
Modify preferences_global.xml

Alfredo_1
Level 1

Currently using ASDM 7.8(1) and AnyConnect 3.1.13015

 

For the preferences_global.xml stored in programdata, how is this file built?

 

Specifically the entries,

<DefaultHostName>vpn.contoso.com</DefaultHostName>
<DefaultHostAddress>1.2.3.4:443</DefaultHostAddress>

 

Where are these entries being pulled from?  I've tried overwriting them on the local PC, but they immediately revert back to the previous values when the VPN is reconnected.

 

Thank you in advance!

Rahul Govindan
VIP Alumni
The preferences update based on the last connection attempt. For a user, the file location is "C:\Users\<username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client". You can edit that file, but this will automatically change based on the last connection. What is the reason for editing this file?

Thank you for your quick response!

 

The reason for editing the preferences_global.xml file is that I'm currently troubleshooting an AnyConnect Client Profile that has Start Before Logon enabled with authentication being handled by certificates.  The AnyConnect client can successfully log in to the ASA with this profile while the Windows user is logged in.  However, the AnyConnect client cannot log in when the Windows user is at the Windows login prompt.  The error given by AnyConnect is

AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy.

After reading through the documentation, it sounds like Cisco AnyConnect uses the preferences_global.xml file for its Start Before Logon module, and I assumed it's trying to source the host address specified in there.  However, the host address specified in the preferences_global.xml file is an IP, not an FQDN, which I'm guessing is why the certificate authentication fails.

 

The AnyConnect profile that we're using has the FQDN specified for the server host address.

<ServerList>
  <HostEntry>
    <HostName>vpn.contoso.com</HostName>
    <HostAddress>vpn.contoso.com</HostAddress>
    <UserGroup>startbeforelogon</UserGroup>
  </HostEntry>
</ServerList>

 

I'm at a loss on why the IP address of the VPN is being placed in the preferences_global.xml file and not the FQDN.

 

Again, thank you for your help with this!

 

You are correct that the preferences_global.xml file is used for SBL. Since the user has not logged on at that point, it does not have a user specific preference file to pick it up from. That being said, the only time I think the preference would be updated in your case is when you connect to the ASA and the ASA pushes a profile that has been uploaded to it for that particular group-policy. Can you verify the profile on the ASA has the same "HostName" and "HostAddress" fields as what you mentioned here? Also, try deleting the preferences_global.xml file from the folder and see if it still populates with the same fields after attempting an SBL connection.

I've determined the cause of this issue.

 

The AnyConnect Client Profile, StartBeforeLogon, had identical entries for the Host Display Name and FQDN.

 

 Cisco1.JPG

 

I've changed the Host Display Name to VPN SBL

 

Cisco2.JPG

 

This issue then corrected itself.

 

Now if this was the only AnyConnect Client Profile on the ASA, I would argue that despite identical names, the issue wouldn't have shown up and everything would function normally.

 

However, this particular ASA has at least 13 profiles, all with identical Host Display Names (but different User Groups).  I suspect this issue has been with us the whole time, but only materialized when we decided to turn on support for Start Before Logon.

 

So, issue resolved, thank you for your time!

 

Alfredo
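
Added example (not part of the thread and not Cisco code): a Python check for the condition described in the accepted solution above, flagging profile HostEntry elements whose HostName equals HostAddress or whose HostName is reused across profiles, plus a test for an IP in DefaultHostAddress. It assumes the Host Display Name is stored in the HostName element as in the excerpt posted earlier; the second profile ("Staff") and the AnyConnectPreferences wrapper are constructed for the sample.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

def _fields(elem):
    """Map child tag -> text, with any XML namespace prefix stripped."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}

def audit_profiles(profiles):
    """profiles maps profile name -> XML text; returns a list of findings."""
    findings, seen = [], defaultdict(list)
    for pname, xml_text in profiles.items():
        for elem in ET.fromstring(xml_text).iter():
            if elem.tag.rsplit("}", 1)[-1] != "HostEntry":
                continue
            entry = _fields(elem)
            name, addr = entry.get("HostName", ""), entry.get("HostAddress", "")
            if not name:
                continue
            seen[name.lower()].append(f"{pname}/{entry.get('UserGroup') or '-'}")
            if name.lower() == addr.lower():
                findings.append(f"{pname}: HostName equals HostAddress ({name})")
    for name, users in seen.items():
        if len(users) > 1:  # same display name offered by several entries
            findings.append(f"HostName '{name}' reused by: {', '.join(users)}")
    return findings

def default_host_is_ip(prefs_xml):
    """True when DefaultHostAddress is an IPv4 address with optional :port."""
    addr = _fields(ET.fromstring(prefs_xml)).get("DefaultHostAddress", "")
    try:
        ipaddress.ip_address(addr.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

def _profile(name, addr, group):
    """Build a constructed, minimal client profile with one HostEntry."""
    return ('<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">'
            f"<ServerList><HostEntry><HostName>{name}</HostName>"
            f"<HostAddress>{addr}</HostAddress><UserGroup>{group}</UserGroup>"
            "</HostEntry></ServerList></AnyConnectProfile>")

# Constructed samples: host values are the thread's; "Staff"/"staff" are made up.
BEFORE = {"StartBeforeLogon": _profile("vpn.contoso.com", "vpn.contoso.com", "startbeforelogon"),
          "Staff": _profile("vpn.contoso.com", "vpn.contoso.com", "staff")}
AFTER = {**BEFORE, "StartBeforeLogon": _profile("VPN SBL", "vpn.contoso.com", "startbeforelogon")}
PREFS = ("<AnyConnectPreferences><DefaultHostName>vpn.contoso.com</DefaultHostName>"
         "<DefaultHostAddress>1.2.3.4:443</DefaultHostAddress></AnyConnectPreferences>")
print(*audit_profiles(BEFORE), *audit_profiles(AFTER), default_host_is_ip(PREFS), sep="\n")
```

Run against the profiles exported from the ASA, the reuse finding disappears for a profile once its display name is made unique, as with the rename to VPN SBL.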