
Anyconnect management tunnel and trusted network detection

BJ
Level 1

ASA version: 9.9.2

AnyConnect versions: 4.8.03052 and 4.9.01095

I am testing out the AnyConnect management tunnel with Trusted Network Detection (TND). I followed a guide at www.petenetlive.com/KB/Article/0001503 as well as the Cisco-provided documentation and had it working on AnyConnect version 4.8.03052. The management tunnel would connect when outside the corporate network and would disconnect upon detection of the trusted network parameters, and the AnyConnect message history would show a disconnect reason of 'on a trusted network'.

Long story short, as I went to expand testing to more users I found that TND is no longer working. I have rebuilt profiles, group policies and tunnel groups to no avail. I also tried a different AnyConnect version with no luck. The management tunnel will still activate as soon as I leave the corporate network, but now upon reconnecting to corporate it attempts to reconnect to the VPN tunnel that is present in the preferences.xml file, as if the TND settings are not even being considered.

I have seen the following regarding enabling TND on both the user and management tunnel profiles; however, when this was working, I did not have TND enabled on any user profiles. After reading this, I enabled it, but still no change:

"The management VPN profile settings are only enforced by AnyConnect while the management VPN tunnel is active. When the management VPN tunnel is disconnected, only user VPN tunnel profile settings are enforced. Therefore, the management VPN tunnel is initiated according to the Trusted Network Detection (TND) settings in the user VPN tunnel profile, namely when TND is disabled or when it detects "untrusted network", regardless of the configured Untrusted Network Policy. Additionally, the TND Connect action in the management VPN profile (enforced only when the management VPN tunnel is active) always applies to the user VPN tunnel to ensure that the management VPN tunnel is transparent to the end user. For a consistent user experience, we recommend that you use identical TND settings in both user and management VPN tunnel profiles."

Any ideas what I am overlooking?

An example of the management tunnel profile is attached and the relevant config follows:

 


webvpn
 enable outside
 anyconnect-custom-attr ManagementTunnelAllAllowed description Management Tunnel
 no anyconnect-essentials
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
tunnel-group AnyConnect_MGMT_Tunnel type remote-access
tunnel-group AnyConnect_MGMT_Tunnel general-attributes
 address-pool MgmtVPNPool
 accounting-server-group ISE
 default-group-policy AnyConnect_MGMT_Tunnel
tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
 authentication certificate
 group-alias Anyconnect_MGMT_Tunnel enable
 group-url https://some.domain.com/Anyconnect_MGMT_Tunnel enable
!
tunnel-group ITadminVPN type remote-access
tunnel-group ITadminVPN general-attributes
 address-pool vpn-pool
 authentication-server-group radius LOCAL
 default-group-policy ITadminVPN
tunnel-group ITadminVPN webvpn-attributes
 group-alias Admin-Only enable
tunnel-group ITadminVPN ipsec-attributes
 ikev1 pre-shared-key ********
!
group-policy ITadminVPN internal
group-policy ITadminVPN attributes
 wins-server none
 dns-server value 10.10.10.1
 vpn-simultaneous-logins 10
 vpn-session-timeout 1440
 vpn-tunnel-protocol ikev1 ssl-client ssl-clientless
 default-domain value some.domain
 client-bypass-protocol enable
 address-pools value vpn-pool
 webvpn
  anyconnect profiles value management-vpn-profile type vpn-mgmt
  anyconnect profiles value admin-test type user
!
group-policy AnyConnect_MGMT_Tunnel attributes
 banner none
 wins-server none
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Anyconnect-Mgmt-Split
 default-domain none
 client-bypass-protocol enable
 address-pools value MgmtVPNPool
 anyconnect-custom ManagementTunnelAllAllowed value Value
 webvpn
  anyconnect profiles value management-vpn-profile type vpn-mgmt
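As an added check (example code written for this page, not from the thread or from Cisco), the following Python script parses two AnyConnect client profiles and reports where their TND settings diverge, which is the consistency the quoted Cisco guidance asks for. It also verifies the settings the management tunnel feature requires in its own profile: TND enabled, Disconnect on a trusted network, Connect on an untrusted network, and a single host entry. The two profile documents are constructed samples, the domain, DNS server addresses and hostnames are placeholders, and the management profile carries a deliberate mismatch in TrustedDNSServers so the report has something to show.

```python
"""Compare Trusted Network Detection (TND) settings between an AnyConnect
user profile and a management VPN profile, and check the management
profile's own requirements. Added example, not the poster's attachment."""

import xml.etree.ElementTree as ET

# Constructed sample profiles (placeholders). Element names follow the
# AnyConnect client profile schema; the namespace is the one AnyConnect
# profiles declare.
USER_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.10.1</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>DoNothing</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>some.domain.com</HostName>
      <HostAddress>some.domain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Management profile with a deliberate typo in TrustedDNSServers
# (10.10.10.2), so the two profiles disagree on what "trusted" means.
MGMT_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.10.2</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>some.domain.com</HostName>
      <HostAddress>some.domain.com</HostAddress>
      <UserGroup>Anyconnect_MGMT_Tunnel</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Fields that decide whether the client considers the network trusted.
TND_FIELDS = ("TrustedDNSDomains", "TrustedDNSServers", "TrustedNetworkPolicy")
ALL_FIELDS = TND_FIELDS + ("UntrustedNetworkPolicy",)


def tnd_settings(profile_xml):
    """Return the TND-related values of a profile as a dict of strings."""
    root = ET.fromstring(profile_xml)
    auto = root.find("{*}ClientInitialization/{*}AutomaticVPNPolicy")
    settings = {"AutomaticVPNPolicy": "false"}
    settings.update({name: "" for name in ALL_FIELDS})
    if auto is None:
        return settings
    # AutomaticVPNPolicy carries "true"/"false" as text before its children.
    settings["AutomaticVPNPolicy"] = (auto.text or "").strip().lower()
    for name in ALL_FIELDS:
        el = auto.find("{*}" + name)
        if el is not None:
            settings[name] = (el.text or "").strip()
    return settings


def host_entry_count(profile_xml):
    """Number of HostEntry elements in the profile's ServerList."""
    root = ET.fromstring(profile_xml)
    return len(root.findall("{*}ServerList/{*}HostEntry"))


def check_profiles(user_xml, mgmt_xml):
    """Return a list of findings; an empty list means the pair is consistent."""
    user, mgmt = tnd_settings(user_xml), tnd_settings(mgmt_xml)
    findings = []
    # Settings the management tunnel feature requires in its own profile.
    if mgmt["AutomaticVPNPolicy"] != "true":
        findings.append("mgmt: AutomaticVPNPolicy must be true (TND on)")
    if mgmt["TrustedNetworkPolicy"] != "Disconnect":
        findings.append("mgmt: TrustedNetworkPolicy must be Disconnect")
    if mgmt["UntrustedNetworkPolicy"] != "Connect":
        findings.append("mgmt: UntrustedNetworkPolicy must be Connect")
    if host_entry_count(mgmt_xml) != 1:
        findings.append("mgmt: exactly one HostEntry is required")
    # The quoted guidance: identical TND settings in both profiles. Only the
    # detection criteria are compared; the user profile's
    # UntrustedNetworkPolicy is ignored for starting the management tunnel.
    for name in ("AutomaticVPNPolicy",) + TND_FIELDS:
        if user[name] != mgmt[name]:
            findings.append(
                f"TND mismatch on {name}: user={user[name]!r} mgmt={mgmt[name]!r}")
    return findings


if __name__ == "__main__":
    for line in check_profiles(USER_PROFILE, MGMT_PROFILE) or ["profiles consistent"]:
        print(line)
```

Run it against the two profiles pulled from the ASA (or from the client's profile directory) to confirm both agree on the trusted DNS domains and servers before spending more time on the headend configuration; a client whose two profiles disagree on those criteria will behave as if TND were flapping.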

5 Replies

The default behaviour when you configure the management tunnel is to try to trigger the user tunnel as soon as you log into the machine. By default AnyConnect would try to reconnect to the latest headend that the machine connected to. This latest headend is stored in the preferences.xml file.

Regarding TND and the user profile: even if you don't configure TND on the user profile, and you have it enabled on the management tunnel profile, the user profile will be treated as if it has TND enabled. To work around this default behaviour you need to disable TND on both profiles. Disabling TND on both profiles will not stop the management tunnel from forming when the machine is out of the corporate network, because the management tunnel will always try to connect to the headend. Obviously, when the machine is on the corporate network the management tunnel can't be formed, and the firewall would not allow traffic received on one of its interfaces destined to another.

I noticed in your config snippet that you did not add the management and user profiles under the global webvpn configuration. Although this might not affect anything if you applied those profiles on the clients, I think it would be good practice to upload them to the firewall and reference them under the global webvpn section.

Were you able to find a solution to your problem?

No I have not found a solution yet. I’ve brought this up to our account team as well and they were supposed to be looking into it. That was a while ago though.

SzantaiNorbert
Level 1

Hello All,

Does anyone have a solution? We had a perfectly working user-profile-based VPN with TND, and we enabled the management VPN. Now, sometimes the clients are building up the management VPN on a trusted network as well. I have exactly the same TND settings in the management VPN profile and in the user profile.

Regards,

Norbert

BJ
Level 1

I was never able to get this working properly and have not revisited it since 2022. I do have plans to work with a consulting team on this in early 2024, so hopefully we can get something working.