11-11-2011 03:22 AM - edited 02-21-2020 05:42 PM
Hi,
Is there any way to manually set up a Cisco AnyConnect VPN Client profile (I want to EnableScripting)?
I found section Configuring and Deploying the AnyConnect Client Profile, but I do not have access to the security appliance, ASDM or any other tools. I have only Cisco AnyConnect VPN Client installed and I can see the AnyConnectProfile.tmpl and .xsd files.
Thank you
11-15-2011 01:29 PM
Hi Istvan,
you can rename the .tmpl file to .xml and edit it to your liking.
Or, you can download the standalone profile editor (no ASDM required) and use that to create a profile:
look for anyconnect-profileeditor-win-3.0.4235-k9.exe at this page:
hth
Herbert
11-15-2011 01:50 PM
Thanks Herbert for your post.
I did try to rename AnyConnectProfile.tmpl to AnyConnectProfile.xml but to me it looks like it was not taken into consideration. Is there something else that I should have done? Shouldn't this xml file be pointed to somewhere?
Regarding the profile editor, I have created an account on the Cisco site but when I attempt to download I get:
"To Download this software, you must have a valid service contract associated to your Cisco.com user ID."
I'm sure the company at which I'm working has a contract with Cisco, but getting the details is just a nightmare of requests and approvals, so I will not even try to do that.
11-15-2011 03:08 PM
Istvan,
the profile should be in the "profile" directory. This directory is created automatically when the client is installed, but the location of this directory depends on whether you use AnyConnect 2.x or 3.x, and on the OS (XP vs Vista/Win7).
E.g. for 3.x on Win7 it is:
C:\ProgramData\Cisco\Cisco Anyconnect Secure Mobility Client\profile
Also, you may have to restart the client after placing the profile there.
hth
Herbert
11-17-2011 12:32 AM
I noticed that indeed the profile file C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml is used, by adding a new
I used the Sysinternals Process Monitor to monitor the files that are accessed by vpnui.exe when I start Cisco AnyConnect VPN Client. Both AnyConnectProfile.xml and xsd are accessed, though I'm a bit puzzled that I also see 2 CreateFile operations besides the ReadFile operations:
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:13:28,0175314","vpnui.exe","5276","CreateFile","C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Read Attributes, Disposition: Open, Options: Non-Directory File, Complete If Oplocked, Attributes: N, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
Leaving that aside, I noticed that the C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script\OnConnect.bat file I have created (content: ipconfig >> d:\t.txt), is never accessed during the Cisco AnyConnect VPN Client startup.
In C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xml I have manually added
The Start Before Logon feature can be used to activate the VPN as...
Do you have any hints on that? Should I open a new thread?
Thank you again for your advice.
11-17-2011 01:56 AM
Hi Istvan,
I don't know why the client opens these files for writing.
As for the scripting:
- by default there already is an
- check the event logs (using Windows Event Viewer - application & services logs - cisco anyconnect; more specifically look for:
- if using 64bit windows, pay attention to this note in the config guide (I don't think this affects you since you only call ipconfig from the script, but still):
"
Running Scripts on 64-bit Windows
The AnyConnect client is a 32-bit application. When running on a 64-bit Windows version, such as Windows 7 x64 and Windows Vista SP2 x64, when it executes a batch script, it uses the 32-bit version of cmd.exe.
Because the 32-bit cmd.exe lacks some commands that the 64-bit cmd.exe supports, some scripts could stop executing when attempting to run an unsupported command, or run partially and stop. For example, the msg command, supported by the 64-bit cmd.exe, may not be understood by the 32-bit version of Windows 7 (found in %WINDIR%\SysWOW64).
Therefore, when you create a script, use commands supported by the 32-bit cmd.exe.
"
- make sure there is only one OnConnect script - if there are multiple, only one gets executed.
If all this does not help, then yes I would suggest you create a new thread for that.
cheers
Herbert
11-17-2011 02:00 AM
And one more tip: make sure that the script runs fine when you just run it yourself from a CMD prompt.
11-17-2011 03:19 AM
I have only one
I have only one OnConnect* file, and it can be run from command line:
c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script>dir
Volume in drive C is System
Volume Serial Number is 120B-4155
Directory of c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script
10.11.2011 21:18
10.11.2011 21:18
10.11.2011 21:19 20 OnConnect.bat
1 File(s) 20 bytes
2 Dir(s) 61.664.940.032 bytes free
c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script>d:
D:\>dir *.txt
Volume in drive D is Data
Volume Serial Number is 48AB-C5E2
Directory of D:\
File Not Found
D:\>"c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Script\OnConnect.bat"
D:\>ipconfig 1>>d:\t.txt
D:\>dir *.txt
Volume in drive D is Data
Volume Serial Number is 48AB-C5E2
Directory of D:\
17.11.2011 12:56 848 t.txt
1 File(s) 848 bytes
0 Dir(s) 177.910.259.712 bytes free
I checked in Event Viewer, in Cisco AnyConnect VPN Client section and can't find any event with ID between 3006 and 3009.
However I can see some errors like:
Function: fileExists
File: .\Utility\sysutils.cpp
Line: 500
Invoked Function: _tstat
Return Code: 2 (0x00000002)
Description: The system cannot find the file specified.
File: C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\InitialFirewallConfig.wfw
Error: No such file or directory
But the VPN works just fine. Have no issue with it.
More related to the current topic is this warning:
Function: ProfileMgr::getProfileNameFromHost
File: .\ProfileMgr.cpp
Line: 711
No profile available for host FQDN.
What is raising some questions in my mind is the fact that in the
Can this be the cause why the script is not executed?
11-17-2011 03:37 AM
Istvan,
yes that is probably the reason - if the HostEntry does not match, the profile does not get applied (well to be precise, some elements may get applied like SBL).
However, I'm a bit confused about what you see where.
Normally, if you have this in your profile:
Then in the GUI you should see "myASA" in the dropdown list. When you select that entry, the client will connect to the HostAddress specified in the profile (asa.mycompany.com in this example) and so the profile will automatically match.
So I'm not sure how this is behaving differently in your case?
Herbert
11-17-2011 04:50 AM
The
I tried adding a new
Now the "load balancing gateway" (FQDN_A) sends my requests to a different server (FQDN_C), so the warning is back. Bottom line is that I do not know between how many VPN servers the requests are load balanced, so I cannot enter a
How can a profile be used in such a situation?
11-20-2011 03:27 AM
Hi Istvan
well normally the profile is made by the ASA admin, who knows all the names of the cluster members.
Then you would get something like this:
My ASA FQDN FQDN_A FQDN_B FQDN_C
hth
Herbert
11-21-2011 07:11 AM
Hi Herbert,
I hope you had a great weekend.
I tested your new suggestion and here is what I see:
- a c:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\myaccess1.xml is getting generated ("myaccess" is the hostname from FQDN_A);
- in Event Viewer the following can be seen:
Function: ProfileMgr::getProfileNameFromHost
File: .\ProfileMgr.cpp
Line: 711
No profile available for host FQDN_B.
and
Function: ProfileMgr::loadProfile
File: ..\Api\ProfileMgr.cpp
Line: 449
Invoked Function: ProfileMgr::loadProfile
Return Code: -33554423 (0xFE000009)
Description: GLOBAL_ERROR_UNEXPECTED
Duplicate host
BR,
Isti
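The checks discussed in this thread can be run against a profile file offline; the following is an added example, not part of any post here and not Cisco's code. It reports whether EnableScripting is true, whether the host the client actually reached appears in a HostEntry, and whether any host is listed more than once. The sample profile is constructed; `asa2.mycompany.com`, the function name `audit_profile`, and the fallback from HostAddress to HostName when no address is given are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample profile. "myASA" / "asa.mycompany.com" follow the example
# named in the thread; the second entry is a made-up placeholder.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting>true</EnableScripting>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>myASA</HostName>
      <HostAddress>asa.mycompany.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>myASA node 2</HostName>
      <HostAddress>asa2.mycompany.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text, connected_host):
    """Summarise the profile settings that decide whether scripts can run."""
    root = ET.fromstring(xml_text)
    scripting, targets = False, []
    for el in root.iter():
        name = _local(el.tag)
        if name == "EnableScripting":
            # el.text is the value even when child option elements follow it
            scripting = (el.text or "").strip().lower() == "true"
        elif name == "HostEntry":
            f = {_local(c.tag): (c.text or "").strip().lower() for c in el}
            # Assumption: an entry without HostAddress is reached by HostName
            targets.append(f.get("HostAddress") or f.get("HostName", ""))
    counts = Counter(t for t in targets if t)
    return {
        "scripting_enabled": scripting,
        "hosts": targets,
        "host_matches": connected_host.strip().lower() in counts,
        "repeated_hosts": sorted(h for h, n in counts.items() if n > 1),
    }

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE, "asa.mycompany.com"))
```

Pass the FQDN from the "No profile available for host ..." event as `connected_host` to see whether the profile on disk lists it.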