Cisco AnyConnect VPN getting random disconnects when WSS agent on same host

Article ID: 216298

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS agent running on Windows platform to send internet bound traffic into WSS

Cisco AnyConnect VPN client running on same host

Cisco traffic bypassed from WSS per best practice

Users with active WSS agent frequently experience disconnects to Cisco VPN server

Environment

WSS agent

Cisco AnyConnect VPN client

Cause

A Cisco VPN server IP address that the vpnagent.exe component was temporarily using was missing from the WSS bypass list.

Resolution

Found the VPN server IP address that was not bypassed and manually added it to the bypass list. All IP addresses the user is accessing can be seen in the WSS Proxy access logs, from which you can determine which ones belong to the VPN client.

Alternatively, bypass all Cisco VPN client applications from WSS, including c:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe (the problem application in this case).
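As an added illustration of the first resolution step (example code, not part of the original article or of the WSS product), the script below takes constructed access-log lines in a simplified layout that is assumed for this example, collects the destination IPs contacted by vpnagent.exe, and reports those that no entry in the bypass list covers.

```python
import ipaddress
import re

# Constructed sample access-log lines in a simplified, space-separated layout
# (an assumption for this example; the real WSS access log has more fields).
# Fields: timestamp client_ip dest_ip dest_port process_name action
SAMPLE_LOG = """\
2021-06-01T09:00:01Z 10.1.1.20 203.0.113.10 443 vpnagent.exe ALLOWED
2021-06-01T09:00:02Z 10.1.1.20 198.51.100.7 443 chrome.exe ALLOWED
2021-06-01T09:00:05Z 10.1.1.20 203.0.113.25 443 vpnagent.exe ALLOWED
2021-06-01T09:00:09Z 10.1.1.20 203.0.113.10 443 vpnagent.exe ALLOWED
2021-06-01T09:00:12Z 10.1.1.21 192.0.2.44 443 vpnagent.exe ALLOWED
"""

# Constructed bypass list: one CIDR covering most VPN servers plus one host.
BYPASS_LIST = ["203.0.113.0/28", "198.51.100.7/32"]

VPN_PROCESSES = {"vpnagent.exe"}  # the VPN component named in the article

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (dest_ip, process_name) for each well-formed access-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _, _, dest_ip, _, process, _ = m.groups()
        yield ipaddress.ip_address(dest_ip), process


def vpn_destinations(text, processes=VPN_PROCESSES):
    """Distinct destination IPs contacted by the VPN client process(es)."""
    return {ip for ip, proc in parse_log(text) if proc.lower() in processes}


def missing_from_bypass(dest_ips, bypass_entries):
    """Return VPN destinations that no bypass entry covers, sorted by address."""
    nets = [ipaddress.ip_network(e, strict=False) for e in bypass_entries]
    uncovered = [ip for ip in dest_ips if not any(ip in n for n in nets)]
    return [str(ip) for ip in sorted(uncovered)]


if __name__ == "__main__":
    for ip in missing_from_bypass(vpn_destinations(SAMPLE_LOG), BYPASS_LIST):
        print(f"VPN server {ip} is still reaching WSS; add it to the bypass list")
```

With the constructed data, 203.0.113.10 is inside 203.0.113.0/28 while 203.0.113.25 and 192.0.2.44 are not, so those two are reported as bypass gaps.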

Additional Information

After gathering Symdiag logs and rehydrating them, we found one TLS session that failed to complete: the client generated a fatal TLS alert with the description "Certificate unknown" after receiving the WSS server certificate. We added the destination IP address to the bypass list and everything worked fine.

Make sure that you add all VPN server IP addresses to the WSS bypass list.