Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7353
Views
0
Helpful
3
Replies

AnyConnect Trusted Network Detection (TND) - how does it know it's on a trusted network?

matty-boy
Level 1
Level 1

‎12-20-2018 03:43 PM - edited ‎12-20-2018 03:43 PM

Hello (and almost Merry Christmas!),

 

Does anyone know exactly how AnyConnect decides if it's on a trusted network? I had a strange fault recently on a customer site where the VPN kept coming up even when the user was on-net. The DART bundle logged the following message:-

 

Untrusted Network detected: Policy is to Connect
(The interface <x.x.x.x> is untrusted, because DNS Domain is not among the configured TND DNS Domain *.my_company.com)

 

Now my first thought was that AnyConnect examines the DNS domain pushed down via DHCP (or statically configured) as reported in an ipconfig /all against the active network adapter for the "Connection-specific DNS Suffix". I came to this conclusion because it was blank for the affected users. However, users at other sites also had a blank entry here but AnyConnect knew it was on the trusted network so did not bring up the VPN.

 

So my question is: how does AnyConnect decide if it's connected to a trusted network or not? Is there some funky AD shizzle that goes on in the background that AnyConnect can somehow tap into and query? Or a registry entry? Or.....?

 

Any help/advice here is very much appreciated!

 

By the way, the underlying problem turned out to be that something went wrong with that site's primary router. It failed over to a 4G backup router that didn't have access to the DCs so that makes sense as the client couldn't talk to the domain. But I still want to know exactly how AnyConnect knows?

 

Many thanks,

Matt.

 

 

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎12-21-2018 03:56 AM

Hi Matt,
The AnyConnect Client can be configured using the (AnyConnect Profile Editor) to detect whether on a trusted or untrusted network. The profile can be configured with the Trusted DNS Domains and DNS Servers and can be pushed out from the ASA or via AD GPO, it can be configured to disconnect|pause|donothing|connect upon detection of a Trusted Network.

HTH
0 Helpful

matty-boy
Level 1
Level 1
In response to Rob Ingram

‎12-21-2018 04:02 AM

Hello RJI,

 

Thank you for your response. I am aware that the function is available. In fact I'm using it right now. However, I need to know EXACTLY how AnyConnect detects if it's on trusted network at a low level.

 

Cheers,

Matt.

0 Helpful

Rob Ingram
VIP
VIP
In response to matty-boy

‎12-21-2018 08:07 AM

Well not much information out there, but if the client computer receives via DHCP the DNS Domain Suffix and DNS Servers values which matches the same values defined in the AnyConnect Profile then the computer is considered to be on a trusted network.

You can also define a URL of a server to test reachability (this server should only be accessible on the local network, not via the internet), if this succeeds then the computer is on a trusted network.

HTH
0 Helpful
Customers Also Viewed These Support Documents