
AnyConnect Secure Mobility Client Multiple Profiles

rsaritzky99
Level 1

Hi,

I have multiple clients that use multiple versions of VPNs including Cisco, Sonicwall and others.

I have a client with the (older) "Cisco Systems VPN Client".  Then I got a new client with instructions to install the "Cisco AnyConnect Secure Mobility Client".  Without warning, the installation uninstalled what I now believe was an older version of this same VPN client - but the name has changed, the installation directories have changed, etc.

OK, but the new client wiped out the connection parameters to the old client.

I've tried to read and understand the other discussion entries about storing multiple "profiles" (i.e. vpn connections).  Other VPN clients have a menu option or a simple way to add a connection, but it seems more challenging to do this with the AnyConnect client.  However, I read, and tried to set up, multiple profiles.  From the other discussions, I followed these steps:

1. Located the (hidden in Windows 7) following directory:

     %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

2. Created two XML files, "Client1.xml" and "Client2.xml", in this directory, containing:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Client1HostName</HostName>
      <HostAddress>Client1HostaddressDNS</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

{And a similar file for Client2}

There was another discussion thread that had more lines in the xml file, which I also tried.  Again, I created 2 separate xml files, each one with the respective client's parameters.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <User>navadmin</User>
      <SecondUser></SecondUser>
      <ClientCertificateThumbprint></ClientCertificateThumbprint>
      <ServerCertificateThumbprint></ServerCertificateThumbprint>
      <HostName>Client1</HostName>
      <HostAddress>Client1DNS</HostAddress>
      <Domain></Domain>
      <Group>ssl_url</Group>
      <ProxyHost></ProxyHost>
      <ProxyPort></ProxyPort>
      <SDITokenType>none</SDITokenType>
      <ControllablePreferences>
        <LocalLanAccess>true</LocalLanAccess>
      </ControllablePreferences>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

I then quit the AnyConnect Secure Mobility Client and restarted, hoping that I would get a dropdown list that contained "Client1" and "Client2".  This did not happen.

Prior to trying this, I did NOT delete the "Preferences.xml" file in the following directory:

C:\users\<myusername>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client

This is where the Anyconnect client stored the connection info when I manually input it into the GUI.

So, my questions are:

1.     Do I need to delete the preferences.xml in order for the profiles in the other directory to be read and displayed in the client dropdown?

2.     Are there naming conventions for the profile xml files that I'm not following by calling them "Client1.xml" and "Client2.xml"?

3.     Any other ideas as to why this isn't working?

4.     There are also references to a "profile editor", but the discussion threads aren't clear whether this utility is installed when you just install the client software, or if you have to have some sort of "administrator package" installed.  If so, is this package available for download, or do you need to purchase a full VPN client license in order to have access to this utility?

Thanks,

Ron


Richard Burts
Hall of Fame

1) I do not believe that deleting the preferences.xml will solve your problem. But I am certainly not authoritative on this.

2) When you establish a connection using AnyConnect the VPN device will download its profile file - if it is configured with a unique profile. Note that an xml profile is not required for AnyConnect and I have some customers who have implemented AnyConnect with no xml profile. If they have implemented xml profiles it is almost certain that they did not name it client1 or client2 and so I believe that your profiles will do no good.

3) Not sure at this point.

4) I loaded the profile editor. I am pretty sure that it was available on Cisco.com, and probably through the software download pages, which may mean that you have to have software download privileges to get it. And I think that the profile editor will do you little or no good. It is mostly for people who are implementing AnyConnect VPN servers and want to customize their xml profiles.

The AnyConnect profiles are quite different from the profiles used by the traditional Cisco IPSec VPN client. For the traditional client there was a pcf for each connection and the profile included the connection information. The AnyConnect client does not work the same way and does not use its profile in the same way. I know that when I start AnyConnect the drop down will have connection information for some of the customer sites that I work with and does not contain connection information for others. For these others I just need to remember and type in the connection information. I do not believe that there is much that you can do in your AnyConnect client to control what connections will show up in the drop down list.

HTH

Rick


Thanks Rick,

Based on what you said below, it seems like there's still a bit of a mystery as to how you can set up the connection "drop down" list to contain information for multiple connections.  Since there is a drop-down, I am making the assumption that there is a way.

Does anyone else understand the connection between profiles, the xml file and multiple "configurations" to access multiple VPNs?

Thx

Ron

Richard Burts wrote:

The AnyConnect client does not work the same way and does not use its profile in the same way. I know that when I start AnyConnect the drop down will have connection information for some of the customer sites that I work with and does not contain connection information for others. For these others I just need to remember and type in the connection information. I do not believe that there is much that you can do in your AnyConnect client to control what connections will show up in the drop down list.

Rick

Ron

You are quite welcome. I hope that perhaps someone who knows more about it may suggest a way to put more connections into the drop down.

HTH

Rick


I know this is an old thread (but since it comes up in google search results it's still valid).

The answer is simple:

To create more connections in the drop-down: you just blank what's there and type them in!

So in your example below, blank out Client1hostname and manually type Client2hostname. It will connect and ask for user/pass etc. From then on it will be in the list!

Intuitive? NOT!

-M

RSRathore_2
Level 1

The Client1.xml and Client2.xml files that you created have correct content but wrong names. You only need 1 file called Profile.xml and inside you can then add multiple hosts by adding the nodes.

So your Profile.xml would look like this -

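<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Client1HostName</HostName>
      <HostAddress>Client1HostaddressDNS</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Client2HostName</HostName>
      <HostAddress>Client2HostaddressDNS</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>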

I hope this helps.

Ratan.

Thank you. Adding another HostEntry section to the profile worked. It sure would be nice (and save me a lot of time!) if the client provided a way to add or import this information via the UI. Can't imagine why or how that was left out so far.

Just to add to this: open the file in a good reader like Notepad++ and just add a new entry (4 lines) in between <ServerList>:

<ServerList>
<HostEntry>
<HostName>***NAME 1***</HostName>
<HostAddress>***DNS NAME or IP***</HostAddress>
</HostEntry>
<HostEntry>
<HostName>***NAME 2***</HostName>
<HostAddress>***DNS NAME or IP***</HostAddress>
</HostEntry>
</ServerList>

Actually folks the correct method is designed to be controlled by the administrator of the ASA (or router - much less common) headend that is serving up the VPNs.

They have an option of including an AnyConnect client profile (default name is profile.xml but it can and should be changed to be unique) to be downloaded to connecting clients upon first connection. Following that occurrence, AnyConnect will check the client copy each time to see if it has the newest version as stored on the headend ASA.

If you want or need to create additional profiles and your ASA admin has not provided them as part of the VPN setup, you can create separate profile files locally on your computer. The default location is in the hidden folder "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" for most recent versions of Windows. (the AnyConnect admin guide lists all the locations for all supported operating systems and versions.)

Each remote access VPN should have its own unique profile. The profile governs potentially many aspects of the VPN behavior - the remote host name or address is just one of them.

The listing of available profiles in the dropdown list is based on the contents of the directory when the GUI is launched. Note that just closing the GUI drops it to the system tray - to relaunch it fresh you need to actually stop the "Cisco AnyConnect User Interface" process from task manager (or log out and then back in, reboot etc.)

Marvin and others, thanks for the reply to this old thread. The Use Case that I have is as follows... As a vendor, I work with many different clients who happen to use AnyConnect. So I need to configure my AnyConnect client to work with multiple VPNs. Clients are usually happy to send the appropriate profile files or details - and I can edit the configuration file in use or switch them around - but would much rather have a UI in the app that I could use to enter another connection. I am guessing this is just a use case that was not really anticipated or considered. Additionally it is probably not one that many people care about too much. At the same time, it would seem like a pretty easy problem to solve given the length and breadth of AnyConnect adoption.

You're welcome Paul - I share your use case. I work for a Cisco partner - I just happen to also be a network security engineer who works with ASAs and other Cisco security products almost every day. :)

There is a client side UI that can be used - although it's a bit of overkill since it's designed for AnyConnect admins to create profiles for pre-deployment.

It's the AnyConnect Profile Editor - VPN (there are also modules for all the other AnyConnect features - NAM, ISE Posture, Web Security, NVM, etc.). It can be downloaded by anyone with an active AnyConnect license associated with their cisco.com account.
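
Added example, not part of any post in this thread and not Cisco's code: a small Python audit of the profile XML files discussed above. It lists every HostEntry per file and reports files that do not parse and host names defined in more than one file. The function names and the `example.test` addresses are constructed for illustration, and treating a duplicate HostName as a finding is this example's own choice.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on namespaced tags.
    return tag.rsplit("}", 1)[-1]

def host_entries(xml_text):
    """Return one dict of child fields per <HostEntry> in a profile."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not expected in a profile")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if _local(root.tag) != "AnyConnectProfile":
        raise ValueError("root element is not AnyConnectProfile")
    return [{_local(c.tag): (c.text or "").strip() for c in node}
            for node in root.iter() if _local(node.tag) == "HostEntry"]

def audit(profiles):
    """profiles maps file name -> XML text. Returns (rows, findings)."""
    rows, findings, owner = [], [], {}
    for name in sorted(profiles):
        try:
            entries = host_entries(profiles[name])
        except (ET.ParseError, ValueError) as exc:
            findings.append(f"{name}: unreadable ({exc})")
            continue
        for entry in entries:
            host = entry.get("HostName", "")
            if not host:
                findings.append(f"{name}: HostEntry without HostName")
                continue
            if host in owner:
                findings.append(f"{name}: {host} also defined in {owner[host]}")
            owner.setdefault(host, name)
            rows.append((name, host, entry.get("HostAddress", "")))
    return rows, findings

# Constructed sample input, modelled on the profiles posted in the thread.
HEAD = ('<?xml version="1.0" encoding="UTF-8"?>\n'
        '<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ServerList>')
TAIL = "</ServerList></AnyConnectProfile>"

def make_entry(name, addr):
    return f"<HostEntry><HostName>{name}</HostName><HostAddress>{addr}</HostAddress></HostEntry>"

SAMPLE = {
    "Profile.xml": HEAD + make_entry("Client1HostName", "vpn1.example.test")
                   + make_entry("Client2HostName", "vpn2.example.test") + TAIL,
    "Other.xml": HEAD + make_entry("Client1HostName", "vpn9.example.test") + TAIL,
    "Broken.xml": HEAD + "<HostEntry><HostName>Client3HostName</HostName>" + TAIL,
}
```

To run it against real files, read each `*.xml` in the Profile directory into a dict keyed by file name and pass that to `audit`.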