Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Unable to connect to Cisco Any Connect Client (VPN) after installation of Webroot DWP

Posted on 2011-03-12
9
Medium Priority
?
6,928 Views
Last Modified: 2012-05-11
I have been happily using Cisco Any Connect VPN client with no problems.

I have just started to use the Webroot SAAS web filtering service which uses a local proxy client 'DWP', which also all works fine, except that now the VPN client no longer connects.

I get a password box.  I get the usual security alert because of unsigned certificate (to which you click yes) and then I get "Unable to establish VPN" error message followed by "The VNP client is unable to establish a connection".

Presumably a setting needs altering somewhere to allow the VPN client to talk to the firewall (Cisco ASA5500) but do I need to change a setting on the Webroot software or on the ASA device?

Thanks for your help
0
Comment
Question by:MPWOOD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35117983
What version of the Cisco Any Connect Client are you using. From version 2.3 you can ignore Proxies.

To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

<ProxySettings>IgnoreProxy</ProxySettings>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118043
Sorry its avalible from version 2.3.2016 onwards not just 2.3
0
 

Author Comment

by:MPWOOD
ID: 35118060
Hi terry, thanks for the reply.  I'm using 2.4.1012, so that's good news.

Please could you point me in the direction of the xml file that holds the profile?  It's not configurable through the client itself.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 5

Expert Comment

by:terrygreensill
ID: 35118100
In Win7 its C:\Users\username\AppData\Local\Cisco\Cisco AnyConnect VPN Client\

Windows XP will be C:\Documents and Settings\as above
0
 

Author Comment

by:MPWOOD
ID: 35120256
Hi Terry,

I modified the file but unfortunately it hasn't worked - here is the XML, does it look right to you?

i wasn't sure if the <clientinitialisation> section of the file was basically all of it so I have inserted the ignoreproxy into the body next to two other proxy lines.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>matthew</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint>9622E99DDE023EDF70EC6C7</ServerCertificateThumbprint>
<DefaultHost>223.246.117.200</DefaultHost>
<DefaultGroup>VPNGRPP</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<ProxySettings>IgnoreProxy</ProxySettings>
<SDITokenType></SDITokenType>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess></ControllablePreferences>
</AnyConnectPreferences>
0
 
LVL 5

Expert Comment

by:terrygreensill
ID: 35120976
Sorry I have miss informed you on the file you need to modify. It is the global profile you need to change which is here.

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.xsd

You should find the <clientinitialisation>  section in this file :-)
0
 

Author Comment

by:MPWOOD
ID: 35123723
Well I found that file - below is the extract from it re proxy which already has the parameters set to 'IgnoreProxy'. Wondering if it's not a VPN client problem but is a webroot configuration problem instead?  there isn't much about VPNs on their support pages though but perhaps I should go back to them on this?

 <xs:element name="ProxySettings" default="Native" minOccurs="0">
              <xs:annotation>
                <xs:documentation>This setting allows an administrator to control the user proxy settings.</xs:documentation>
              </xs:annotation>
              <xs:simpleType>
                <xs:restriction base="xs:string">
                  <xs:enumeration value="Native">
                    <xs:annotation>
                      <xs:documentation>Use browser settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="IgnoreProxy">
                    <xs:annotation>
                      <xs:documentation>Use no proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                  <xs:enumeration value="Override">
                    <xs:annotation>
                      <xs:documentation>Use AnyConnect proxy settings.</xs:documentation>
                    </xs:annotation>
                  </xs:enumeration>
                </xs:restriction>
              </xs:simpleType>
            </xs:element>
0
 

Accepted Solution

by:
MPWOOD earned 0 total points
ID: 35127530
Hi Terry, well this did turn out to be a problem on the webroot side and controlled from there, they have indicated that a change in the configuration to allow the VPN client to bypass the proxy is what was required - I have made this change and it worked.  thanks anyway for your help and hopefully this PAQ will be of use to others in the future who come up against the same issue.
0
 

Author Closing Comment

by:MPWOOD
ID: 35170685
The problem did not lie in the VPN client itself, but in the Webroot proxy not allowing the VPN to bypass the proxy.  By changing a setting in the Webroot configuration in the DWP settings to allow the VPN to bypass the proxy (Accoutns > DWP Configuration, setting the IP address the the VPN connects to in the 'Browser Bypass' box) it all worked
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question