WSS agent running on Windows platform to send internet-bound traffic into WSS
Cisco AnyConnect VPN client running on same host
Cisco traffic bypassed from WSS per best practice
Users with an active WSS agent frequently experience disconnects from the Cisco VPN server
Cisco AnyConnect VPN client
A Cisco VPN server IP address that was temporarily being used by the vpnagent.exe component was missing from the WSS bypass list.
We found a VPN server IP address that was not bypassed and manually added it to the list. (The WSS Proxy access logs show all IP addresses the user is accessing, so you can determine whether they are related to the VPN client.)
Or bypass all Cisco VPN client applications from WSS, including c:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (problem application in this case)
After gathering the SymDiag logs and rehydrating them, we found one TLS session that failed to complete successfully: the client generated a fatal TLS alert with the description "Certificate unknown" after receiving the WSS server certificate. We added this to the bypass list and all worked fine.
Make sure that you add all VPN server IP addresses to the WSS bypass list.
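One way to check bypass coverage, as an added example that is not part of the original article or any Symantec/Cisco tooling. The function names, the three-field log layout (timestamp, destination IP, port) and all addresses are constructed for illustration; the real WSS access log format differs and must be mapped to these fields.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real servers).
VPN_SERVER_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]
BYPASS_LIST = ["192.0.2.10", "192.0.2.11/32", "203.0.113.0/24"]
PROXY_LOG = [  # assumed layout: timestamp dest_ip dest_port
    "2024-01-01T10:00:00Z 198.51.100.7 443",
    "2024-01-01T10:00:05Z 203.0.113.50 443",
    "2024-01-01T10:00:07Z portal.example.test 443",
    "2024-01-01T10:00:09Z 198.51.100.7 443",
]

def parse_bypass(entries):
    """Turn bypass entries (single IPs or CIDR subnets) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def uncovered_vpn_ips(vpn_ips, bypass_entries):
    """Return the VPN server IPs that no bypass entry covers, in input order."""
    nets = parse_bypass(bypass_entries)
    missing = []
    for ip in vpn_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            missing.append(ip)
    return missing

def vpn_ips_seen_by_proxy(log_lines, vpn_ips):
    """Return VPN server IPs that appear as proxy log destinations, which
    means that traffic went through the proxy instead of being bypassed."""
    wanted = {ipaddress.ip_address(ip) for ip in vpn_ips}
    seen = set()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            dest = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # destination logged as a hostname, or malformed
        if dest in wanted:
            seen.add(str(dest))
    return sorted(seen)

if __name__ == "__main__":
    print("Not in bypass list:", uncovered_vpn_ips(VPN_SERVER_IPS, BYPASS_LIST))
    print("Seen in proxy log: ", vpn_ips_seen_by_proxy(PROXY_LOG, VPN_SERVER_IPS))
```

An address reported by both functions is a VPN server that is missing from the bypass list and whose traffic the proxy has already handled.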