Proxy issue with AnyConnect SBL

Answered Question
Jun 22nd, 2010

Hi,

I recently added the following line to our AnyConnect .xml profile:

<ProxySettings>IgnoreProxy</ProxySettings>

We use a proxy server internally in our network, so when the client computers were set up for this, they couldn't connect to our ASA with AnyConnect when they were off-site. The setting above in their profile fixed this, so even though proxy was enabled in their IE, they could connect with AnyConnect when roaming. So far so good.

Yesterday I added the following to our configuration:

group-policy TEST attributes

   msie-proxy method use-server

   msie-proxy server value ip.ip.ip.ip:port

   msie-proxy local-bypass enable

This config was to make sure that the user's proxy is enabled when connected to VPN. According to Cisco doc the proxy settings on the client should automatically revert to the original settings when disconnecting. All this also works as intended.

But then here comes the funny thing (which isn't funny at all really):

When booting the client computer and starting the AnyConnect client before Windows logon (SBL), I get the attached prompt when trying to connect! This only happens with SBL - not when the user is logged in and then starts the VPN client. I have tried with various proxy user auth that I know are working, but I can't get through, and therefor can't connect before Windows logon. According to Cisco doc, the proxy settings should apply AFTER VPN logon - but it seems it tries to use them BEFORE the connection attempt when using SBL.

Does anyone know why this happens? And can anyone come up with a solution (besides disabling the proxy settings just made)?

Thanks in advance - much appreciated!

/Rasmus

Attachment: 
I have this problem too.
0 votes
Correct Answer by Marcin Latosiewicz about 6 years 5 months ago

Rasmus,

Bad news ... I checked the "fixed-in" field in the bugs.

002.005(1002)  and 002.005(2000)

meaning - they will be fixed in new release.

Symptom:
The "IgnoreProxy" setting in the AnyConnect XML profile is not functioning when Start Before Login (SBL) is also enabled.

Conditions:
Problem first observed on AnyConnect 2.4.1012 when "IgnoreProxy" is set in the xml profile. Using Start Before Login feature (SBL). Using GPOs to set the proxy before login. Most noticable when the Proxy that is set is internal/private because the AnyConnect will not be able to reach the headend device to make the anyconnect connection due to the proxy being set. Confirmed the profile is active. The "IgnoreProxy" setting in the profile is working for a non-SBL connection.

Workaround:
1. This does work without SBL. For instance If you cancel SBL, logon to windows in the usual way and then start the Anyconnect client. If you then disconnect and reconnect the AnyConnect it does indeed ignore the configured proxy.
2. Disable GPO settings that push the proxy before login.
Note: If you are using GPO to launch scripts, be aware AnyConnect also now has a OnConnect scripting feature to launch scripts as well
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Marcin Latosiewicz Tue, 06/22/2010 - 08:00

Rasmus,

I will be first to admit I might not be the best person to advise on this - it's ages since I dealt with SBL but AFAIR, AC will ready profile setting from ... Local user or All users  Documents and settings/Cisco/Anyconnect folder.

Also what are the defaults in proxy config on your IE?

Can you check that for me?

Marcin

edit. Fixed typos and directory.

rate Tue, 06/22/2010 - 22:48

Hi Marcin,

Thanks for your reply.

Default setting in IE is proxy enabled.

This is from Cisco's official doc on AnyConnect:

You can configure a group policy to download private proxy settings configured in the group policy to the browser after the tunnel is established. The settings return to their original state after the VPN session ends.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html#wp1069089

/Rasmus

Marcin Latosiewicz Tue, 06/22/2010 - 23:43

Rasumus,

I had lab setup for this once but frankly it's gone and gone :-)

Can you please doublecheck that your profile exists also in the places I specified (doc and settings ...) I'll check with people here to see if someone saw this behavior before.

Marcin

rate Wed, 06/23/2010 - 00:51

Yes, it does exist, and it looks fine.

BTW we are running ver. 8.2(2).

/Rasmus

Marcin Latosiewicz Wed, 06/23/2010 - 01:01

Wellllllll.

Can you share that file location and contents?

Maybe also gathering a DART bundle just after failed connect would not be bad :-)

Marcin

rate Wed, 06/23/2010 - 02:14

I can't use DART to generate anything, cause DART is not available before logon. And after logon there

is no problems, so DART will generate something useless.

I can share the contents of the profile if you want to (will have to hide some details though), but the proxy settings are made in the group policy on the ASA itself. Sure you need the profile data then?

/Rasmus

Marcin Latosiewicz Wed, 06/23/2010 - 09:06

Rasmus,

Generating DART after failed SBL login is OK at least I'm not aware of any shortcomings.

Well I want to understand what else your profile in Docs and setting\All users\Application Data\Cisco\Cisco Anyconnect VPN client has

Marcin

edit:

It's clear that AC is trying to authenticate to proxy, meaning that the proxy settings are not ignored.

Do you have system wide proxy settings or per-user?

rate Thu, 06/24/2010 - 00:08

This is the profile from all users:

<?xml version="1.0" encoding="UTF-8"?>
http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

  true
  true
  false
  Machine
  false
  IgnoreProxy
  false
  true
  false
  true
  true
  Automatic
  SingleLocalLogon
  LocalUsersOnly
  false
  Automatic
  
 
  false


 
   asa_firewall
   asa.anonymous.com
   asa_group
 

Marcin Latosiewicz Thu, 06/24/2010 - 01:39

Well I learned something.

in fact those two:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf20119

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg02656

Upgrade your AC to 2.5, if not already done. Please be aware that not everything is fixed in current image.

edit: fixed typos etc.

rate Thu, 06/24/2010 - 03:25

Again, thanks for your time.

I can't see the two links, cause the guy with our Cisco login is on vacation and I don't have access. Maybe you can copy/paste the text?

Anyway, I've tried now with ver. 2.5 (both AC and GINA) - still no luck

Correct Answer
Marcin Latosiewicz Thu, 06/24/2010 - 07:19

Rasmus,

Bad news ... I checked the "fixed-in" field in the bugs.

002.005(1002)  and 002.005(2000)

meaning - they will be fixed in new release.

Symptom:
The "IgnoreProxy" setting in the AnyConnect XML profile is not functioning when Start Before Login (SBL) is also enabled.

Conditions:
Problem first observed on AnyConnect 2.4.1012 when "IgnoreProxy" is set in the xml profile. Using Start Before Login feature (SBL). Using GPOs to set the proxy before login. Most noticable when the Proxy that is set is internal/private because the AnyConnect will not be able to reach the headend device to make the anyconnect connection due to the proxy being set. Confirmed the profile is active. The "IgnoreProxy" setting in the profile is working for a non-SBL connection.

Workaround:
1. This does work without SBL. For instance If you cancel SBL, logon to windows in the usual way and then start the Anyconnect client. If you then disconnect and reconnect the AnyConnect it does indeed ignore the configured proxy.
2. Disable GPO settings that push the proxy before login.
Note: If you are using GPO to launch scripts, be aware AnyConnect also now has a OnConnect scripting feature to launch scripts as well
rate Fri, 06/25/2010 - 00:01

Hi Marcin,

Not bad news at all. At least I now know that Cisco is aware of this, and that a fix is coming. We haven't gone live yet, so it's alright.

Thanks a bunch!

/Rasmus

Actions

This Discussion

Related Content