA firewalls, DNS resolves correctly. However, if you try to connect by DNS name, the client always tries to connect to the old IP address, and then times out and fails. If you try to connect by IP address, everything works fine. I checked the preferences.xml file for the AnyConnect client and there was no default host address "<DefaultHostAddress></DefaultHostAddress>" included. I've uninstalled and upgraded the AnyConnect client to the latest version. We aren't doing any load-balancing on the new (or old) ASAs. I'm not sure why the client keeps trying to connect to the old ASA if you try to connect by DNS name.

 

It seems like AnyConnect has its own method of resolving DNS names. I did check the local hosts file on the PC, but since you can ping the DNS name and it resolves correctly, it seems to be a name resolution issue specific to AnyConnect, not Windows. The clients having the problem are mostly running Windows 7.

 

Anyone have any ideas?

4 Replies

Marvin Rhoads
Hall of Fame

Have you checked the profile? On windows it's at C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile.

 

It has a section (as shown below) that can affect this behavior.

 

<ServerList>
    <HostEntry>
        <HostName>(user friendly name here)</HostName>
        <HostAddress>(fqdn or ip address here)</HostAddress>
    </HostEntry>
</ServerList>

 

I had not looked in that folder, but when I do, I find a preferences.xsd file, which doesn't look anything like that and doesn't have any of those sections. That looks more like the .xml file I found in the preferences.xml file in the user's folder, but I don't see a HostAddress field in that file either.

 

I've checked on clients running version 4.4 as well as 3.1.

What about under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\preferences_global.xml? Do you see an entry for "DefaultHostAddress"?

Well, I looked in all the usual places and files.  The old ASA was definitely using client profiles, but the default VPN gateway was not being set in any of the .xml files.  I finally just created a client profile on the new ASA and set the default VPN gateway IP address and DNS name in that profile.  Once the clients connected to the VPN group with that client profile, we didn't see them trying to connect to the old IP address any longer.
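When the same question comes up (which gateway does the client actually have on record?), a small audit script saves a lot of manual opening of .xml files. The block below is an added example written for this thread, not code from Cisco or from either poster; it assumes only the ServerList/HostEntry structure quoted in the reply above and the DefaultHostAddress element mentioned in the question, and uses constructed sample files with placeholder addresses (192.0.2.10 for the retired ASA, vpn.example.com for the new one). The profile directory path is the one named in the reply; treat it as an assumption on other installs.

```python
"""Audit AnyConnect client profiles for entries that still point at a retired gateway.

Added example for the thread above, not vendor code. Sample XML below is
constructed; addresses are placeholders.
"""
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample profile: one stale HostEntry and one current one.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN (old)</HostName>
      <HostAddress>192.0.2.10</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample preferences file with a DefaultHostAddress set.
SAMPLE_PREFS = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultHostName>Corporate VPN (old)</DefaultHostName>
  <DefaultHostAddress>192.0.2.10</DefaultHostAddress>
</AnyConnectPreferences>
"""

# Path from the reply above; assumed, adjust for your installation.
PROFILE_DIR = Path(r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile")


def local_name(tag):
    """Strip an XML namespace prefix like '{uri}HostEntry' down to 'HostEntry'."""
    return tag.rsplit("}", 1)[-1]


def child_text(elem, name):
    """Return the stripped text of the first child with local name `name`, or None."""
    for child in elem:
        if local_name(child.tag) == name:
            return (child.text or "").strip()
    return None


def server_entries(xml_text):
    """Return [(HostName, HostAddress), ...] for every HostEntry in a profile."""
    root = ET.fromstring(xml_text)
    entries = []
    for elem in root.iter():
        if local_name(elem.tag) == "HostEntry":
            entries.append((child_text(elem, "HostName"), child_text(elem, "HostAddress")))
    return entries


def stale_entries(xml_text, retired):
    """Entries whose HostAddress is in the set of retired gateway addresses/names."""
    retired = {r.lower() for r in retired}
    return [(n, a) for n, a in server_entries(xml_text) if a and a.lower() in retired]


def default_host(prefs_xml):
    """DefaultHostAddress from a preferences file, or None if absent/empty."""
    root = ET.fromstring(prefs_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "DefaultHostAddress":
            return (elem.text or "").strip() or None
    return None


def audit_profile_dir(directory, retired):
    """Map each *.xml file in the profile directory to its stale entries."""
    report = {}
    for path in Path(directory).glob("*.xml"):
        try:
            report[path.name] = stale_entries(path.read_text(encoding="utf-8"), retired)
        except ET.ParseError as exc:
            report[path.name] = [("<parse error>", str(exc))]
    return report


if __name__ == "__main__":
    retired = {"192.0.2.10"}  # placeholder for the decommissioned ASA
    print("stale entries in sample profile:", stale_entries(SAMPLE_PROFILE, retired))
    print("default host in sample prefs:", default_host(SAMPLE_PREFS))
    if PROFILE_DIR.is_dir():
        print(audit_profile_dir(PROFILE_DIR, retired))
```

Run it on a client that shows the symptom: any non-empty result from `stale_entries` or a `default_host` matching the old address explains why the client keeps dialling the retired gateway even though DNS resolves the new one. An empty result on every file is consistent with what the original poster found, where the fix was pushing a fresh profile from the new ASA rather than editing anything on the client.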