05-18-2022 02:57 PM
I have 2 ASA firewalls for which I am configuring the AnyConnect app in Azure AD.
Firewall A works fine, SSO takes care of autologon using MFA in Azure AD.
Firewall B also works, but differently. SSO still handles the autologon using MFA in Azure AD, but additionally a web page titled AnyConnect Secure Mobility Client pops up and says "You have successfully authenticated. You may now close this browser tab."
How on this green earth do I turn that off?!?! It only happens on 1 of the firewalls, and both are configured exactly the same, except, of course, for the base URL and the ca cert that is specific to the app.
It is driving me absolutely insane!
Thank you in advance for any assistance!
08-08-2022 06:16 AM
Turns out it was a difference in IOS versions. The one that did NOT have the annoying popup was running 9.10.1, the one that did have the popup was running 9.9.1. Upgraded to 9.10.1, and no popup! Problem solved.
05-18-2022 06:08 PM
Can you please provide the output of show run webvpn
And the screenshot of what you are getting?
Thanks
05-19-2022 06:06 AM
sho run webvpn from firewall that is showing the extra web page:
webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
saml idp https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
url sign-in https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
base-url https://vpn.company.com
trustpoint idp ASDM_MFA_SAML
trustpoint sp 2022_AnyConnect_TrustPoint
no signature
no force re-authentication
tunnel-group-list enable
cache
no disable
error-recovery disable
sho run webvpn from firewall that is working as desired:
webvpn
enable OUTSIDE
anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
anyconnect enable
saml idp https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/
url sign-in https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/saml2
base-url https://vpn.company.com
trustpoint idp ASDM_MFA_SAML
trustpoint sp 2022_AnyConnect_TrustPoint
no signature
no force re-authentication
tunnel-group-list enable
cache
no disable
error-recovery disable
Screenshot of the unwanted web site attached.
As stated originally, both VPN connections work. It's just that this web site is an annoyance, and we are trying to standardize. Not sure why one does this and one doesn't.
05-19-2022 06:18 AM
Are you using any profiles? I just tested mine and it does show me that page, but within a blink it goes away. I am checking my profiles to remember if there was a setting in addition to minimize the Cisco AnyConnect.
05-19-2022 06:54 AM
I'll put it this way. I am not intentionally using any profiles. Let me check when I get back from my data center run, and I'll see what I can find out.
05-19-2022 07:59 AM
This is from the firewall with the page popup:
group-policy REMOTE_ACCESS_POLICY attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 3
vpn-idle-timeout 5
vpn-session-timeout 720
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
split-dns value company.com
webvpn
anyconnect keep-installer installed
anyconnect dpd-interval client 20
anyconnect profiles value Annyconnect_VPN_Profile type user
anyconnect ask none default anyconnect
always-on-vpn profile-setting
This is from the firewall that works as desired:
group-policy REMOTE_ACCESS_POLICY attributes
wins-server none
dns-server value x.x.x.x
vpn-simultaneous-logins 3
vpn-idle-timeout 5
vpn-session-timeout 720
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
split-dns value company.com
webvpn
anyconnect keep-installer installed
anyconnect dpd-interval client 20
anyconnect profiles value anyconnect-vpn-company_client_profile type user
anyconnect ask none default anyconnect
always-on-vpn profile-setting
Other references to profiles come from a copy of this policy made by a previous engineer, and the profile reference under the call-home settings. Otherwise, I'm not finding anything different other than names.
05-19-2022 10:02 AM
Can you compare the two profiles in this scenario? I see there are two profiles here:
Annyconnect_VPN_Profile
anyconnect-vpn-company_client_profile
You can use the VPN profile editor or use notepad++ to compare both XML files while I check on my side as well.
Thanks
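One way to do the profile comparison suggested above, as an added example that is not part of the original thread: a setting-by-setting diff of two AnyConnect client profile XML files. The two profiles are constructed samples (element names assumed from the AnyConnect profile schema, values illustrative), and `flatten` and `diff_profiles` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not taken from the thread); element names follow
# the AnyConnect client profile schema, values are illustrative assumptions.
PROFILE_A = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry><HostName>VPN</HostName><HostAddress>vpn.company.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""
# Second constructed profile: same as A except for one setting and its attribute.
PROFILE_B = PROFILE_A.replace(
    '<MinimizeOnConnect UserControllable="true">true',
    '<MinimizeOnConnect UserControllable="false">false')


def flatten(xml_text):
    """Map every leaf element path and every attribute to its value."""
    out = {}

    def walk(node, path):
        for name, value in node.attrib.items():
            out[f"{path}@{name}"] = value
        children = list(node)
        if not children:
            out[path] = (node.text or "").strip()
        seen = {}
        for child in children:
            tag = child.tag.split("}", 1)[-1]      # drop the XML namespace
            seen[tag] = seen.get(tag, 0) + 1       # index repeated siblings
            walk(child, f"{path}/{tag}[{seen[tag]}]")

    root = ET.fromstring(xml_text)
    walk(root, "/" + root.tag.split("}", 1)[-1])
    return out


def diff_profiles(a_text, b_text):
    """Return {path: (value_in_a, value_in_b)} for each setting that differs."""
    a, b = flatten(a_text), flatten(b_text)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}


if __name__ == "__main__":
    for path, (left, right) in diff_profiles(PROFILE_A, PROFILE_B).items():
        print(f"{path}: {left!r} -> {right!r}")
```

To use it on real files, read each profile's text from disk and pass the two strings to `diff_profiles`; a setting present in only one profile shows up with `None` on the other side.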
05-19-2022 11:00 AM
So, here's an issue. The profile editor is completely blank! No profiles. Not sure how this has ever worked with standard AnyConnect let alone how the first firewall is working with SAML config! No xml files except for a file called data.xml in a directory called sdesktop on disk0:. Now I'm really confused!
05-19-2022 11:47 AM
This is interesting, your policy says there are profiles configured and chose
Can you do the output of show disk0:
Check your local computer as well; it's under C>Program Data>Cisco>Anyconnect>Profiles
Changes to the way the Anyconnect window behaves are generally done under profiles
05-19-2022 12:35 PM
--#-- --length-- -----date/time------ path
12 4096 Dec 05 2016 11:06:14 log
14 2546 Nov 24 2021 14:35:11 log/asa-appagent.log
25 4096 Oct 04 2013 15:09:42 crypto_archive
28 4096 Oct 04 2013 15:09:52 coredumpinfo
29 59 Oct 04 2013 15:09:52 coredumpinfo/coredump.cfg
130 89837568 Dec 05 2016 10:41:22 asa962-smp-k8.bin
131 26053720 Dec 05 2016 10:44:46 asdm-762-150.bin
132 4096 Jan 10 2014 03:07:08 tmp
133 5205 Feb 11 2014 06:44:24 oldconfig_2014Feb11_1943.cfg
134 12998641 Oct 04 2013 15:18:02 csd_3.5.2008-k9.pkg
135 4096 Oct 04 2013 15:18:02 sdesktop
151 1462 Oct 04 2013 15:18:02 sdesktop/data.xml
136 110020608 Feb 15 2018 21:45:14 asa991-smp-k8.bin
137 74680647 Jan 21 2020 12:24:20 anyconnect-win-4.8.01090-webdeploy-k9.pkg
138 524266 Mar 04 2020 19:42:48 test.pcap
139 657108 Apr 11 2021 23:39:44 crashinfo_20210411_233930_UTC
26 4096 Mar 07 2014 09:12:36 snmp
27 4 Mar 07 2014 09:12:36 snmp/single_vf
140 671363 Aug 27 2021 16:24:04 crashinfo_20210827_162350_UTC
141 658926 Nov 22 2021 16:53:34 crashinfo_20211122_165322_UTC
142 653268 Nov 24 2021 14:32:58 crashinfo_20211124_143246_UTC
143 656682 Oct 08 2020 19:02:54 crashinfo_20201008_190242_UTC
153 34143680 May 17 2022 15:38:43 asdm-7101.bin
None of the XML files on my local machine make any reference to the URL that is coming up. Not sure which tag to look at.
05-19-2022 01:38 PM
Not sure what tags to look for in the profile XML files on the local machine.
Here's a list of my files from the broken firewall:
--#-- --length-- -----date/time------ path
100 108563072 Nov 19 2019 13:58:48 asa982-lfbff-k8.SPA
101 26970456 Nov 19 2019 13:59:18 asdm-782.bin
102 63 May 09 2022 23:13:59 .boot_string
11 4096 Nov 19 2019 14:02:28 log
111 625 Jan 24 2020 14:41:32 log/asa-appagent.log
103 74680647 Jan 22 2020 11:56:28 anyconnect-win-4.8.01090-webdeploy-k9.pkg
104 614974 Jan 24 2020 14:39:38 crashinfo_20200124_143815_UTC
105 111335824 Jan 24 2020 14:56:54 asa984-15-lfbff-k8.SPA
112 4096 Apr 22 2022 08:26:58 snmp
113 4 Apr 22 2022 08:26:58 snmp/single_vf
22 4096 Nov 19 2019 14:06:46 coredumpinfo
23 59 Nov 19 2019 14:06:46 coredumpinfo/coredump.cfg
21 4096 Jan 16 2020 08:58:36 crypto_archive
05-31-2022 07:36 AM
Anyone have any other thoughts on this?
05-31-2022 07:39 AM
Sorry James... I got busy... I will look more into it while someone here tries to assist as well.
05-31-2022 08:14 AM
I understand busy! It's all good, was just curious if anyone could explain what was up with it. Seems odd, unless it's a code version difference. The one that works is 9.10 and the one that has the web page to manually close is 9.9. Wouldn't think that would cause such a difference, but who knows.
05-31-2022 09:44 AM - edited 05-31-2022 09:47 AM
I have seen that new page recently on a customer deployment that's using Duo SSO for SAML authentication. I wasn't sure if it was something on the SSO provider side or not. The mini-browser page does auto-close after a few seconds.
I have another customer with a different iDP for SAML auth and their website does not show the success page at all.