Solved

Unable to connect to Cisco Any Connect Client (VPN) after installation of Webroot DWP

Posted on 2011-03-12
Last Modified: 2012-05-11
I have been happily using Cisco Any Connect VPN client with no problems.

I have just started to use the Webroot SAAS web filtering service which uses a local proxy client 'DWP', which also all works fine, except that now the VPN client no longer connects.

I get a password box. I get the usual security alert because of the unsigned certificate (to which you click yes) and then I get an "Unable to establish VPN" error message followed by "The VPN client is unable to establish a connection".

Presumably a setting needs altering somewhere to allow the VPN client to talk to the firewall (Cisco ASA5500) but do I need to change a setting on the Webroot software or on the ASA device?

Thanks for your help
0
Question by:MPWOOD
9 Comments
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35117983
What version of the Cisco Any Connect Client are you using? From version 2.3 you can ignore proxies.

To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

<ProxySettings>IgnoreProxy</ProxySettings>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118043
Sorry, it's available from version 2.3.2016 onwards, not just 2.3.
0
 

Author Comment

by:MPWOOD
ID: 35118060
Hi terry, thanks for the reply.  I'm using 2.4.1012, so that's good news.

Please could you point me in the direction of the xml file that holds the profile?  It's not configurable through the client itself.
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118100
In Win7 it's C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\

Windows XP will be C:\Documents and Settings\as above
0
 

Author Comment

by:MPWOOD
ID: 35120256
Hi Terry,

I modified the file but unfortunately it hasn't worked. Here is the XML, does it look right to you?

I wasn't sure if the <clientinitialisation> section of the file was basically all of it, so I have inserted the ignoreproxy into the body next to two other proxy lines.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser>matthew</DefaultUser>
  <DefaultSecondUser></DefaultSecondUser>
  <ClientCertificateThumbprint></ClientCertificateThumbprint>
  <ServerCertificateThumbprint>9622E99DDE023EDF70EC6C7</ServerCertificateThumbprint>
  <DefaultHost>223.246.117.200</DefaultHost>
  <DefaultGroup>VPNGRPP</DefaultGroup>
  <ProxyHost></ProxyHost>
  <ProxyPort></ProxyPort>
  <ProxySettings>IgnoreProxy</ProxySettings>
  <SDITokenType></SDITokenType>
  <ControllablePreferences>
    <LocalLanAccess>true</LocalLanAccess>
  </ControllablePreferences>
</AnyConnectPreferences>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35120976
Sorry, I have misinformed you on the file you need to modify. It is the global profile you need to change, which is here:

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xsd

You should find the <clientinitialisation>  section in this file :-)
0
 

Author Comment

by:MPWOOD
ID: 35123723
Well, I found that file. Below is the extract from it re proxy, which already has the parameters set to 'IgnoreProxy'. Wondering if it's not a VPN client problem but is a Webroot configuration problem instead? There isn't much about VPNs on their support pages, though, but perhaps I should go back to them on this?

 <xs:element name="ProxySettings" default="Native" minOccurs="0">
              <xs:annotation>
                <xs:documentation>This setting allows an administrator to control the user proxy settings.</xs:documentation>
              </xs:annotation>
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:enumeration value="Native">
                    <xs:annotation>
                      <xs:documentation>Use browser settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="IgnoreProxy">
                    <xs:annotation>
                      <xs:documentation>Use no proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="Override">
                    <xs:annotation>
                      <xs:documentation>Use AnyConnect proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                </xs:restriction>
              </xs:simpleType>
            </xs:element>
0
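An added example, not code from any poster in this thread: a small check that reports whether a file's ProxySettings element sits under <ClientInitialization> and carries one of the three values listed in the schema extract above. Both sample documents, the AnyConnectProfile root element name and the namespace URI are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values from the ProxySettings enumeration in the schema extract above.
ALLOWED = {"Native", "IgnoreProxy", "Override"}

# Constructed sample: a per-user preferences file with the setting pasted in.
PREFS_SAMPLE = """<AnyConnectPreferences>
  <DefaultUser>user</DefaultUser>
  <ProxyHost></ProxyHost>
  <ProxySettings>IgnoreProxy</ProxySettings>
</AnyConnectPreferences>"""

# Constructed sample: a profile with the setting in the expected section.
# Root element name and namespace URI are assumptions for the example.
PROFILE_SAMPLE = """<AnyConnectProfile xmlns="urn:example:profile">
  <ClientInitialization>
    <ProxySettings>IgnoreProxy</ProxySettings>
  </ClientInitialization>
</AnyConnectProfile>"""


def local(tag):
    """Strip an XML namespace prefix of the form '{uri}Name'."""
    return tag.rsplit("}", 1)[-1]


def check_proxy_settings(xml_text):
    """Return (status, detail) for the first ProxySettings element found."""
    root = ET.fromstring(xml_text)
    hits = []  # (parent element name, element text)
    for parent in root.iter():
        for child in parent:
            if local(child.tag) == "ProxySettings":
                hits.append((local(parent.tag), (child.text or "").strip()))
    if not hits:
        return ("missing", "no ProxySettings element; schema default is Native")
    parent, value = hits[0]
    if parent != "ClientInitialization":
        return ("misplaced", f"found under <{parent}>, not <ClientInitialization>")
    if value not in ALLOWED:  # the enumeration is case-sensitive
        return ("invalid", f"{value!r} is not one of {sorted(ALLOWED)}")
    return ("ok", value)


if __name__ == "__main__":
    for name, doc in (("preferences", PREFS_SAMPLE), ("profile", PROFILE_SAMPLE)):
        print(name, check_proxy_settings(doc))
```
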
 

Accepted Solution

by:
MPWOOD earned 0 total points
ID: 35127530
Hi Terry, well, this did turn out to be a problem on the Webroot side and controlled from there. They have indicated that a change in the configuration to allow the VPN client to bypass the proxy is what was required. I have made this change and it worked. Thanks anyway for your help, and hopefully this PAQ will be of use to others in the future who come up against the same issue.
0
 

Author Closing Comment

by:MPWOOD
ID: 35170685
The problem did not lie in the VPN client itself, but in the Webroot proxy not allowing the VPN to bypass the proxy. By changing a setting in the Webroot configuration in the DWP settings to allow the VPN to bypass the proxy (Accounts > DWP Configuration, setting the IP address that the VPN connects to in the 'Browser Bypass' box) it all worked.
0


Question has a verified solution.
