03-11-2020 05:16 AM
Cisco AnyConnect Secure Mobility Client running on Linux Red Hat
After AnyConnect auto-upgraded to V4.7.04056 on Feb 12, it disconnects me from the network every time I create a terminal window.
I've upgraded to 4.8.02045 and still have the same problem.
It also occurs if I create the VPN via command line or GUI.
The desktop is KDE.
I've tried reinstalling AnyConnect, no help. I've run an SELinux relabel.
Any ideas are welcome. Log messages below.
Log messages:
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Termination reason code 5: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 1)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is being torn down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 3)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: A DTLS Alert was sent by the client during a write operation. Severity: warning Description: close notify
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The VPN client has sent the following close message to the gateway: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: A SSL Alert was sent by the client during a write operation. Severity: warning Description: close notify
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary SSL connection to the secure gateway is down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 3)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: VPN state: Disconnecting Network state: Network Accessible Network control state: Network Access: Restricted Network type: Undefined
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Function: getStateMessage File: ../../vpn/Api/ClientIfcBase.cpp Line: 3181 Disconnect in progress.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Message type information sent to the user: Disconnect in progress, please wait...
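The disconnect sequence quoted above can be pulled out of a larger syslog file mechanically, which helps when correlating drops with terminal or SSH session activity. This is an added example, not part of the original post and not Cisco tooling; the sample lines are copied from the post, and the numeric tunnel states are reported as-is because the thread does not define them.

```python
import re
from collections import namedtuple

# Constructed sample: five of the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Termination reason code 5: The user is logging off the system.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 1)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: The Primary DTLS connection to the secure gateway is being torn down.
Feb 20 14:08:13 xxxxxx-lnx7 acvpnagent[1609]: Function: OnTunnelStateChange File: ../../vpn/Agent/TND.cpp Line: 2038 tunnel state change notification (new 3, old 3)
Feb 20 14:08:13 xxxxxx-lnx7 acvpnui[12025]: Message type information sent to the user: Disconnect in progress, please wait...
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                    r"(?P<proc>\w+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
REASON = re.compile(r"Termination reason code (\d+): (.*)")
STATE = re.compile(r"tunnel state change notification \(new (\d+), old (\d+)\)")

Event = namedtuple("Event", "ts pid code reason transitions")

def find_terminations(text):
    """Return one Event per termination logged by acvpnagent, with the
    real (old != new) tunnel state changes the same agent PID logs after it."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["proc"] != "acvpnagent":
            continue  # skip unparseable lines and the acvpnui process
        pid = int(m["pid"])
        r = REASON.search(m["msg"])
        if r:
            events.append(Event(m["ts"], pid, int(r[1]), r[2], []))
            continue
        s = STATE.search(m["msg"])
        if s and events and events[-1].pid == pid and s[1] != s[2]:
            events[-1].transitions.append((int(s[2]), int(s[1])))  # (old, new)
    return events

def logoff_triggered(events):
    """Reason code 5 is the one the log above pairs with a user logoff."""
    return [e for e in events if e.code == 5]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in logoff_triggered(find_terminations(text)):
        print(e.ts, f"pid={e.pid}", f"code={e.code}", e.reason, e.transitions)
```
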
03-11-2020 03:24 PM
Hi,
Have you configured in the AnyConnect profile, the "Retain VPN On Logoff" option? You can do it manually by editing the XML profile.
Regards,
Cristian Matei.
03-12-2020 04:21 AM
Hi,
Thanks for the reply. I had set RetainVpnOnLogoff to true a couple of weeks ago but never went back to make sure it wasn't getting reset. Turns out it gets reset every time I start AnyConnect. So sadly, I've got to go deal with my company's IT department, as they are Windows oriented and not Linux. I've no idea why they have decided to change this with the latest update to the software.
cheers,
m.
03-12-2020 05:21 AM
I've done more research and restored the XML files from backups I did last year and discovered that RetainVpnOnLogoff has always been set to false. The issue occurred after a software upgrade to the client, so it seems Cisco has introduced a bug in V4.7.04056 where it thinks that terminals being created/terminated are login/logoff events. Has anyone else seen this behavior on their Linux envs? I can't change the value of RetainVpnOnLogoff because it gets overwritten by company client policy.
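To see what a profile actually contains after the client has started (and whether a local edit to RetainVpnOnLogoff survived), the XML files can be audited directly. This is an added example, not part of the thread or Cisco's tooling; the sample profile is constructed, its layout is an assumption, and the directory to scan is passed in by the caller.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample profile (assumed layout); only the RetainVpnOnLogoff
# element name is taken from the thread.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
</AnyConnectProfile>
"""

def retain_vpn_on_logoff(xml_bytes):
    """Return True/False for the setting, or None if the element is absent.

    Matching is on the local element name, so it works whatever XML
    namespace the profile declares. Only the text before any child
    element is read, so a nested sub-option does not confuse the result.
    """
    root = ET.fromstring(xml_bytes)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "RetainVpnOnLogoff":
            return (el.text or "").strip().lower() == "true"
    return None

def audit_profiles(directory):
    """Map each *.xml file in `directory` to its setting (True/False/None),
    or to an 'unreadable: ...' string if it cannot be read or parsed."""
    results = {}
    for path in sorted(Path(directory).glob("*.xml")):
        try:
            results[path.name] = retain_vpn_on_logoff(path.read_bytes())
        except (ET.ParseError, OSError) as exc:
            results[path.name] = f"unreadable: {exc}"
    return results

if __name__ == "__main__":
    # Usage: python audit_profiles.py <profile directory>
    if len(sys.argv) > 1:
        for name, value in audit_profiles(sys.argv[1]).items():
            print(f"{name}: RetainVpnOnLogoff = {value}")
    else:
        print("sample:", retain_vpn_on_logoff(SAMPLE_PROFILE))
```

Running it before and after starting the client shows whether the pushed policy rewrote the value.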
03-12-2020 07:44 AM
Hi,
The same issue has been there as well, in older versions, fixed only via the RetainVPNOnLogoff. I would do the following in parallel:
- raise a TAC case
- your company could push only to the Linux devices a different policy so that it works for you as well
Any tweaking you end up doing on the end-host is not a long-term solution, as it will always break due to new company policies which don't take into consideration Linux devices, or by a new AnyConnect update which overwrites your local tweaks.
Regards,
Cristian Matei
06-17-2020 02:51 AM
I have precisely the same issue (v4.8.01090).
Did you ever raise a TAC case for this? This bug has been hurting my productivity for months now.
06-17-2020 04:26 AM
I am not able to open a TAC ticket. I have to go through my company's GIT org and they are still "researching" the issue even though I've told them of this thread.
06-17-2020 11:36 AM
Ok thank you. Same for me as my company doesn't officially support Linux.
06-17-2020 01:03 PM
My company does support Linux, but the Linux people don't have the ability to open a TAC. They have to get the networking team to do so. And so I wait and wait.
01-05-2021 01:39 AM
Can someone please help me figure out how to add this "Retain VPN On Logoff" option to my Linux server? I cannot find this XML profile; all I can find on the path "opt/cisco/anyconnect/profile" is an AnyConnectProfile.xsd file. This is a very urgent matter as I am experiencing this same issue of the VPN disconnecting itself whenever we ssh into our server, and I am hoping this "Retain VPN On Logoff" will prevent this.
09-29-2020 12:21 AM - edited 09-29-2020 12:23 AM
I also have this severe problem with CentOS 8 and Linux AnyConnect 4.8.01090 client.
Cause: The problem has to do with the /dev/console device that disappears or changes for AnyConnect.
Workaround: After the first login to KDE Plasma after system start, log out and kill XOrg, then log in again.
There is an enhancement request "CSCvt68560 - ENH - Retain VPN On Logoff for Linux." filed that is supposed to fix this bug!
Note: I am disappointed that Cisco handles this as an enhancement request; for me this is clearly a very severe bug. Cisco support was not able to provide a workaround. I am also wondering whether the ER will really fix the root cause or will just mitigate its effect.
Note: The vpnagent keeps a lot of stale filehandles open, as ls -l /proc/<vpnagentd pid>/fd shows. There are a lot of anon_inode entries (see man proc).
07-05-2021 07:49 AM
Unfortunately the workaround stopped working for me.
I am wondering if the signal that is sent to the crappy Cisco AnyConnect client can be intercepted. I suppose this works through dbus but I don't know how that could be done.
Any expert on dbus here who could help ?
Thx, Chris