
OnConnect script not running

timliu
Level 1

ASDM version: 7.8(2)151
ASA version: 9.8(2)28
Device type: ASA5555
Java version 1.8.0_181
AnyConnect version 4.8.01090

 

The short of it is:

  1. trying to mount drives on connect
  2. used VPN profile editor to create a profile that defines the hostname and enable scripting (see bottom of post)
  3. script and profile are deployed via Intune file copy to the appropriate locations (profile and script)
  4. the customized hostname appears when running AnyConnect for the first time
  5. however, upon connecting, AnyConnect gives the 'AnyConnect reconnecting' message a few times before settling in a connected state
  6. it doesn't appear as if the commands are executed at all (part of the script creates a directory with more .BAT files)
  7. the .BAT file executes manually under a user (both the straight .BAT, and also the .PS1 that executes a .BAT), but does not execute at all (even simple 'echo' or 'write').

I've done it using multiple methods (from: https://community.cisco.com/t5/vpn/cisco-anyconnect-vpn-onconnect-scripts-using-powershell/m-p/3332839#M121024):

  • I’ve tried to run a .PS1 script using the .bat file method, and while it can execute if I run it manually - the script does not run on connect.
  • powershell.exe -ExecutionPolicy Bypass -File "%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script\drives.ps1"


There’s no answer on: https://community.cisco.com/t5/vpn/anyconnect-onconnect-script-not-launching/m-p/3743031#M147447 - not sure what the OP arrived at, ultimately.

This page seems to have a clear path forward: https://www.petenetlive.com/KB/Article/0001353 - but I'm hesitant to mess around too much on ASDM - I'm not familiar with it, and would rather deploy things at the local machine. There's no profile (default or otherwise) on the ASA, but I'm concerned that my custom profile is getting overridden by the [default] profile, which does not allow for script execution.

 

So... my questions here:

  • where do I find the log to check what exactly is going wrong with the script execution
  • how can I confirm that my custom profile is getting accepted properly?
  • are there other ways around?

Example of profile:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>30</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
</AutoReconnect>
<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">true
<TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
<EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
</EnableScripting>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
<AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>
<ServerList>
<HostEntry>
<HostName>vpn.company.com</HostName>
</HostEntry>
</ServerList>
</AnyConnectProfile>
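
An added example, not part of the original post or of Cisco's tooling: a PowerShell check for two local preconditions of an OnConnect script, namely that a deployed profile's `EnableScripting` value is `true` and that the Script folder holds a file whose name begins with `OnConnect` (the client picks scripts by that prefix). The function name, the sample profile and the file names are constructed, and the `Profile` folder is assumed to sit beside the `Script` folder named in the post.

```powershell
# Added example, not from the original post. Sample profile and file names are constructed.
function Test-AnyConnectScripting {
    param(
        [Parameter(Mandatory)][string]$ProfileXml,  # raw text of one profile
        [string[]]$ScriptFiles = @()                # file names in the Script folder
    )
    $doc  = [xml]$ProfileXml
    # local-name() sidesteps the profile's default XML namespace.
    $node = $doc.SelectSingleNode("//*[local-name()='EnableScripting']")
    $enabled = $false
    if ($null -ne $node) {
        # Mixed content: "true" is followed by child elements, so read only the
        # element's own text nodes rather than InnerText.
        $own = @($node.ChildNodes | Where-Object { $_.NodeType -eq 'Text' } |
                 ForEach-Object { $_.Value }) -join ''
        $enabled = $own.Trim() -eq 'true'
    }
    # The client selects scripts by file-name prefix, whatever the extension.
    $onConnect = @($ScriptFiles | Where-Object { $_ -like 'OnConnect*' })
    $findings = @()
    if ($null -eq $node) { $findings += 'EnableScripting element missing' } elseif (-not $enabled) { $findings += 'EnableScripting is not true' }
    if ($onConnect.Count -eq 0) { $findings += 'no OnConnect* file in Script folder' }
    [pscustomobject]@{ ScriptingEnabled = $enabled; OnConnectScripts = $onConnect; Findings = $findings }
}

$sampleProfile = @'
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ClientInitialization>
<EnableScripting UserControllable="false">true
<TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
<EnablePostSBLOnConnectScript>true</EnablePostSBLOnConnectScript>
</EnableScripting>
</ClientInitialization>
</AnyConnectProfile>
'@
# Constructed file lists: the first has no OnConnect-prefixed file, the second does.
Test-AnyConnectScripting -ProfileXml $sampleProfile -ScriptFiles 'drives.ps1', 'drives.bat'
Test-AnyConnectScripting -ProfileXml $sampleProfile -ScriptFiles 'OnConnect_drives.bat', 'drives.ps1'

# On an endpoint: run the same check for every deployed profile.
$base = "$env:ALLUSERSPROFILE\Cisco\Cisco AnyConnect Secure Mobility Client"
if (Test-Path "$base\Profile") {
    $names = @(Get-ChildItem "$base\Script" -File -ErrorAction SilentlyContinue | ForEach-Object Name)
    Get-ChildItem "$base\Profile" -Filter *.xml | ForEach-Object {
        Test-AnyConnectScripting -ProfileXml (Get-Content $_.FullName -Raw) -ScriptFiles $names |
            Add-Member -NotePropertyName Profile -NotePropertyValue $_.Name -PassThru
    }
}
```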