
AnyConnect disconnects on redhat when creating/terminating any console window

mickntigg
Level 1

Cisco AnyConnect Secure Mobility Client running on linux REDHAT

 

After AnyConnect auto-upgraded to V4.7.04056 on Feb 12, it disconnects me from the network every time I create a terminal window.

I've upgraded to 4.8.02045 and still have the same problem.

It also occurs if I create the VPN via the command line or the GUI.

Desktop is KDE.

I've tried reinstalling AnyConnect, no help. I've run an SELinux relabel.

Any ideas are welcome. Log messages below.

 

log messages:

Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Termination reason code 5: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 1)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is being torn down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 3)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: A DTLS Alert was sent by the client during a write operation. Severity: warning Description: close notify
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The VPN client has sent the following close message to the gateway: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary SSL connection to the secure gateway is down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 3)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: VPN state: Disconnecting Network state: Network Accessible Network control state: Network Access: Restricted Network type: Undefined
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Function: getStateMessage File: ../../vpn/Api/ClientIfcBase.cpp Line: 3181 Disconnect in progress.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Message type information sent to the user: Disconnect in progress, please wait...
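
Added example, not part of the original post and not Cisco code: a small parser that groups `acvpnagent` syslog lines like the ones above into disconnect events and picks out those the agent attributed to a user logoff (reason code 5). The function names are hypothetical, and the 14:31:40 lines in the sample are constructed to show a second event.

```python
import re

# Sample input: the 14:08:13 lines follow the post's excerpt; the 14:31:40
# lines are constructed to show a second event.
SAMPLE_LOG = """\
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Termination reason code 5: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 1)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Message type information sent to the user: Disconnect in progress, please wait...
Feb 20 14:31:40 xxxxxx-lnx7 acvpnagent[1609]: Termination reason code 5: The user is logging off the system.
Feb 20 14:31:40 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 1)
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> <process>[<pid>]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\]: (.*)$")
REASON = re.compile(r"Termination reason code (\d+): (.*)")
STATE = re.compile(r"tunnel state change notification \(new (\d+), old (\d+)\)")

def disconnect_events(text):
    """Return one record per termination message, with the state changes that follow it."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(3) != "acvpnagent":
            continue  # skip acvpnui and unrelated syslog lines
        ts, _host, _proc, pid, msg = m.groups()
        reason = REASON.search(msg)
        if reason:
            events.append({"time": ts, "pid": int(pid), "code": int(reason.group(1)),
                           "reason": reason.group(2), "transitions": []})
            continue
        state = STATE.search(msg)
        if state and events and events[-1]["pid"] == int(pid):
            new, old = map(int, state.groups())
            events[-1]["transitions"].append((old, new))  # stored as (old, new)
    return events

def logoff_disconnects(text):
    """Events the agent attributed to a user logoff (reason code 5 in the post's log)."""
    return [e for e in disconnect_events(text) if e["code"] == 5]

if __name__ == "__main__":
    for e in logoff_disconnects(SAMPLE_LOG):
        print(e["time"], "pid", e["pid"], "code", e["code"], e["reason"], e["transitions"])
```

Feeding it the real syslog or journal export gives a timestamped list that can be lined up against when terminal windows were opened or closed.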


Cristian Matei
VIP Alumni

Hi,

 

Have you configured the "Retain VPN On Logoff" option in the AnyConnect profile? You can do it manually by editing the XML profile.


Regards,

Cristian Matei.

Hi,

Thanks for the reply. I had set RetainVpnOnLogoff to true a couple of weeks ago but never went back to make sure it wasn't getting reset. Turns out it gets reset every time I start AnyConnect. So sadly, I've got to go deal with my company's IT department as they are Windows oriented and not Linux. I've no idea why they have decided to change this with the latest update to the software.

cheers,

m.

I've done more research and restored the XML files from backups I did last year and discovered that RetainVpnOnLogoff has always been set to false. The issue occurred after a software upgrade to the client, so it seems Cisco has introduced a bug in V4.7.04056 where it thinks that terminals being created/terminated are login/logoff events. Has anyone else seen this behavior on their Linux envs? I can't change the value of RetainVpnOnLogoff because it gets overwritten by company client policy.

 

Hi,

 

The same issue has been there as well, in older versions, fixed only via the RetainVPNOnLogoff. I would do the following in parallel:

- raise a TAC case

- your company could push only to the Linux devices a different policy so that it works for you as well

 

Any tweaking you end up doing on the end-host is not a long-term solution, as it will always break due to new company policies which don't take into consideration Linux devices, or by a new AnyConnect update which overwrites your local tweaks.

 

Regards,

Cristian Matei

 

 

    

I have precisely the same issue (v4.8.01090).

 

Did you ever raise a TAC case for this? This bug has been hurting my productivity for months now.

I am not able to open a TAC ticket. I have to go through my company's GIT org and they are still "researching" the issue even though I've told them of this thread.

Ok thank you. Same for me as my company doesn't officially support Linux.

My company does support Linux, but the Linux people don't have the ability to open a TAC. They have to get the networking team to do so. And so I wait and wait.

Can someone please help me figure out how to add this "Retain VPN On Logoff" option to my Linux server? I cannot find this XML profile; all I can find on the path "opt/cisco/anyconnect/profile" is an AnyConnectProfile.xsd file. This is a very urgent matter as I am experiencing this same issue of VPN disconnecting itself whenever we ssh into our server and I am hoping this "Retain VPN On Logoff" will prevent this.

cparg
Level 1

I also have this severe problem with CentOS 8 and Linux AnyConnect 4.8.01090 client.

 

Cause: The problem has to do with the /dev/console device that disappears or changes for AnyConnect.

Workaround: After first login to KDE-Plasma after system start, log out and kill XOrg, then log in again.

 

There is an enhancement request "CSCvt68560 - ENH - Retain VPN On Logoff for Linux." filed that is supposed to fix this bug!

 

Note: I am disappointed that Cisco handles this as an enhancement request; for me this is clearly a very severe bug. Cisco support was not able to provide a workaround. I am also wondering whether the ER will really fix the root cause or will just mitigate its effect.

 

Note: The vpnagent keeps a lot of stale filehandles open, as ls -l /proc/<vpnagentd pid>/fd shows. There are a lot of anon_inode entries (see man proc).

Unfortunately the workaround stopped working for me.

I am wondering if the signal that is sent to the crappy Cisco AnyConnect client can be intercepted. I suppose this works through dbus but I don't know how that could be done.
Any expert on dbus here who could help?
Thx, Chris

 
