06-22-2010 01:45 AM - edited 02-21-2020 04:42 PM
Hi,
I recently added the following line to our AnyConnect .xml profile:
<ProxySettings>IgnoreProxy</ProxySettings>
We use a proxy server internally in our network, so when the client computers were set up for this, they couldn't connect to our ASA with AnyConnect when they were off-site. The setting above in their profile fixed this, so even though proxy was enabled in their IE, they could connect with AnyConnect when roaming. So far so good.
Yesterday I added the following to our configuration:
group-policy TEST attributes
msie-proxy method use-server
msie-proxy server value ip.ip.ip.ip:port
msie-proxy local-bypass enable
This config was to make sure that the user's proxy is enabled when connected to VPN. According to the Cisco doc, the proxy settings on the client should automatically revert to the original settings when disconnecting. All this also works as intended.
But then here comes the funny thing (which isn't funny at all really):
When booting the client computer and starting the AnyConnect client before Windows logon (SBL), I get the attached prompt when trying to connect! This only happens with SBL - not when the user is logged in and then starts the VPN client. I have tried with various proxy user auths that I know are working, but I can't get through, and therefore can't connect before Windows logon. According to the Cisco doc, the proxy settings should apply AFTER VPN logon - but it seems it tries to use them BEFORE the connection attempt when using SBL.
Does anyone know why this happens? And can anyone come up with a solution (besides disabling the proxy settings just made)?
Thanks in advance - much appreciated!
/Rasmus
06-22-2010 08:00 AM
Rasmus,
I will be the first to admit I might not be the best person to advise on this - it's ages since I dealt with SBL, but AFAIR AC will read profile settings from ... the Local user or All users Documents and settings/Cisco/Anyconnect folder.
Also what are the defaults in proxy config on your IE?
Can you check that for me?
Marcin
edit. Fixed typos and directory.
06-22-2010 10:48 PM
Hi Marcin,
Thanks for your reply.
Default setting in IE is proxy enabled.
This is from Cisco's official doc on AnyConnect:
You can configure a group policy to download private proxy settings configured in the group policy to the browser after the tunnel is established. The settings return to their original state after the VPN session ends.
/Rasmus
06-22-2010 11:43 PM
Rasmus,
I had lab setup for this once but frankly it's gone and gone :-)
Can you please double-check that your profile exists also in the places I specified (doc and settings ...)? I'll check with people here to see if someone has seen this behavior before.
Marcin
06-23-2010 12:51 AM
Yes, it does exist, and it looks fine.
BTW we are running ver. 8.2(2).
/Rasmus
06-23-2010 01:01 AM
Wellllllll.
Can you share that file location and contents?
Maybe also gathering a DART bundle just after failed connect would not be bad :-)
Marcin
06-23-2010 02:14 AM
I can't use DART to generate anything, because DART is not available before logon. And after logon there are no problems, so DART will generate something useless.
I can share the contents of the profile if you want (will have to hide some details though), but the proxy settings are made in the group policy on the ASA itself. Are you sure you need the profile data then?
/Rasmus
06-23-2010 09:06 AM
Rasmus,
Generating DART after a failed SBL login is OK; at least I'm not aware of any shortcomings.
Well, I want to understand what else your profile in Docs and setting\All users\Application Data\Cisco\Cisco Anyconnect VPN client has.
Marcin
edit:
It's clear that AC is trying to authenticate to the proxy, meaning that the proxy settings are not ignored.
Do you have system-wide proxy settings or per-user?
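The question above (system-wide vs. per-user proxy) is the one that decides what a pre-logon session sees, because no user hive is loaded when SBL runs. The script below is an added diagnostic, not something posted in this thread or shipped with AnyConnect: it reports the WinINET (IE) proxy values from both HKCU and HKLM, whether the "ProxySettingsPerUser" policy forces them machine-wide, and the WinHTTP proxy that services running as SYSTEM use. The function name is my own; the registry paths and the netsh command are the standard Windows locations. Run it elevated on the client that fails, compare the HKLM/policy values with what the user sees in IE, and you know which setting a GPO has pushed before logon.

```powershell
# Added diagnostic (not from the thread): show where a Windows client's proxy settings come from.
# Assumptions: Windows client with PowerShell; standard WinINET/IE and Group Policy registry paths.
function Get-ProxySourceReport {
    $report = [ordered]@{}

    # 1. Does policy force the IE/WinINET proxy to be machine-wide?
    #    ProxySettingsPerUser = 0 means the HKLM values apply to every session,
    #    including pre-logon contexts such as SBL where no user hive is loaded.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $perUser = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser `
                -ErrorAction SilentlyContinue).ProxySettingsPerUser
    $report['ProxySettingsPerUser'] =
        if ($null -eq $perUser) { 'not set (default: per-user)' }
        elseif ($perUser -eq 0) { '0 (machine-wide, HKLM wins)' }
        else                    { "$perUser (per-user, HKCU wins)" }

    # 2. WinINET proxy values from both hives (the ones IE shows in Connections > LAN settings).
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $report["$hive ProxyEnable"]   = $p.ProxyEnable
        $report["$hive ProxyServer"]   = $p.ProxyServer
        $report["$hive ProxyOverride"] = $p.ProxyOverride
        $report["$hive AutoConfigURL"] = $p.AutoConfigURL
    }

    # 3. WinHTTP proxy, used by services running as SYSTEM. Whether the SBL
    #    component honours this or the HKLM WinINET values is assumed here, not
    #    confirmed by the thread; report both so the comparison is possible.
    $report['WinHTTP'] = (& netsh.exe winhttp show proxy) -join ' '

    [pscustomobject]$report
}

Get-ProxySourceReport | Format-List
```

If "ProxySettingsPerUser" is 0 or the HKLM values carry a ProxyEnable of 1 with an internal-only ProxyServer, an off-site client that starts the tunnel before logon will try to reach the ASA through a proxy it cannot route to, which matches the prompt described in the first post.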
06-24-2010 12:08 AM
This is the profile from all users:
06-24-2010 01:39 AM
Well, I learned something.
In fact, those two:
Upgrade your AC to 2.5, if not already done. Please be aware that not everything is fixed in the current image.
edit: fixed typos etc.
06-24-2010 03:25 AM
Again, thanks for your time.
I can't see the two links, because the guy with our Cisco login is on vacation and I don't have access. Maybe you can copy/paste the text?
Anyway, I've tried now with ver. 2.5 (both AC and GINA) - still no luck
06-24-2010 07:19 AM
Rasmus,
Bad news ... I checked the "fixed-in" field in the bugs.
002.005(1002) and 002.005(2000)
meaning - they will be fixed in a new release.
Symptom:
The "IgnoreProxy" setting in the AnyConnect XML profile is not functioning when Start Before Login (SBL) is also enabled.
Conditions:
Problem first observed on AnyConnect 2.4.1012 when "IgnoreProxy" is set in the XML profile. Using the Start Before Login feature (SBL). Using GPOs to set the proxy before login. Most noticeable when the proxy that is set is internal/private, because AnyConnect will not be able to reach the headend device to make the AnyConnect connection due to the proxy being set. Confirmed the profile is active. The "IgnoreProxy" setting in the profile is working for a non-SBL connection.
Workaround:
1. This does work without SBL. For instance, if you cancel SBL, log on to Windows in the usual way and then start the AnyConnect client. If you then disconnect and reconnect AnyConnect, it does indeed ignore the configured proxy.
2. Disable GPO settings that push the proxy before login.
Note: If you are using GPO to launch scripts, be aware AnyConnect also now has an OnConnect scripting feature to launch scripts as well.
06-25-2010 12:01 AM
Hi Marcin,
Not bad news at all. At least I now know that Cisco is aware of this, and that a fix is coming. We haven't gone live yet, so it's alright.
Thanks a bunch!
/Rasmus