07-31-2018 05:31 AM - edited 02-21-2020 09:25 PM
Hello,
We've got an ASA5525-X, v 9.8.2-33 and AnyConnect v 4.6.01103, authentication with cert, SBL working, AnyConnect is connecting to "vpn.company.com/anyconnect", so everything's fine.
Now I want a test PC to connect to a test ASA with an external address "vpntest.company.com/anyconnect".
So on the test ASA I create an AnyConnect profile with the external address in the Server List.
I export the XML file, copy it to the PC under ./Profile/, and restart the PC, but the PC always connects to the production ASA (vpn.company.com/anyconnect). If I try to enter the other address manually, I can't connect because of the cert in the machine store.
Question: doesn't the client read the address from the XML file? If I check the file, everything is fine.
Any idea where to search?
content of profile.xml:
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>IgnoreProxy</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">false</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="false">true</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="false">false</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">true
      <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
      <EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
    </EnableScripting>
    <CertificateMatch>
      <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpntest.company.com/anyconnect</HostName>
      <HostAddress>vpntest.company.com</HostAddress>
      <UserGroup>anyconnect</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
07-31-2018 08:09 AM
07-31-2018 10:15 PM
Hello Paul,
- DNS resolves different addresses, the test and prod ASAs are completely separated
- no, only one active profile (I changed the other XML files to .old or so) and I don't want a drop-down for the users, they shouldn't have to enter anything.
- no, no always-on activated
best regards
Karl
08-03-2018 06:40 AM
You may have to delete the preferences.xml and preferences_global.xml, quit the client and try again.
preferences.xml is located under C:\Users\<PCusername>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
preferences_global.xml is located under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client
The preferences file saves some settings from the last gateway it connected to. Deleting it should recreate it once you connect successfully to the test ASA.
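
A PowerShell sketch of the cleanup described in this answer, added here as an example and not posted by anyone in the thread. It compares the gateway cached in the two preferences files with the profile's ServerList and renames the files instead of deleting them. The `-ProfilePath` parameter and the `DefaultHostName` element name are assumptions; the file locations are the ones given above.

```powershell
# Added example, not from the thread. Quit the AnyConnect client first and run
# as the affected user; moving the file under ProgramData may need elevation.
param(
    [Parameter(Mandatory)] [string] $ProfilePath   # path to the exported profile.xml (you supply it)
)

$clientDir = 'Cisco\Cisco AnyConnect Secure Mobility Client'
$prefFiles = @(
    (Join-Path $env:LOCALAPPDATA (Join-Path $clientDir 'preferences.xml')),
    (Join-Path $env:ProgramData  (Join-Path $clientDir 'preferences_global.xml'))
)

# Hosts that the profile's <ServerList> tells the client to use.
[xml]$vpnProfile = Get-Content -LiteralPath $ProfilePath -Raw
$profileHosts = @($vpnProfile.AnyConnectProfile.ServerList.HostEntry |
                  ForEach-Object { $_.HostName })
Write-Host "Profile server list: $($profileHosts -join ', ')"

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($file in $prefFiles) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Host "Not present: $file"
        continue
    }

    # Assumption: the last-used gateway is cached in a <DefaultHostName> element.
    $cached = $null
    try {
        [xml]$prefs = Get-Content -LiteralPath $file -Raw
        $node = $prefs.SelectSingleNode("//*[local-name()='DefaultHostName']")
        if ($node) { $cached = $node.InnerText.Trim() }
    } catch {
        Write-Warning "Could not parse $file : $($_.Exception.Message)"
    }

    if ($cached -and ($profileHosts -notcontains $cached)) {
        Write-Warning "$file caches '$cached', which is not in the profile server list."
    }

    # Rename rather than delete so the old state can be inspected or restored.
    $backup = "$file.$stamp.bak"
    Move-Item -LiteralPath $file -Destination $backup
    Write-Host "Moved $file -> $backup"
}
```

A warning for a cached host that is missing from the profile matches the symptom in the question: the client keeps returning to the previously used gateway until the preferences files are recreated.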
08-05-2018 11:46 PM
That was it, thank you very much