05-17-2020 07:21 PM
Hi Experts,
disclaimer: Cisco TAC responded that this is expected behavior but I dispute it's expected by end-users.
We're testing RA VPN using AnyConnect (4.7.04056). Three tunnel-groups: one (legacy) is authenticating using LDAP (against on-premise AD), other two are SAML (against Azure IdP).
Ordinarily, after clicking the "connect" button, the remote user expects to see AnyConnect's drop-down box to explicitly select a tunnel-group.
However, if the remote user previously selected a SAML tunnel-group, then the same choice is assumed for the subsequent attempt, causing AnyConnect's largish built-in web-browser window (facilitating the SAML authentication prompt) to obscure the tunnel-group selection drop-down box. (In Windows, it means the remote user has to find the AnyConnect window in the Taskbar, or alt-tab or win-tab, to select another tunnel-group.)
I prepended a number in each tunnel-group's "group-alias" to order LDAP tunnel-group first, but that hasn't helped.
Advice on how to handle this setup would be most appreciated.
R's, Alex
05-18-2020 09:20 AM
The most-recently used group and (other parameters) will be stored in
C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
I wonder if making that file read-only (with the desired DefaultGroup parameter) would work.
05-18-2020 06:49 PM - edited 05-18-2020 06:50 PM
Hi Marvin,
thank you for the suggestion. My understanding is that this "preferences.xml" is meant to be overwritten, by design. So, I'd be reluctant to impose read-only on the file for all users (especially those who access different VPN Gateways). Alternative suggestions most appreciated.
Since you brought up "preferences.xml" - a question: is it possible to force AnyConnect to use IKEv2 (instead of the preferred SSL) for the VPN connection at the client end (i.e. without an AnyConnect VPN Profile or changing the group-policy's "vpn-tunnel-protocol" at the head-end)? (I have a firewall that can block SSL, but I'm looking for something more straightforward.)
R's, Alex
05-18-2020 10:23 PM
How about publishing a URL for the connection profiles and having the users enter that as an alternative to send their session straight to the desired profile?
As far as I know, the protocol (SSL/TLS vs. IKEv2 IPsec) needs to be specified in the profile - normally deployed from the headend but it can be predeployed manually.
05-18-2020 10:26 PM - edited 05-18-2020 10:33 PM
> but it can be predeployed manually.
can you please provide a clue as to how? Can this setting remain persistent (until, let's say, manually removed)?
Also can you confirm - even if IPsec is used for VPN transport, is SSL (port 443) still innately required?
05-18-2020 10:44 PM
Build a VPN Profile using the desktop editor. The server list section allows you to save the protocol used.
Save the file and copy it to clients (on Windows the location is C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) using:
If there's no profile on the ASA, the client one will remain as-is persistent across connections and restarts. Any profile on the ASA that's associated with the client's connection will overwrite what the client has already, no matter how they got it.
05-18-2020 11:39 PM - edited 05-18-2020 11:45 PM
Brilliant! Thank you... For posterity, here's what I've done.
1. Created a file (based on the demo AnyConnect Profile) - "ikev2_anyconnect_client_profile2.xml" with ONLY the following content:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ServerList>
<HostEntry>
<HostName>ikev2-5555</HostName>
<HostAddress>{redacted}</HostAddress>
<UserGroup>{redacted}</UserGroup>
<PrimaryProtocol>IPsec</PrimaryProtocol>
</HostEntry>
</ServerList>
</AnyConnectProfile>
2. (as per your advice) placed the file into "c:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\"
3. Tried the VPN connection
c:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client>vpncli
Cisco AnyConnect Secure Mobility Client (version 4.7.04056) .
Copyright (c) 2004 - 2019 Cisco Systems, Inc. All Rights Reserved.
>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
VPN> connect ikev2-5555
>> contacting host (ikev2-5555) for login information...
>> notice: Contacting ikev2-5555.
>> Please enter your username and password.
Username: [{redacted}]
Password: [redacted]
>> notice: Please respond to banner.
You are now connected to the {redacted} network. During this unusual time the {redacted} VPN service is critically important in delivering access to the {redacted} community. Streaming services like Netflix and Youtube will be blocked through the VPN tunnel until further notice.
accept? [y/n]: y
>> notice: Establishing VPN session...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
>> notice: Establishing VPN - Examining system...
>> notice: Establishing VPN - Activating VPN adapter...
>> state: Connecting
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Configuring system...
>> notice: Establishing VPN...
>> state: Connected
>> notice: Connected to ikev2-5555.
VPN> disconnect
>> state: Disconnecting
>> notice: Disconnect in progress, please wait...
>> state: Disconnecting
>> notice: Disconnect in progress, please wait...
>> state: Disconnecting
>> state: Disconnected
>> notice: Ready to connect.
>> state: Disconnected
4. Observe in Wireshark - no traffic on port TCP/443 - I see only (source UDP/500 and UDP/4500) ISAKMP and ESP traffic - so answered own question - AnyConnect can be independent of SSL.
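As an added example (not Cisco's code and not part of the original post), the following Python script builds a minimal client profile of the same shape as the one posted above and reads a profile back to report which HostEntry forces IPsec and which will use the client's preferred SSL. The hostname, server address and group names are constructed placeholders; the namespace and element names are the ones in the posted profile. Treating an absent PrimaryProtocol as SSL is an assumption based on the thread's statement that SSL is the client's preferred protocol.

```python
"""Build and inspect a minimal AnyConnect client profile (added example, not Cisco's code)."""
import xml.etree.ElementTree as ET

# Namespace and schema reference exactly as they appear in the posted profile.
NS = "http://schemas.xmlsoap.org/encoding/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("", NS)
ET.register_namespace("xsi", XSI)

# Constructed copy of the posted profile, with the redacted values replaced by placeholders.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>ikev2-5555</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
      <UserGroup>example-group</UserGroup>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def build_profile(entries):
    """Return profile XML text for a list of dicts with keys
    host_name, host_address, optional user_group and optional primary_protocol."""
    root = ET.Element(f"{{{NS}}}AnyConnectProfile")
    root.set(f"{{{XSI}}}schemaLocation", f"{NS} AnyConnectProfile.xsd")
    server_list = ET.SubElement(root, f"{{{NS}}}ServerList")
    for e in entries:
        host = ET.SubElement(server_list, f"{{{NS}}}HostEntry")
        ET.SubElement(host, f"{{{NS}}}HostName").text = e["host_name"]
        ET.SubElement(host, f"{{{NS}}}HostAddress").text = e["host_address"]
        if e.get("user_group"):
            ET.SubElement(host, f"{{{NS}}}UserGroup").text = e["user_group"]
        # Only write PrimaryProtocol when the caller asks for a non-default transport.
        if e.get("primary_protocol"):
            ET.SubElement(host, f"{{{NS}}}PrimaryProtocol").text = e["primary_protocol"]
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def host_protocols(profile_xml):
    """Map HostName -> PrimaryProtocol for every HostEntry in a profile.
    Assumption: a missing PrimaryProtocol means the client's preferred SSL transport."""
    root = ET.fromstring(profile_xml)
    result = {}
    for host in root.iter(f"{{{NS}}}HostEntry"):
        name = host.findtext(f"{{{NS}}}HostName")
        proto = host.findtext(f"{{{NS}}}PrimaryProtocol", default="SSL")
        result[name] = proto
    return result


def ipsec_hosts(profile_xml):
    """Names of the HostEntry elements that will not use TCP/443 for the tunnel itself."""
    return sorted(n for n, p in host_protocols(profile_xml).items() if p == "IPsec")


if __name__ == "__main__":
    entries = [
        {"host_name": "ikev2-example", "host_address": "vpn.example.invalid",
         "user_group": "example-group", "primary_protocol": "IPsec"},
        {"host_name": "ssl-example", "host_address": "vpn.example.invalid"},
    ]
    generated = build_profile(entries)
    print(generated)
    print("generated:", host_protocols(generated))
    print("posted sample:", host_protocols(SAMPLE_PROFILE))
```

Running the script prints the generated profile and the per-host transport for both the generated and the sample profile; the generated text can be written to the Profile directory named in the thread for predeployment.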
05-19-2020 04:54 AM - edited 05-19-2020 04:58 AM
Indeed - that's it exactly.
TLS is only required with an IKEv2 remote access VPN if you want the client services - e.g. the portal and the ability to update the profile from the headend. If you don't need either, it can work purely over the ISAKMP (udp/500 and, if there's NAT Traversal, udp/4500) and ESP (protocol 50) IPsec-related protocols, as you observed.
05-19-2020 05:36 AM - edited 05-19-2020 05:42 AM
Using the above manually created AnyConnect profile, in Wireshark, I saw no attempt to connect to head-end using SSL. In fact, during testing, I denied SSL access to head-end on edge router - leading to two questions:
1. Isn't AnyConnect designed to automatically utilise IKEv2+ESP if SSL is unavailable? If so, how come I need the profile to explicitly specify "IPsec" for "PrimaryProtocol" - wouldn't failure to connect to the head-end using SSL be sufficient to use IPsec?
2. Above vpncli printouts:
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
Seem fake, given that these "client-services" require SSL that isn't available - no?