
Anyconnect Scripting - OnConnect script

Martin Jelinek
Level 1

Hi all,

I'd like to ask if you have any hint about what I'm missing or was not able to get from the docs.
I'm trying to enable an OnConnect script which would run gpupdate once the VPN connection is successfully established.

From a configuration point of view it should be quite easy, but...

My requirement is to have the script distributed locally by our packaging system; basically I don't want to have the script stored locally on the ASA so that anyone who connects would download it from the ASA VPN. Actually this kind of distribution seems to be working fine (so far, from what I've tried).

I got problems when the script is distributed to clients by our client management system (SCCM).

I have defined an AnyConnect profile (.xml), created with the VPN profile editor and updated with the below, and also the actual script (a testing one, just Hello World, which is executable from the CLI):
- that should be enough to tell AnyConnect to run a script OnConnect if available (OnConnect_myscript.vbs)
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Contains:
<EnableScripting UserControllable="false">true
    <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
    <EnablePostSBLOnConnectScript>false</EnablePostSBLOnConnectScript>
</EnableScripting>

We have our VPN served by an ASA5540 running version 8.4(4)1.
I know that there might be some delay, so I added a 5s delay to the script.

Is there anything specific that I've missed and that needs to be allowed on the ASA VPN device? Any kind of configuration, etc.?

What I've also seen is that when I'm connecting to the VPN with AnyConnect, I can see some really strange behaviour in the client's Event Viewer.
There is EventID 3010, which shows what profile and values have been loaded by AnyConnect. At the beginning I can see it load the correct profile (C:\ProgramData\Cisco...\Profile\profile.xml), but after a while I can see that the profile was loaded again, but with DEFAULT values --> scripting disabled, which I believe is the reason the script is not executed.

Chronological order (just a summary of the important events):
Source - acvpnagent
1) EventID-3001  9:01:21  Loading preferences for the current user from profile C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml
2) EventID-3010  9:01:21  Current Preference settings (they are taken from the loaded .xml file and they match)
Source - acvpnui + acvpndownloader
3) EventID-1     9:01:56  Loaded profiles: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml
4) EventID-3010  9:01:56  Current preference settings --> they are default, do NOT match what is defined in the loaded profile .xml

Do you know what those Source processes are (acvpnagent, acvpnui, acvpndownloader), what the differences between them are, and what their actual impact on the process of AnyConnect VPN establishment is?

Thank you in advance for any hint.
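
An added example, not part of the original post and not Cisco's code: a Python check that reads a profile like the one quoted above and reports whether it enables scripting and whether the Script folder holds an OnConnect-prefixed file. The wrapper elements, namespace and file list are constructed, and treating a missing `<EnableScripting>` as disabled is an assumption that follows the default values the post reports seeing.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <EnableScripting> block is the one from the post;
# the wrapper elements and the namespace are assumptions about the layout.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true
        <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
        <EnablePostSBLOnConnectScript>false</EnablePostSBLOnConnectScript>
    </EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

def local(tag):
    """Strip any '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def scripting_settings(profile_xml):
    """Return the scripting preferences a profile sets (disabled if absent)."""
    settings = {"EnableScripting": False, "UserControllable": None,
                "TerminateScriptOnNextEvent": None,
                "EnablePostSBLOnConnectScript": None}
    for el in ET.fromstring(profile_xml).iter():
        if local(el.tag) != "EnableScripting":
            continue
        # Mixed content: the value is the text before the first child element.
        settings["EnableScripting"] = (el.text or "").strip().lower() == "true"
        settings["UserControllable"] = el.get("UserControllable")
        for child in el:
            name = local(child.tag)
            if name in settings:
                settings[name] = (child.text or "").strip().lower() == "true"
    return settings

def diagnose(profile_xml, script_names, event="OnConnect"):
    """List reasons an event script would not run for this profile and folder."""
    findings = []
    if not scripting_settings(profile_xml)["EnableScripting"]:
        findings.append("profile does not enable scripting")
    # Assumption: the client picks scripts by filename prefix (case-sensitive here).
    if not any(name.startswith(event) for name in script_names):
        findings.append(f"no script whose name starts with {event}")
    return findings

if __name__ == "__main__":
    print(scripting_settings(SAMPLE_PROFILE))
    print(diagnose(SAMPLE_PROFILE, ["OnConnect_myscript.vbs"]))
```

On a client, the same functions can be fed the text of the profile under the Profile folder and the directory listing of the Script folder named in the post.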
