10-26-2017 12:20 AM - edited 03-12-2019 04:40 AM
Currently using ASDM 7.8(1) and AnyConnect 3.1.13015
For the preferences_global.xml stored in programdata, how is this file built?
Specifically the entries,
<DefaultHostName>vpn.contoso.com</DefaultHostName>
<DefaultHostAddress>1.2.3.4:443</DefaultHostAddress>
Where are these entries being pulled from? I've tried overwriting them on the local PC, but they immediately revert back to the previous values when the VPN is reconnected.
Thank you in advance!
10-30-2017 08:05 AM
I've determined the cause of this issue.
The AnyConnect Client Profile, StartBeforeLogon, had identical entries for the Host Display Name and FQDN.
I've changed the Host Display Name to VPN SBL.
This issue then corrected itself.
Now if this was the only AnyConnect Client Profile on the ASA, I would argue that despite identical names, the issue wouldn't have shown up and everything would function normally.
However, this particular ASA has at least 13 profiles, all with identical Host Display Names (but different User Groups). I suspect this issue has been with us the whole time, but only materialized when we decided to turn on support for Start Before Logon.
So, issue resolved, thank you for your time!
Alfredo
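A check for the condition described in this answer, added here as an example and not taken from the thread or from Cisco: it parses a set of AnyConnect client profile XML files and reports any Host Display Name (`HostName`) that maps to more than one distinct `HostAddress`/`UserGroup` target. The sample profiles, file names and the `staff`/`contractors` groups are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _profile(name, addr, group, ns=""):
    # Builds a minimal constructed profile; real profiles carry many more elements.
    return (f"<AnyConnectProfile{ns}><ServerList><HostEntry>"
            f"<HostName>{name}</HostName><HostAddress>{addr}</HostAddress>"
            f"<UserGroup>{group}</UserGroup></HostEntry></ServerList></AnyConnectProfile>")

# Constructed sample input: two profiles share a display name, one is unique.
PROFILES = {
    "sbl.xml": _profile("vpn.contoso.com", "vpn.contoso.com", "startbeforelogon"),
    "staff.xml": _profile("vpn.contoso.com", "vpn.contoso.com", "staff",
                          ns=' xmlns="http://schemas.xmlsoap.org/encoding/"'),
    "contractors.xml": _profile("VPN Contractors", "vpn.contoso.com", "contractors"),
}

def _local(tag):
    # Drop any "{namespace}" prefix so namespaced and plain profiles parse alike.
    return tag.rsplit("}", 1)[-1]

def host_entries(xml_text):
    """Yield (HostName, HostAddress, UserGroup) for every HostEntry in a profile."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "HostEntry":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            yield (fields.get("HostName", ""), fields.get("HostAddress", ""),
                   fields.get("UserGroup", ""))

def find_collisions(profiles):
    """Return display names that point at more than one (address, group) target."""
    seen = defaultdict(set)
    for fname, text in profiles.items():
        for name, addr, group in host_entries(text):
            seen[name.lower()].add((fname, addr, group))
    return {name: sorted(hits) for name, hits in seen.items()
            if len({(a, g) for _, a, g in hits}) > 1}

if __name__ == "__main__":
    for name, hits in find_collisions(PROFILES).items():
        print(f"Display name '{name}' is ambiguous:")
        for fname, addr, group in hits:
            print(f"  {fname}: HostAddress={addr} UserGroup={group}")
```

To run it against real profiles, replace `PROFILES` with a dict of file name to file contents read from the exported profile XML files.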
10-26-2017 05:59 AM
10-26-2017 07:34 AM
Thank you for your quick response!
The reason for editing the preferences_global.xml file is that I'm currently troubleshooting an AnyConnect Client Profile that has Start Before Logon enabled with authentication being handled by certificates. The AnyConnect client can successfully log in to the ASA with this profile while the Windows user is logged in. However, the AnyConnect client cannot log in when the Windows user is at the Windows login prompt. The error given by AnyConnect is
AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy.
After reading through the documentation, it sounds like Cisco AnyConnect uses the preferences_global.xml file for its Start Before Logon module, and I assumed it's trying to source the host address specified in there. However, the host address specified in the preferences_global.xml file is an IP, not an FQDN, which I'm guessing is why the certificate authentication fails.
The AnyConnect profile that we're using has the FQDN specified for the server host address.
<ServerList>
  <HostEntry>
    <HostName>vpn.contoso.com</HostName>
    <HostAddress>vpn.contoso.com</HostAddress>
    <UserGroup>startbeforelogon</UserGroup>
I'm at a loss as to why the IP address of the VPN is being placed in the preferences_global.xml file and not the FQDN.
Again, thank you for your help with this!
10-26-2017 05:27 PM