Windows Task Scheduler VPNCLI.exe Unable to retrieve logon information to verify compliance

PaulKim85259
Level 1

Hey everyone, I am having some issues trying to create a Windows scheduled task to connect to a vendor VPN. The batch script is as follows:

taskkill /F /IM vpnui.exe
taskkill /F /IM vpncli.exe
net stop vpnagent
net start vpnagent
"c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s < "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\answers.dat" >> "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\BatchScripts\log.txt"


The "answers.dat" file has the connection credentials that I am passing in as arguments:

connect [vendor dns]
[vendor vpn profile]
[user name]
[password]

Running this scheduled task WHILE logged into the remote desktop works, but when I am not logged onto the RDP, I get the following message in my log file:

>> state: Connecting
>> notice: Establishing VPN session...
>> notice: The AnyConnect Downloader is performing update checks...
>> notice: Checking for profile updates...
>> notice: Checking for product updates...
>> notice: Checking for customization updates...
>> notice: Performing any required updates...
>> notice: The AnyConnect Downloader updates have been completed.
>> state: Connecting
>> notice: Establishing VPN session...
>> notice: Establishing VPN - Initiating connection...
>> warning: Unable to retrieve logon information to verify compliance with AnyConnect logon enforcement and VPN establishment profile settings. A VPN connection will not be established.
>> warning: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
>> state: Disconnected
VPN> goodbye...

I've checked the *.xml in the "%ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" path and the following are set:

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>

I am thinking that, WHILE a user is not logged into the RDP, Cisco cannot access the profile.xml possibly?  Can anyone provide some clarity on this issue?
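
A read-only check for the two things the post inspects by hand, the logon settings in each profile XML and the outcome of the most recent attempt in log.txt, as an added PowerShell example that is not from the thread or from Cisco. The function names, the temporary directory and the sample profile and log text are constructed for illustration.

```powershell
# Added example (not Cisco code). Paths below are constructed samples; point the
# two functions at the real Profile directory and log.txt on the affected host.
function Get-LogonPolicy {
    param([Parameter(Mandatory)][string]$ProfileDir)
    Get-ChildItem -Path $ProfileDir -Filter *.xml | ForEach-Object {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($_.FullName)
        $row = [ordered]@{ Profile = $_.Name }
        foreach ($name in 'WindowsLogonEnforcement', 'WindowsVPNEstablishment') {
            # local-name() ignores any default namespace the profile declares
            $node = $doc.SelectSingleNode("//*[local-name()='$name']")
            $row[$name] = if ($null -ne $node) { $node.InnerText.Trim() } else { '(not set)' }
        }
        [pscustomobject]$row
    }
}

function Get-LastVpnAttempt {
    param([Parameter(Mandatory)][string]$LogPath)
    $lines = @(Get-Content -Path $LogPath)
    # The batch script appends with >>, so only look at the most recent attempt
    $start = 0
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match 'Initiating connection') { $start = $i }
    }
    $tail = @($lines[$start..($lines.Count - 1)])
    [pscustomobject]@{
        FinalState       = (($tail -match 'state:') | Select-Object -Last 1) -replace '.*state:\s*', ''
        LogonCheckFailed = [bool]($tail -match 'Unable to retrieve logon information')
        Warnings         = @($tail -match 'warning:').Count
    }
}

# Constructed sample input, modelled on the values quoted in the post
$dir = Join-Path ([IO.Path]::GetTempPath()) 'anyconnect-example'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<AnyConnectProfile xmlns="urn:example:constructed">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
  </ClientInitialization>
</AnyConnectProfile>
'@ | Set-Content -Path (Join-Path $dir 'vendor.xml')
@'
>> notice: Establishing VPN - Initiating connection...
>> warning: Unable to retrieve logon information to verify compliance with AnyConnect logon enforcement and VPN establishment profile settings. A VPN connection will not be established.
>> state: Disconnected
'@ | Set-Content -Path (Join-Path $dir 'log.txt')

Get-LogonPolicy -ProfileDir $dir | Format-Table -AutoSize
Get-LastVpnAttempt -LogPath (Join-Path $dir 'log.txt')
```

Running both functions from the scheduled task's own context, with and without an interactive session, shows whether the profile values and the logged failure differ between the two cases.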


Hi,

Try to log in to the machine once using the username that runs the service/script. This will create a profile for it which will include all required XML files. Then try to execute the script to connect the VPN as a service.

***** please remember to rate useful posts

Hi Mohammed,

Thank you for your solution.  Unfortunately logging into the remote desktop using the "Author" account did not create an XML profile.  I also set the "When running the task, use the following user account:" to "NT Authority\Local Service".  When running the task while logged in, the log file shows the connection is established.  However, when not logged in, the log file shows the same error message.