
Anyconnect Trusted network detected - still attempts to connect

richyvrlimited, Level 1

As per the title, we're using DNS servers to confirm whether a client is on a trusted network. On first launch (and periodically throughout the day, as auto-reconnect is on), users are experiencing AnyConnect popping up and attempting to connect.

The connect fails as I've blocked internal access to the external addresses of the headend.

Why is AnyConnect still attempting to connect when it's detected it's on a trusted network?


Many thanks

9 Replies

Is this an FTD or ASA device?  If FTD is it managed by FMC or FDM?

Could you post the AnyConnect configuration as well as the AnyConnect Client Profile?

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

It's an FPR appliance running ASA code. I've sanitised the config below, removing any URLs and internal addresses etc.

Cheers

group-policy "GroupPolicy_xxxxxxxxxxxxxxxx" attributes
 dns-server value 10.10.10.10
 vpn-simultaneous-logins 150
 vpn-tunnel-protocol l2tp-ipsec ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Split-Tunnel
 default-domain value shk.nhs.uk
 msie-proxy method use-pac
 msie-proxy pac-url value http://xxxxxxxxxxxx.uk/wpad.dat
 webvpn
  anyconnect profiles value xxxxxxxxxxxxx type user
  always-on-vpn profile-setting

tunnel-group xxxxxxxxxxxxxxxx_Always_On webvpn-attributes
 authentication certificate
 group-url https://xxxxxxxxxx.uk/alwayson enable

webvpn
 enable OUTSIDE
 anyconnect-custom-attr dynamic-split-exclude-domains description dynamic-split-exclude-domains
 http-headers
  hsts-server
   enable
   max-age 31536000
   include-sub-domains
   no preload
  hsts-client
   enable
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.10.04071-webdeploy-k9.pkg 1
 anyconnect profiles alwayson disk0:/alwayson.xml
 anyconnect enable



<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreMac>All</CertificateStoreMac>
    <CertificateStoreLinux>All</CertificateStoreLinux>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>xxxxxx.uk</TrustedDNSDomains>
      <TrustedDNSServers>All our dns servers are in here</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>false
      </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <BackupServerList>
      <HostAddress>xxxxxxxxx.uk/alwayson</HostAddress>
    </BackupServerList>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>true
      <UserEnforcement>SameUserOnly</UserEnforcement>
    </RetainVpnOnLogoff>
    <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>yyyy</HostName>
      <HostAddress>yyyyyyyyyy.uk</HostAddress>
      <UserGroup>alwayson</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Does

dns-server value 10.10.10.10
default-domain value shk.nhs.uk

match what is configured in the trusted DNS servers in the AnyConnect client profile?

<TrustedDNSDomains>xxxxxx.uk</TrustedDNSDomains>
<TrustedDNSServers>All our dns servers are in here</TrustedDNSServers>


The DNS server value is a single entry; however, in the XML it contains all DNS servers available under the domain.

Cheers

And the dns-domain value? Does that match what is in TrustedDNSDomains?

Yep, both domains match; looks like I wasn't perfect in sanitising...

Would you be able to try to only use DNSDomains or TrustedDNSServers, and not both of them?


I can try, though within the XML config on ASDM it does state it's recommended to have all the DNS servers added?

Cheers

Yes, if you are using the TrustedDNSServers configuration field. I am suggesting that you use either TrustedDNSDomains or TrustedDNSServers, not both as you currently have configured.

<TrustedDNSDomains>xxxxxx.uk</TrustedDNSDomains>

or
<TrustedDNSServers>All our dns servers are in here</TrustedDNSServers>

I would suggest trying only using TrustedDNSDomains first.

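To make the trust decision behind the two profile fields discussed above concrete, here is an added example (not code from the thread, from Cisco, or from the poster) that parses the `<AutomaticVPNPolicy>` block, flags TrustedDNSServers entries that are not IP addresses (such as the placeholder text in the posted profile), and evaluates which policy TND would apply for a given adapter suffix and resolver list. The sample profile and adapter values are constructed, and the matching rules encoded in `is_trusted` (both configured lists must pass; every adapter resolver must be on the TrustedDNSServers list) are an assumption drawn from the "add all the DNS servers" advice mentioned in the thread, to be checked against the admin guide for your client version.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # namespace used by AnyConnect profiles

# Constructed sample: the posted <AutomaticVPNPolicy> block with two made-up resolver IPs.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>xxxxxx.uk</TrustedDNSDomains>
      <TrustedDNSServers>10.10.10.10,10.10.10.11</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""

def _csv(text):
    """TND fields hold comma separated lists; drop blanks and padding."""
    return [t.strip() for t in (text or "").split(",") if t.strip()]

def load_tnd(profile_xml):
    """Extract the TND settings and collect configuration findings."""
    pol = ET.fromstring(profile_xml).find("ac:ClientInitialization/ac:AutomaticVPNPolicy", NS)
    if pol is None or (pol.text or "").strip().lower() != "true":
        return {"domains": [], "servers": [], "trusted": None, "untrusted": None,
                "findings": ["AutomaticVPNPolicy is not 'true'; TND is off"]}
    tnd = {"domains": [d.lower() for d in _csv(pol.findtext("ac:TrustedDNSDomains", None, NS))],
           "servers": _csv(pol.findtext("ac:TrustedDNSServers", None, NS)),
           "trusted": pol.findtext("ac:TrustedNetworkPolicy", None, NS),
           "untrusted": pol.findtext("ac:UntrustedNetworkPolicy", None, NS), "findings": []}
    for s in tnd["servers"]:
        try:
            ipaddress.ip_address(s)
        except ValueError:  # e.g. the placeholder text left in the posted profile
            tnd["findings"].append(f"TrustedDNSServers entry is not an IP: {s!r}")
    return tnd

def is_trusted(tnd, suffix, dns_servers):
    """Assumed TND rules (verify for your client version): each configured list must pass;
    domains match the adapter DNS suffix (wildcards ok); every adapter resolver must be listed."""
    dom_ok = not tnd["domains"] or any(fnmatch.fnmatch(suffix.lower(), d) for d in tnd["domains"])
    srv_ok = not tnd["servers"] or (bool(dns_servers) and all(s in tnd["servers"] for s in dns_servers))
    return bool(tnd["domains"] or tnd["servers"]) and dom_ok and srv_ok

def decide(tnd, suffix, dns_servers):
    """Policy TND applies to this adapter (Disconnect or Connect in the posted profile)."""
    return tnd["trusted"] if is_trusted(tnd, suffix, dns_servers) else tnd["untrusted"]
```

Running `decide` against each adapter's suffix and resolver list shows why an extra resolver handed out by local DHCP, or a profile left with only one of the two fields, flips the result between Disconnect and Connect.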