Cisco AnyConnect VPN Client - manually create a profile

ikovacs.ro
Level 1

Hi,

Is there any way to manually set up a Cisco AnyConnect VPN Client profile (I want to EnableScripting)?

I found section Configuring and Deploying the AnyConnect Client Profile, but I do not have access to the security appliance, ASDM or any other tools. I have only Cisco AnyConnect VPN Client installed and I can see the AnyConnectProfile.tmpl and .xsd files.

Thank you


Herbert Baerten
Cisco Employee

Hi Istvan,

you can rename the .tmpl file to .xml and edit it to your liking.

Or, you can download the standalone profile editor (no ASDM required) and use that to create a profile:

look for anyconnect-profileeditor-win-3.0.4235-k9.exe at this page:

http://www.cisco.com/cisco/software/release.html?mdfid=283000185&softwareid=282364313&release=3.0.4235&rellifecycle=&relind=AVAILABLE&reltype=latest

hth

Herbert

ikovacs.ro
Level 1

Thanks Herbert for your post.

I did try to rename AnyConnectProfile.tmpl to AnyConnectProfile.xml, but to me it looks like it was not taken into consideration. Is there something else that I should have done? Shouldn't this xml file be pointed to somewhere?

Regarding the profile editor, I have created an account on the Cisco site but when I attempt to download I get:

"To Download this software, you must have a valid service contract associated to your Cisco.com user ID."

I'm sure the company at which I'm working has a contract with Cisco, but getting the details is just a nightmare of requests and approvals, so I will not even try to do that.

Istvan,

the profile should be in the "profile" directory. This directory is created automatically when the client is installed, but the location of this directory depends on whether you use AnyConnect 2.x or 3.x, and on the OS (XP vs Vista/Win7).

E.g. for 3.x on Win7 it is:

C:\ProgramData\Cisco\Cisco Anyconnect Secure Mobility Client\profile

Also, you may have to restart the client after placing the profile there.

hth

Herbert

I noticed that indeed the profile file C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml is used, by adding a new . So, your above answers are correct (and I will shortly mark this thread with 'Correct Answer').

I used the Sysinternals Process Monitor to monitor the files that are accessed by vpnui.exe when I start Cisco AnyConnect VPN Client. Both AnyConnectProfile.xml and .xsd are accessed, though I'm a bit puzzled that I also see 2 CreateFile operations beside the ReadFile operations:

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"

"09:13:28,0175314","vpnui.exe","5276","CreateFile","C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"

Leaving that aside, I noticed that the C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script\OnConnect.bat file I have created (content: ipconfig >> d:\t.txt), is never accessed during the Cisco AnyConnect VPN Client startup.

In C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml I have manually added true immediately after tag:

   

        true

       

            The Start Before Logon feature can be used to activate the VPN as...

Do you have any hints on that? Should I open a new thread?

Thank you again for your advice.

Hi Istvan,

I don't know why the client opens these files for writing.

As for the scripting:

- by default there is already a tag further down in the profile, set to false. Please be sure to remove it.

- check the event logs (using Windows Event Viewer - Applications and Services Logs - Cisco AnyConnect); more specifically look for:

  • Event ID 3006: Launching script "%s".
  • Event ID 3007: Script "%s" exited with code %d.
  • Event ID 3008: Terminating script "%s".
  • Event ID 3009: Abandoning script "%s".
  • Additional debug messages from CScriptingMgr and CScriptThread

- if using 64-bit Windows, pay attention to this note in the config guide (I don't think this affects you since you only call ipconfig from the script, but still):

"

Running Scripts on 64-bit Windows

The AnyConnect client is a 32-bit application. When running on a 64-bit Windows version, such as Windows 7 x64 and Windows Vista SP2 x64, when it executes a batch script, it uses the 32-bit version of cmd.exe.

Because the 32-bit cmd.exe lacks some commands that the 64-bit cmd.exe supports, some scripts could stop executing when attempting to run an unsupported command, or run partially and stop. For example, the msg command, supported by the 64-bit cmd.exe, may not be understood by the 32-bit version of Windows 7 (found in %WINDIR%\SysWOW64).

Therefore, when you create a script, use commands supported by the 32-bit cmd.exe.

"

- make sure there is only one OnConnect script - if there are multiple, only one gets executed.

If all this does not help, then yes I would suggest you create a new thread for that.

cheers

Herbert

And one more tip: make sure that the script runs fine when you just run it yourself from a CMD prompt.

I have only one tag in AnyConnectProfile.xml. I checked in AnyConnectProfile.tmpl and have no tag.

I have only one OnConnect* file, and it can be run from command line:

c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script>dir

 Volume in drive C is System
 Volume Serial Number is 120B-4155

 Directory of c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script

10.11.2011  21:18                   .
10.11.2011  21:18                   ..
10.11.2011  21:19                20 OnConnect.bat
               1 File(s)             20 bytes
               2 Dir(s)  61.664.940.032 bytes free

c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script>d:

D:\>dir *.txt

Volume in drive D is Data

Volume Serial Number is 48AB-C5E2

Directory of D:\

File Not Found

D:\>"c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script\OnConnect.bat"

D:\>ipconfig  1>>d:\t.txt

D:\>dir *.txt

Volume in drive D is Data

Volume Serial Number is 48AB-C5E2

Directory of D:\

17.11.2011  12:56               848 t.txt

               1 File(s)            848 bytes

               0 Dir(s)  177.910.259.712 bytes free

I checked in Event Viewer, in Cisco AnyConnect VPN Client section and can't find any event with ID between 3006 and 3009.

However I can see some errors like:

Function: fileExists

File: .\Utility\sysutils.cpp

Line: 500

Invoked Function: _tstat

Return Code: 2 (0x00000002)

Description: The system cannot find the file specified.

File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw

Error: No such file or directory

But the VPN works just fine. Have no issue with it.

More related to the current topic is this warning:

Function: ProfileMgr::getProfileNameFromHost

File: .\ProfileMgr.cpp

Line: 711

No profile available for host FQDN.

What is raising some questions in my mind is the fact that in the from AnyConnectProfile.xml (and the 'Connect To' field value from the UI) is different from the FQDN mentioned in the above warning.

Can this be the cause why the script is not executed?

Istvan,

yes that is probably the reason - if the HostEntry does not match, the profile does not get applied (well to be precise, some elements may get applied like SBL).

However, I'm a bit confused about what you see where.

Normally, if you have this in your profile:

  myASA

asa.mycompany.com

Then in the GUI you should see "myASA" in the dropdown list. When you select that entry, the client will connect to the HostAddress specified in the profile (asa.mycompany.com in this example) and so the profile will automatically match.

So I'm not sure how this is behaving differently in your case?

Herbert

The (let's call it FQDN_A) from the profile file is displayed on the UI, though in the warning from Event Viewer I see a different FQDN host name (FQDN_B) than what is specified in (and the UI) (FQDN_A). I presume this is because there is a "load balancing gateway" (FQDN_A) (if this term exists) that will balance the incoming requests based on the current usage.

I tried adding a new for the server name specified in the earlier mentioned warning (FQDN_B), and then the warning went away but I still did not get the script to run.

Now the "load balancing gateway" (FQDN_A) sends my requests to a different server (FQDN_C), so the warning is back. Bottom line is that I do not know between how many VPN servers the requests are load balanced, so I cannot enter a for each of them.

How can a profile be used in such a situation?

Hi Istvan

well normally the profile is made by the ASA admin, who knows all the names of the cluster members

Then you would get something like this:

        
            My ASA
            FQDN
                        
                             FQDN_A
                             FQDN_B
                             FQDN_C
                       
        

hth

Herbert

Hi Herbert,

I hope you had a great weekend.

I tested your new suggestion and here is what I see:

- a c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\myaccess1.xml is getting generated ("myaccess" is the hostname from FQDN_A);

- in Event Viewer the following can be seen:

Function: ProfileMgr::getProfileNameFromHost

File: .\ProfileMgr.cpp

Line: 711

No profile available for host FQDN_B.

and

Function: ProfileMgr::loadProfile

File: ..\Api\ProfileMgr.cpp

Line: 449

Invoked Function: ProfileMgr::loadProfile

Return Code: -33554423 (0xFE000009)

Description: GLOBAL_ERROR_UNEXPECTED

Duplicate host found in the profile <>. Host discarded.

BR,

Isti
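As an added example (not from this thread and not Cisco's code), a small Python check that covers the three things the thread tripped over: Herbert's note that a second EnableScripting tag set to false must be removed, the "Duplicate host found in the profile. Host discarded." error from the last post, and whether the FQDN the client logs is covered by some HostEntry once its load-balancing members are listed as in Herbert's cluster example. The element names ClientInitialization, ServerList, HostName, LoadBalancingServerList and the profile namespace are assumed from the standard profile layout; the sample profile and the FQDN_A/B/C hosts are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread). Element names and the
# namespace follow the AnyConnect profile layout as assumed here.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
 <ClientInitialization>
  <EnableScripting UserControllable="false">true</EnableScripting>
  <EnableScripting UserControllable="false">false</EnableScripting>
 </ClientInitialization>
 <ServerList>
  <HostEntry><HostName>My ASA</HostName><HostAddress>FQDN_A</HostAddress>
   <LoadBalancingServerList><HostAddress>FQDN_B</HostAddress>
    <HostAddress>FQDN_C</HostAddress></LoadBalancingServerList></HostEntry>
  <HostEntry><HostName>Direct B</HostName><HostAddress>FQDN_B</HostAddress></HostEntry>
 </ServerList>
</AnyConnectProfile>"""


def _name(elem):
    """Local tag name, ignoring the default namespace on the profile root."""
    return elem.tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _name(c) == name]


def check_profile(xml_text, connect_to):
    """Return a report: EnableScripting tag count, whether exactly one tag says
    true, hosts duplicated across entries, and the HostEntry (by HostName)
    whose addresses, load-balancing members included, cover `connect_to`."""
    root = ET.fromstring(xml_text)
    scripting = [e.text.strip().lower() for e in root.iter() if _name(e) == "EnableScripting"]
    seen, duplicates, match = set(), [], None
    entries = (h for sl in _children(root, "ServerList") for h in _children(sl, "HostEntry"))
    for entry in entries:
        names = _children(entry, "HostName")
        name = names[0].text.strip() if names else "(unnamed)"
        hosts = [a.text.strip() for a in _children(entry, "HostAddress")]
        for lb in _children(entry, "LoadBalancingServerList"):
            hosts += [a.text.strip() for a in _children(lb, "HostAddress")]
        for h in hosts:
            if h.lower() in seen:
                duplicates.append(h)  # the client discards such a host and logs an error
            seen.add(h.lower())
        if match is None and connect_to.lower() in (h.lower() for h in hosts):
            match = name
    return {"scripting_tags": len(scripting), "scripting_enabled": scripting == ["true"],
            "duplicate_hosts": duplicates, "matching_entry": match}


if __name__ == "__main__":
    for host in ("FQDN_A", "FQDN_C", "FQDN_D"):
        print(host, check_profile(SAMPLE_PROFILE, host))
```

Run it against the real AnyConnectProfile.xml with the FQDN from the "No profile available for host" warning; a None matching_entry means that host still needs to be listed under the entry's load-balancing members.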
