
Cisco AnyConnect VPN getting random disconnects when WSS agent on same host


Article ID: 216298




Cloud Secure Web Gateway - Cloud SWG


WSS agent running on the Windows platform to send internet-bound traffic into WSS

Cisco AnyConnect VPN client running on same host

Cisco traffic bypassed from WSS per best practice

Users with an active WSS agent frequently experience disconnects from the Cisco VPN server


WSS agent

Cisco AnyConnect VPN client


A Cisco VPN server IP address that the vpnagent.exe component was temporarily using was missing from the WSS bypass list.


We found a VPN server IP address that was not bypassed and manually added it to the list. (All IP addresses the user is accessing are visible in the WSS Proxy access logs, where you can determine whether they are related to the VPN client.)

Alternatively, bypass all Cisco VPN client applications from WSS, including c:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (the problem application in this case).
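
The access-log check described above can be scripted. The following is an added example, not part of the original article or of any vendor tooling: it reads an exported proxy access log and reports VPN-related destination IP addresses that are not covered by the bypass list. The log layout, the field names (cs-host, r-ip), the hostname suffix and all addresses are constructed assumptions; adjust them to your own export.

```python
import ipaddress

# Constructed sample data: hostnames, addresses and field names are assumptions.
BYPASS_LIST = ["192.0.2.10", "198.51.100.0/28"]   # single IPs or CIDR ranges
VPN_HOST_SUFFIX = ".vpn.example.com"              # how VPN gateways are named
SAMPLE_LOG = """\
#Fields: date time c-ip cs-host r-ip sc-status
2024-01-01 09:00:01 10.0.0.5 gw1.vpn.example.com 192.0.2.10 200
2024-01-01 09:00:07 10.0.0.5 gw2.vpn.example.com 198.51.100.7 200
2024-01-01 09:03:12 10.0.0.5 gw3.vpn.example.com 203.0.113.25 0
2024-01-01 09:03:40 10.0.0.5 www.example.org 203.0.113.80 200
2024-01-01 09:09:55 10.0.0.8 gw3.vpn.example.com 203.0.113.25 0
"""

def parse_bypass(entries):
    """Turn bypass entries (single IPs or CIDR ranges) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def parse_log(text):
    """Yield one dict per record, taking column names from the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def unbypassed_vpn_destinations(log_text, bypass_entries, host_suffix):
    """Return {ip: [hostnames]} for VPN destinations not covered by the bypass list."""
    networks = parse_bypass(bypass_entries)
    missing = {}
    for rec in parse_log(log_text):
        host = rec.get("cs-host", "").lower()
        if not host.endswith(host_suffix):
            continue                         # not VPN-related
        try:
            ip = ipaddress.ip_address(rec.get("r-ip", ""))
        except ValueError:
            continue                         # no destination address recorded
        if not any(ip in net for net in networks):
            missing.setdefault(str(ip), set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in missing.items()}

if __name__ == "__main__":
    found = unbypassed_vpn_destinations(SAMPLE_LOG, BYPASS_LIST, VPN_HOST_SUFFIX)
    for ip, hosts in found.items():
        print(f"add to bypass list: {ip}  ({', '.join(hosts)})")
```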

Additional Information

After gathering SymDiag logs and rehydrating them, we found one TLS session that failed to complete successfully: the client generated a fatal TLS alert with the description "Certificate unknown" after receiving the WSS server certificate. We added this to the bypass list and all worked fine.

Make sure that you add all VPN server IP addresses to the WSS bypass list.