AnyConnect 4.5 and Proxy PAC

santoroj
New Contributor II

We are currently using Cisco AnyConnect v4.5 to connect to our Cisco VPN. Prior to the connection we have internet access; once connected to the VPN, the ASA pushes a blank configuration, wiping the proxy settings. We have already engaged Cisco and there is no fix from their end. Because AnyConnect is not listed as an adapter, we cannot set a proxy configuration for it. If anyone has come across something like this and has found a solution, I would love to hear what you did. This is causing massive issues with deploying JAMF to our clients.


beejybone
New Contributor II

We are having the exact same issue. Did you ever find a solution?

santoroj
New Contributor II

Never got a solution other than a back and forth between Cisco and Apple. Both say it is the other one's issue.

bradtchapman
Valued Contributor II

AnyConnect 4.5 is a 32-bit app (or has mostly 32-bit components) and is not recommended anymore.

Even 4.6 and 4.7 use 32-bit hostscan binaries. 4.8 is all 64-bit.

Can you use the newer versions?

beejybone
New Contributor II

So, I figured it out. It's one of those if-you-use-this-specific-setup-it-won't-work kind of deals. When the user connects to VPN, web traffic should go to the PAC file URL defined in System Preferences, but it does not. It appears that there is some kind of "PAC file cache" that gets refreshed when there is a change to a network adapter. Since AnyConnect does not use a network adapter, the refresh doesn't take place. So what I have done is place a simple "OnConnect" shell script in the /opt/cisco/anyconnect/script folder that runs after the user connects. It bounces the network interfaces, which refreshes the PAC file info, and everything works correctly.

ammonsc
Contributor II

@beejybone Can you share that script?

beejybone
New Contributor II

For this to work you have to follow AnyConnect's script rules. It has to be named OnConnect.sh (case-sensitive), has to be executable, and has to be in /opt/cisco/anyconnect/script. I believe you can also have the ASA distribute it, but I didn't have access to those boxes. There is also a 45-second delay to let the compliance module finish its process. If you don't use the compliance module you could probably remove that line.

#!/bin/sh -u
# AnyConnect runs this after a VPN connect. It must be named OnConnect.sh,
# be executable and live in /opt/cisco/anyconnect/script.

# Give the compliance module time to finish (remove if it is not used).
sleep 45

# Skip the header line of -listallnetworkservices, then bounce the
# automatic proxy (PAC) state on every service that has it enabled so
# the cached PAC configuration is re-read. Disabled services are listed
# with a leading "*" and never match the "Enabled: Yes" test.
networksetup -listallnetworkservices | awk 'NR>1' | while read SERVICE ; do
    if networksetup -getautoproxyurl "$SERVICE" | grep '^Enabled: Yes' >/dev/null; then
        networksetup -setautoproxystate "$SERVICE" off
        networksetup -setautoproxystate "$SERVICE" on
        echo "$SERVICE" bounced.
    fi
done
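A pre-flight check for the script rules described above, added here as an illustration and not part of beejybone's post or of Cisco's tooling. It verifies the exact case-sensitive name, the executable bit and a real shebang line, and adds the hygiene a practitioner would want for a directory whose contents run on every VPN connect: the file and its directory should be owned by the expected administrative account (assumed to be root unless overridden) and writable by nobody else.

```shell
#!/bin/sh
# Usage: check_onconnect /opt/cisco/anyconnect/script [expected_owner]
# Prints one line per failed check and returns non-zero if any check failed.
# The expected owner defaults to root (an assumption); pass another name to override.
check_onconnect() {
    dir="$1"
    owner="${2:-root}"
    f="$dir/OnConnect.sh"
    rc=0

    # The name is case-sensitive: onconnect.sh or OnConnect.SH is silently ignored.
    if [ ! -f "$f" ]; then
        echo "MISSING: $f (name must be exactly OnConnect.sh)"
        return 1
    fi

    # AnyConnect only runs an executable file.
    [ -x "$f" ] || { echo "NOT EXECUTABLE: $f"; rc=1; }

    # A first line such as "! /bin/sh -u" (missing the #) is not a shebang and will not exec.
    head -n 1 "$f" | grep -q '^#!' || { echo "NO SHEBANG: $f"; rc=1; }

    # Ownership and write bits are checked with find, which behaves the same
    # on macOS and Linux (stat's flags differ between the two).
    [ -n "$(find "$f" -user "$owner" 2>/dev/null)" ] \
        || { echo "WRONG OWNER (want $owner): $f"; rc=1; }
    [ -z "$(find "$f" -perm -0002 2>/dev/null)" ] \
        || { echo "WORLD-WRITABLE: $f"; rc=1; }
    [ -z "$(find "$f" -perm -0020 2>/dev/null)" ] \
        || { echo "GROUP-WRITABLE: $f"; rc=1; }

    # The directory matters too: anyone who can write to it can drop in a new
    # OnConnect.sh that runs at the next connect. -prune limits find to the dir itself.
    [ -z "$(find "$dir" -prune -perm -0002 2>/dev/null)" ] \
        || { echo "WORLD-WRITABLE DIRECTORY: $dir"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}
```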