Solved

Unable to connect to Cisco Any Connect Client (VPN) after installation of Webroot DWP

Posted on 2011-03-12
Last Modified: 2012-05-11
I have been happily using Cisco Any Connect VPN client with no problems.

I have just started to use the Webroot SAAS web filtering service which uses a local proxy client 'DWP', which also all works fine, except that now the VPN client no longer connects.

I get a password box. I get the usual security alert because of unsigned certificate (to which you click yes) and then I get "Unable to establish VPN" error message followed by "The VPN client is unable to establish a connection".

Presumably a setting needs altering somewhere to allow the VPN client to talk to the firewall (Cisco ASA5500) but do I need to change a setting on the Webroot software or on the ASA device?

Thanks for your help
Question by:MPWOOD
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35117983
What version of the Cisco Any Connect Client are you using? From version 2.3 you can ignore proxies.

To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

<ProxySettings>IgnoreProxy</ProxySettings>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118043
Sorry, it's available from version 2.3.2016 onwards, not just 2.3.
0
 

Author Comment

by:MPWOOD
ID: 35118060
Hi terry, thanks for the reply.  I'm using 2.4.1012, so that's good news.

Please could you point me in the direction of the xml file that holds the profile?  It's not configurable through the client itself.
0

 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118100
In Win7 it's C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\

Windows XP will be C:\Documents and Settings\as above
0
 

Author Comment

by:MPWOOD
ID: 35120256
Hi Terry,

I modified the file but unfortunately it hasn't worked - here is the XML, does it look right to you?

I wasn't sure if the <clientinitialisation> section of the file was basically all of it, so I have inserted the ignoreproxy into the body next to two other proxy lines.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>matthew</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint>9622E99DDE023EDF70EC6C7</ServerCertificateThumbprint>
<DefaultHost>223.246.117.200</DefaultHost>
<DefaultGroup>VPNGRPP</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<ProxySettings>IgnoreProxy</ProxySettings>
<SDITokenType></SDITokenType>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
</AnyConnectPreferences>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35120976
Sorry, I have misinformed you on the file you need to modify. It is the global profile you need to change, which is here.

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xsd

You should find the <clientinitialisation>  section in this file :-)
0
 

Author Comment

by:MPWOOD
ID: 35123723
Well, I found that file - below is the extract from it re proxy, which already has the parameters set to 'IgnoreProxy'. Wondering if it's not a VPN client problem but is a Webroot configuration problem instead? There isn't much about VPNs on their support pages though, but perhaps I should go back to them on this?

<xs:element name="ProxySettings" default="Native" minOccurs="0">
  <xs:annotation>
    <xs:documentation>This setting allows an administrator to control the user proxy settings.</xs:documentation>
  </xs:annotation>
  <xs:simpleType>
    <xs:restriction base="xs:string">
      <xs:enumeration value="Native">
        <xs:annotation>
          <xs:documentation>Use browser settings.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="IgnoreProxy">
        <xs:annotation>
          <xs:documentation>Use no proxy settings.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
      <xs:enumeration value="Override">
        <xs:annotation>
          <xs:documentation>Use AnyConnect proxy settings.</xs:documentation>
        </xs:annotation>
      </xs:enumeration>
    </xs:restriction>
  </xs:simpleType>
</xs:element>
0
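Added example, not part of the thread and not Cisco's code: a Python check of whether an AnyConnect XML file carries `ProxySettings` inside a `ClientInitialization` section and whether its value is one of the three the quoted XSD extract enumerates. The sample documents, the `AnyConnectProfile` root name, the `urn:example:profile` namespace and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values enumerated for ProxySettings in the XSD extract quoted in the thread.
ALLOWED = {"Native", "IgnoreProxy", "Override"}

# Constructed samples (not real configuration files).
PREFS_SAMPLE = """<AnyConnectPreferences>
  <ProxyHost></ProxyHost>
  <ProxySettings>IgnoreProxy</ProxySettings>
</AnyConnectPreferences>"""
PROFILE_SAMPLE = """<AnyConnectProfile xmlns="urn:example:profile">
  <ClientInitialization>
    <ProxySettings>IgnoreProxy</ProxySettings>
  </ClientInitialization>
</AnyConnectProfile>"""


def local(tag):
    """Drop a '{namespace}' prefix so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def child(parent, name):
    """First direct child with this exact (case-sensitive) local name."""
    return next((e for e in parent if local(e.tag) == name), None)


def check_proxy_settings(xml_text):
    """Return (status, detail) for the ProxySettings element in one XML document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("invalid-xml", str(exc))
    if local(root.tag) == "AnyConnectPreferences":
        return ("preferences-file", "per-user preferences file, not the profile")
    init = child(root, "ClientInitialization")
    if init is None:
        return ("no-client-initialization", local(root.tag))
    setting = child(init, "ProxySettings")
    if setting is None:
        return ("default", "Native")  # the XSD declares default="Native"
    value = (setting.text or "").strip()
    return ("ok", value) if value in ALLOWED else ("bad-value", value)


if __name__ == "__main__":
    for name, doc in (("preferences", PREFS_SAMPLE), ("profile", PROFILE_SAMPLE)):
        print(name, check_proxy_settings(doc))
```

Element names are matched case-sensitively, so a section spelled `ClientInitialisation` is reported as `no-client-initialization` rather than silently accepted.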
 

Accepted Solution

by:
MPWOOD earned 0 total points
ID: 35127530
Hi Terry, well this did turn out to be a problem on the Webroot side and controlled from there; they have indicated that a change in the configuration to allow the VPN client to bypass the proxy is what was required - I have made this change and it worked. Thanks anyway for your help and hopefully this PAQ will be of use to others in the future who come up against the same issue.
0
 

Author Closing Comment

by:MPWOOD
ID: 35170685
The problem did not lie in the VPN client itself, but in the Webroot proxy not allowing the VPN to bypass the proxy. By changing a setting in the Webroot configuration in the DWP settings to allow the VPN to bypass the proxy (Accounts > DWP Configuration, setting the IP address that the VPN connects to in the 'Browser Bypass' box) it all worked.
0
