Solved

Unable to connect to Cisco Any Connect Client (VPN) after installation of Webroot DWP

Posted on 2011-03-12
9
6,070 Views
Last Modified: 2012-05-11
I have been happily using Cisco Any Connect VPN client with no problems.

I have just started to use the Webroot SAAS web filtering service which uses a local proxy client 'DWP', which also all works fine, except that now the VPN client no longer connects.

I get a password box.  I get the usual security alert because of unsigned certificate (to which you click yes) and then I get "Unable to establish VPN" error message followed by "The VNP client is unable to establish a connection".

Presumably a setting needs altering somewhere to allow the VPN client to talk to the firewall (Cisco ASA5500) but do I need to change a setting on the Webroot software or on the ASA device?

Thanks for your help
0
Comment
Question by:MPWOOD
  • 5
  • 4
9 Comments
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35117983
What version of the Cisco Any Connect Client are you using. From version 2.3 you can ignore Proxies.

To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

<ProxySettings>IgnoreProxy</ProxySettings>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118043
Sorry its avalible from version 2.3.2016 onwards not just 2.3
0
 

Author Comment

by:MPWOOD
ID: 35118060
Hi terry, thanks for the reply.  I'm using 2.4.1012, so that's good news.

Please could you point me in the direction of the xml file that holds the profile?  It's not configurable through the client itself.
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118100
In Win7 its C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\

Windows XP will be C:\Documents and Settings\as above
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:MPWOOD
ID: 35120256
Hi Terry,

I modified the file but unfortunately it hasn't worked - here is the XML, does it look right to you?

i wasn't sure if the <clientinitialisation> section of the file was basically all of it so I have inserted the ignoreproxy into the body next to two other proxy lines.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>matthew</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint>9622E99DDE023EDF70EC6C7</ServerCertificateThumbprint>
<DefaultHost>223.246.117.200</DefaultHost>
<DefaultGroup>VPNGRPP</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<ProxySettings>IgnoreProxy</ProxySettings>
<SDITokenType></SDITokenType>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
</AnyConnectPreferences>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35120976
Sorry I have miss informed you on the file you need to modify. It is the global profile you need to change which is here.

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xsd

You should find the <clientinitialisation>  section in this file :-)
0
 

Author Comment

by:MPWOOD
ID: 35123723
Well I found that file - below is the extract from it re proxy which already has the parameters set to 'IgnoreProxy'. Wondering if it's not a VPN client problem but is a webroot configuration problem instead?  there isn't much about VPNs on their support pages though but perhaps I should go back to them on this?

 <xs:element name="ProxySettings" default="Native" minOccurs="0">
              <xs:annotation>
                <xs:documentation>This setting allows an administrator to control the user proxy settings.</xs:documentation>
              </xs:annotation>
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:enumeration value="Native">
                    <xs:annotation>
                      <xs:documentation>Use browser settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="IgnoreProxy">
                    <xs:annotation>
                      <xs:documentation>Use no proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="Override">
                    <xs:annotation>
                      <xs:documentation>Use AnyConnect proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                </xs:restriction>
              </xs:simpleType>
            </xs:element>
0
 

Accepted Solution

by:
MPWOOD earned 0 total points
ID: 35127530
Hi Terry, well this did turn out to be a problem on the webroot side and controlled from there, they have indicated that a change in the configuration to allow the VPN client to bypass the proxy is what was required - I have made this change and it worked.  thanks anyway for your help and hopefully this PAQ will be of use to others in the future who come up against the same issue.
0
 

Author Closing Comment

by:MPWOOD
ID: 35170685
The problem did not lie in the VPN client itself, but in the Webroot proxy not allowing the VPN to bypass the proxy.  By changing a setting in the Webroot configuration in the DWP settings to allow the VPN to bypass the proxy (Accoutns > DWP Configuration, setting the IP address the the VPN connects to in the 'Browser Bypass' box) it all worked
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now