ASA Anyconnect XML Profiles - How are they Updated?

j.a.m.e.s
Level 3

All,

I understand that AnyConnect will attempt to download the XML file from the ASA every time it connects to the VPN.

1. Does this mean the user needs write access to the %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Profiles directory?

2. What does the AnyConnect client do if there are multiple XML files within that directory?

Many thanks,

James.


6 Replies

@j.a.m.e.s 

I believe SYSTEM has R/W rights to the Profile folder, not the user; the AnyConnect client service runs as local system. You don't explicitly need to set permissions for a user on the folder.

If there are multiple XML profiles then all connection profiles are displayed in the drop down list.

That file access makes some sense. If I look carefully in the task manager I can see:

* vpnagent = running with blank username (this is a service running as "local system" I think)

* vpndownloader = starts briefly after connecting, but it's running as my user account

So presumably vpnagent would be responsible for saving the XML to the folder?

In terms of multiple xml profiles though...some of the settings conflict with each other. For example, one profile might enable OnConnect scripting, the next might disable it. Is AnyConnect capable of matching the current VPN connection to the xml file associated with it?

Mike.Cifelli
VIP Alumni
Accepted Solution

-AFAIK vpndownloader.exe is responsible for taking care of any changes and new deployments received from the ASA. Note that vpndownloader appears every time a connection is established with the ASA VPN, and it determines whether there are any changes in the profiles, group policy, etc. Once the changes are done, or if there are no changes, vpndownloader exits.

In terms of multiple xml profiles though...some of the settings conflict with each other. For example, one profile might enable OnConnect scripting, the next might disable it. Is AnyConnect capable of matching the current VPN connection to the xml file associated with it?

-Each unique profile would have a different HostName xml tag within the profile. This tag definition is what you would see via the AnyConnect GUI (vpnui.exe is simply the AnyConnect user interface) in the drop down that @Rob Ingram mentioned.

Examples:

profile1.xml:<HostName>Profile1</HostName>

profile2.xml:<HostName>Profile2</HostName>

Then in AC UI user would have Profile1 & Profile2 appear.  Each with their own settings etc.  HTH!

Thanks Mike, I'm going to check this and will post back later on.

Milos_Jovanovic
VIP Alumni

Hi @j.a.m.e.s,

Next to what @Rob Ingram and @Mike.Cifelli already stated, pay close attention not to have multiple profiles for the same connection. More often than I would like, I see in customers' environments that they simply create a new profile, with a new name but with the old Hostname/User Group (without deleting the old profile on client devices), so the profiles conflict and you can never know which one AC will choose. In that case, users start reporting weird behaviour, depending on the differences between the profiles (e.g. one profile is instructed to use a script, but the other isn't).

Also, I never faced an issue in which profile download required privilege elevation, so explicit access for this is not required.

BR,

Milos
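To make the two points above concrete (Mike's per-profile HostName tags, and Milos's warning about two files carrying the same Hostname/User Group with different settings), here is an added example that is not from this thread or from Cisco. It is a Python script that parses every XML profile in a directory, lists the HostName labels the client drop-down would offer, and flags files whose HostEntry elements collide, printing each file's EnableScripting value side by side. The three embedded profiles are constructed for the example and abbreviated (real files carry an XML declaration and many more ClientInitialization settings); the element names used (AnyConnectProfile, ClientInitialization, EnableScripting, ServerList, HostEntry, HostName, HostAddress, UserGroup) are the standard profile schema as far as I know, and the directory you pass on the command line is your own.

```python
"""Enumerate AnyConnect client XML profiles and flag conflicting HostEntry
definitions: same HostName (drop-down label) or same HostAddress/UserGroup in two files."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample profiles for this example (not real deployments). The XML
# declaration and most ClientInitialization settings are omitted for brevity.
SAMPLE_PROFILES = {
    "corp.xml": """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Employees</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>""",
    # A re-issued profile with a new file name but the old HostName/UserGroup,
    # and scripting switched off: the stale-profile situation described above.
    "corp-v2.xml": """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">false</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Employees</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>""",
    # A distinct profile with its own HostName: no conflict with the others.
    "lab.xml": """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Lab VPN</HostName>
      <HostAddress>lab-vpn.example.com</HostAddress>
      <UserGroup>Lab</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>""",
}

def _text(parent, tag):
    """Stripped text of the first child <tag> in any namespace, or '' if absent."""
    el = parent.find("{*}" + tag)
    return (el.text or "").strip() if el is not None else ""

def parse_profile(xml_data):
    """EnableScripting flag plus HostName/HostAddress/UserGroup of each HostEntry."""
    root = ET.fromstring(xml_data)
    init = root.find("{*}ClientInitialization")
    scripting = init is not None and _text(init, "EnableScripting").lower() == "true"
    entries = [{tag: _text(he, tag) for tag in ("HostName", "HostAddress", "UserGroup")}
               for he in root.iterfind("{*}ServerList/{*}HostEntry")]
    return {"EnableScripting": scripting, "entries": entries}

def load_profile_dir(directory):
    """Read every *.xml in the client's profile directory as {file name: bytes}."""
    return {p.name: p.read_bytes() for p in sorted(Path(directory).glob("*.xml"))}

def dropdown_labels(profiles):
    """HostName labels the client UI would offer, de-duplicated and sorted: two
    files sharing a HostName collapse into one indistinguishable entry."""
    labels = set()
    for data in profiles.values():
        labels.update(e["HostName"] for e in parse_profile(data)["entries"])
    return sorted(labels)

def find_conflicts(profiles):
    """One record per HostName, and per HostAddress/UserGroup pair, that appears
    in more than one file, with each file's EnableScripting value."""
    parsed = {name: parse_profile(data) for name, data in profiles.items()}
    by_label, by_target = defaultdict(set), defaultdict(set)
    for name, prof in parsed.items():
        for e in prof["entries"]:
            by_label[e["HostName"]].add(name)
            by_target[e["HostAddress"].lower() + "/" + e["UserGroup"]].add(name)
    conflicts = []
    for kind, index in (("duplicate HostName", by_label),
                        ("duplicate HostAddress/UserGroup", by_target)):
        for key, files in index.items():
            if len(files) > 1:
                conflicts.append({"kind": kind, "key": key, "files": sorted(files),
                                  "scripting": {f: parsed[f]["EnableScripting"] for f in sorted(files)}})
    return conflicts

if __name__ == "__main__":
    # With no argument, run against the embedded samples; otherwise scan a directory.
    profiles = load_profile_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PROFILES
    print("Drop-down labels:", ", ".join(dropdown_labels(profiles)))
    for c in find_conflicts(profiles):
        print(f"CONFLICT ({c['kind']}) {c['key']}: {', '.join(c['files'])};"
              f" EnableScripting per file = {c['scripting']}")
```

Run it with the profile directory from the question as its argument (confirm the exact folder name on your install) and it prints the labels the drop-down will show plus any collision. The embedded samples reproduce the case Milos describes: the drop-down shows a single "Corp VPN" entry, yet two files claim it with opposite EnableScripting values, and the client has no way to tell which one you meant.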

@Mike.Cifelli 

Thank you for this insight into the XML matching process. My testing also shows AnyConnect is behaving like this.

@Milos_Jovanovic @Rob Ingram

Thank you for the advice on making it an unambiguous match and the file permissions for the ProgramData dir. I wasn't able to verify this, but if you've never faced an issue, I'm happy with that.
