WSS Agent is running on the Windows platform to send internet-bound traffic into Cloud SWG (Cloud Secure Web Gateway, formerly WSS).
Cisco AnyConnect VPN client is running on the same host.
Cisco traffic is bypassed from Cloud SWG per best practice.
Users with an active WSS Agent frequently experience disconnects from the Cisco VPN server.
WSS Agent.
Cisco AnyConnect VPN client.
A Cisco VPN server IP address that was temporarily being used by the vpnagent.exe component was missing from the Cloud SWG bypass list.
We found a VPN server IP address that was not bypassed and manually added it to the list. The Cloud SWG access logs show all IP addresses the user is accessing, so you can determine whether they are related to the VPN client.
Another option is to bypass all Cisco VPN client applications from Cloud SWG, including C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (the problem application in this case).
After gathering SymDiag logs and rehydrating them, we found one TLS session that failed to complete successfully (a fatal TLS alert generated by the client, with the description "Certificate unknown", after receiving the Cloud SWG server certificate). We added this to the bypass list and all worked fine.
Make sure that you add all VPN server IP addresses to the Cloud SWG bypass list.
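One way to run the comparison described above, as an added example that is not part of the original article or of any Broadcom or Cisco tooling: it checks destination IP addresses attributed to the VPN client against the bypass entries and reports the ones no entry covers. The bypass list is assumed to be a text export with one IP address or CIDR subnet per line; all addresses and names below are constructed sample values.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real VPN servers.
BYPASS_LIST = [
    "192.0.2.10",
    "198.51.100.0/28  # VPN headend pool",
    "vpn.example.com",  # domain entry: cannot be matched against an IP here
    "",
]
OBSERVED_VPN_IPS = [  # destinations attributed to the VPN client, e.g. from access logs
    "192.0.2.10", "198.51.100.5", "198.51.100.20", "203.0.113.7", "198.51.100.20",
]


def parse_bypass_entries(lines):
    """Split bypass entries into IP networks and entries that are not IPs/CIDRs."""
    networks, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not entry:
            continue
        try:
            # strict=False accepts a host address written with a prefix length
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def unbypassed(observed_ips, networks):
    """Return the de-duplicated, sorted observed IPs that no bypass entry covers."""
    missing = set()
    for text in observed_ips:
        addr = ipaddress.ip_address(text.strip())
        # Membership is always False across IPv4/IPv6, so mixed lists are safe.
        if not any(addr in net for net in networks):
            missing.add(addr)
    ordered = sorted(missing, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered]


if __name__ == "__main__":
    nets, skipped = parse_bypass_entries(BYPASS_LIST)
    for ip in unbypassed(OBSERVED_VPN_IPS, nets):
        print(f"not bypassed: {ip}")
    for entry in skipped:
        print(f"not an IP/CIDR entry, check separately: {entry}")
```

Entries reported as not an IP/CIDR (such as domain-based bypasses) are outside what this check covers and need to be reviewed separately.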