AnyConnect Trusted Network Detection (TND) - how does it know it's on a trusted network?

matty-boy
Level 1

Hello (and almost Merry Christmas!),

Does anyone know exactly how AnyConnect decides if it's on a trusted network? I had a strange fault recently on a customer site where the VPN kept coming up even when the user was on-net. The DART bundle logged the following message:

Untrusted Network detected: Policy is to Connect
(The interface <x.x.x.x> is untrusted, because DNS Domain is not among the configured TND DNS Domain *.my_company.com)

Now my first thought was that AnyConnect examines the DNS domain pushed down via DHCP (or statically configured) as reported in an ipconfig /all against the active network adapter for the "Connection-specific DNS Suffix". I came to this conclusion because it was blank for the affected users. However, users at other sites also had a blank entry here but AnyConnect knew it was on the trusted network so did not bring up the VPN.

So my question is: how does AnyConnect decide if it's connected to a trusted network or not? Is there some funky AD shizzle that goes on in the background that AnyConnect can somehow tap into and query? Or a registry entry? Or.....?

Any help/advice here is very much appreciated!

By the way, the underlying problem turned out to be that something went wrong with that site's primary router. It failed over to a 4G backup router that didn't have access to the DCs so that makes sense as the client couldn't talk to the domain. But I still want to know exactly how AnyConnect knows?

Many thanks,

Matt.

3 Replies

Hi Matt,
The AnyConnect Client can be configured using the AnyConnect Profile Editor to detect whether it is on a trusted or untrusted network. The profile can be configured with the Trusted DNS Domains and DNS Servers and can be pushed out from the ASA or via AD GPO; it can be configured to disconnect|pause|donothing|connect upon detection of a Trusted Network.

HTH

Hello RJI,

Thank you for your response. I am aware that the function is available. In fact I'm using it right now. However, I need to know EXACTLY how AnyConnect detects if it's on trusted network at a low level.

Cheers,

Matt.

Well, not much information out there, but if the client computer receives via DHCP the DNS Domain Suffix and DNS Servers values that match the same values defined in the AnyConnect Profile, then the computer is considered to be on a trusted network.

You can also define a URL of a server to test reachability (this server should only be accessible on the local network, not via the internet), if this succeeds then the computer is on a trusted network.

HTH
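To make the decision rule from the two answers above concrete (profile-defined Trusted DNS Domains and DNS Servers compared against what the adapter received, plus an optional on-net-only reachability probe), here is an added illustrative model written for this thread. It is not AnyConnect's code and not from Cisco; the exact matching semantics inside AnyConnect (wildcard handling, whether all or any DNS servers must match, how multiple adapters are combined) are assumptions, and the profile values, interface addresses and the "tnd-check" URL are constructed sample data. The untrusted reason string is formatted to mirror the DART log line quoted in the question.

```python
"""Illustrative model of AnyConnect Trusted Network Detection (TND).

NOT AnyConnect's own code. It models the rule described in the thread: an
adapter counts as trusted when the DNS suffix and DNS servers it received
(typically via DHCP) match the Trusted DNS Domains / Trusted DNS Servers in
the client profile, optionally plus a reachability probe of a server that is
only reachable on the local network. Matching semantics are assumptions.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class TndProfile:
    """Subset of the TND settings set in the AnyConnect Profile Editor."""
    trusted_dns_domains: List[str]             # e.g. ["*.my_company.com"]
    trusted_dns_servers: List[str]             # e.g. ["10.1.1.10"]
    trusted_server_url: Optional[str] = None   # assumed: URL only reachable on-net
    trusted_policy: str = "Disconnect"         # Disconnect | Pause | DoNothing
    untrusted_policy: str = "Connect"          # Connect | DoNothing


@dataclass
class Interface:
    """What 'ipconfig /all' reports for one active adapter (constructed)."""
    address: str
    dns_suffix: str                            # Connection-specific DNS Suffix
    dns_servers: List[str] = field(default_factory=list)


def domain_matches(suffix: str, patterns: List[str]) -> bool:
    """Case-insensitive wildcard match; a blank suffix never matches (assumption)."""
    suffix = suffix.strip().lower()
    if not suffix:
        return False
    return any(fnmatch.fnmatchcase(suffix, p.strip().lower()) for p in patterns)


def evaluate_interface(iface: Interface, profile: TndProfile,
                       reachable: Optional[Callable[[str], bool]] = None
                       ) -> Tuple[bool, str]:
    """Return (trusted?, reason), the reason styled like the DART log line."""
    domains = " ".join(profile.trusted_dns_domains)
    # 1. DNS suffix must match a configured TND DNS Domain.
    if not domain_matches(iface.dns_suffix, profile.trusted_dns_domains):
        return False, (f"The interface <{iface.address}> is untrusted, because DNS "
                       f"Domain is not among the configured TND DNS Domain {domains}")
    # 2. Assumption: at least one adapter DNS server must be a trusted server.
    if profile.trusted_dns_servers and not any(
            s in profile.trusted_dns_servers for s in iface.dns_servers):
        return False, (f"The interface <{iface.address}> is untrusted, because none of "
                       f"its DNS servers {iface.dns_servers} are configured TND DNS Servers")
    # 3. Optional probe of a server that only answers on the local network.
    if profile.trusted_server_url is not None:
        if reachable is None or not reachable(profile.trusted_server_url):
            return False, (f"The interface <{iface.address}> is untrusted, because "
                           f"{profile.trusted_server_url} is not reachable")
    return True, f"The interface <{iface.address}> is trusted"


def decide(interfaces: List[Interface], profile: TndProfile,
           reachable: Optional[Callable[[str], bool]] = None
           ) -> Tuple[str, List[str]]:
    """Policy action for the host: trusted if ANY active adapter is trusted (assumption)."""
    reasons: List[str] = []
    for iface in interfaces:
        trusted, reason = evaluate_interface(iface, profile, reachable)
        reasons.append(reason)
        if trusted:
            return profile.trusted_policy, reasons
    return profile.untrusted_policy, reasons


# Constructed sample data: the profile domain from the thread and two adapters.
PROFILE = TndProfile(["*.my_company.com"], ["10.1.1.10", "10.1.1.11"])
ON_NET = Interface("10.20.30.40", "corp.my_company.com", ["10.1.1.10"])
# The failover case from the question: the backup router's DHCP handed out no
# suffix, so the adapter looks untrusted even though the user is "in the office".
FAILOVER_4G = Interface("10.20.30.40", "", ["10.1.1.10"])

if __name__ == "__main__":
    for iface in (ON_NET, FAILOVER_4G):
        action, why = decide([iface], PROFILE)
        print(f"{action:10s} {why[-1]}")
```

Running it prints a Disconnect decision for the on-net adapter and a Connect decision for the failover adapter with the same "DNS Domain is not among the configured TND DNS Domain *.my_company.com" reason seen in the DART bundle, which is why a blank Connection-specific DNS Suffix is the first thing to check when TND misfires.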