AnyConnect Scripting - OnConnect script

Hi all,

I'd like to ask if you have any hint about what I'm missing or was not able to get from the docs.
I'm trying to enable an OnConnect script which would run gpupdate once the VPN connection is successfully established.

From a configuration point of view it should be quite easy, but...

My requirement is to have the script distributed locally by our packaging system; basically, I don't want to have the script locally stored on the ASA so that anyone who connects will download it from the ASA VPN. Actually, this kind of distribution seems to be working fine (as far as I've tried).

I got problems when the script is distributed to clients by our client management system (SCCM).

I have defined an AnyConnect profile (.xml), created with the VPN profile editor and updated with the below, and also the actual script (a testing one, just Hello World, which is executable from the CLI):
- that should be enough to tell AnyConnect to run an OnConnect script if available (OnConnect_myscript.vbs)
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
Contains:
<EnableScripting UserControllable="false">true
    <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
    <EnablePostSBLOnConnectScript>false</EnablePostSBLOnConnectScript>
</EnableScripting>

We have our VPN served by an ASA5540 running version 8.4(4)1.
I know that there might be some delay, so I added a 5s delay to the script.

Is there anything specific that I've missed and that needs to be allowed on the ASA VPN device? Any kind of configuration, etc.?

What I've also seen is that when I'm connecting to the VPN with AnyConnect, I might see some really strange behaviour in the client Event Viewer.
There is EventID 3010, which shows which profile and values have been loaded by AnyConnect. At the beginning I might see it load the correct profile (C:\ProgramData\Cisco...\Profile\profile.xml), but after a while I can see that the profile was loaded again, but with DEFAULT values --> scripting disabled, which I do believe is the reason why the script is not executed.

Chronological order (just a summary of the important events):
Source - acvpnagent
1) EventID 3001  9:01:21  Loading preferences for the current user from profile C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml
2) EventID 3010  9:01:21  Current Preference settings (they are taken from the loaded .xml file and they match)
Source - acvpnui + acvpndownloader
3) EventID 1     9:01:56  Loaded profiles: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\eursslvpn.xml
4) EventID 3010  9:01:56  Current preference settings --> they are default, do NOT match what is defined in the loaded profile .xml

Do you know what those Source processes are (acvpnagent, acvpnui, acvpndownloader), and what the differences between them are, or their actual impact on the process of AnyConnect VPN establishment?

Thank you in advance for any hint.

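As an added example (not part of the original post, and not Cisco code): a Python check that reads the scripting preferences from a profile shaped like the snippet in the post and confirms an OnConnect-prefixed file is present, so the files deployed by SCCM can be verified before comparing against EventID 3010. The wrapper elements of the sample profile and all function names are constructed for illustration; the EnableScripting value is text that precedes its child elements, so it is stripped before comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; only the EnableScripting element is quoted from the post.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <EnableScripting UserControllable="false">true
        <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>
        <EnablePostSBLOnConnectScript>false</EnablePostSBLOnConnectScript>
    </EnableScripting>
  </ClientInitialization>
</AnyConnectProfile>"""

def local(tag):
    """Strip an XML namespace: '{ns}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]

def as_bool(text):
    """Profile values are 'true'/'false' text, possibly padded with whitespace."""
    return (text or "").strip().lower() == "true"

def scripting_settings(profile_xml):
    """Return the scripting preferences in a profile, or None if the element is absent."""
    root = ET.fromstring(profile_xml)
    node = next((e for e in root.iter() if local(e.tag) == "EnableScripting"), None)
    if node is None:
        return None
    # node.text is the mixed-content value ("true" plus newline and indentation).
    settings = {"EnableScripting": as_bool(node.text),
                "UserControllable": as_bool(node.get("UserControllable"))}
    for child in node:
        settings[local(child.tag)] = as_bool(child.text)
    return settings

def onconnect_scripts(filenames):
    """Names from the Script directory that carry the OnConnect prefix used in the post."""
    return sorted(f for f in filenames if f.startswith("OnConnect"))

def check(profile_xml, script_dir_listing):
    """List the reasons an OnConnect script would not be configured to run."""
    problems = []
    settings = scripting_settings(profile_xml)
    if settings is None:
        problems.append("profile has no EnableScripting element")
    elif not settings["EnableScripting"]:
        problems.append("EnableScripting is not true")
    if not onconnect_scripts(script_dir_listing):
        problems.append("no OnConnect* file in the Script directory")
    return problems
```

On a client, pass the text of the deployed profile and `os.listdir()` of the Script directory to `check()`; an empty list means the on-disk files match what the post intends.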