AnyConnect troubleshooting

I have been doing a lot of work with AnyConnect recently, setting up DAP policies to lock down the environments, and rolled them out cautiously. No one likes locking users out of VPNs, and there was some toing and froing with Cisco over issues with Macs and BitDefender not being picked up (a bug case has been created for this).

This weekend was the final round of configurations, meaning that if anyone had not supplied me the necessary details, they’d be locked out.

Despite several emails asking for the required info, there were a small handful of users who either missed or filed away the emails, and so it comes as no surprise that one contacted me today with issues.

I had tried to be proactive and given that most of the requirements were corporate standards, thought that I had covered those who had not come back to me earlier. Still, one user could not connect.

I tried different VPNs. Same issue. HostScan was taking a phenomenally long time. Worryingly, I could see nothing in the DAP logs (debug dap trace).

So, if DAP was failing, I would expect to see something in those logs: the attempt, something to show a connection had been made. But there was nothing.

We uninstalled and reinstalled AnyConnect and HostScan.

Same issue.

Other people were connecting with no issues, and the user could use a different machine and log in immediately. It’s clearly an issue with the machine, not the user, or the DAP policies.

The DART program was run and the logs collected.

Amongst the masses of output, what stood out was the number of certificates that were tried during connection attempts. Most of these had been proxied through Fiddler.

Fiddler certificate replacement

Although the user did not have Fiddler running, the number of certs was enough to prevent AnyConnect (and probably more specifically, HostScan) from working.

There are probably two issues at play here.

Firstly, HostScan has a limit: https://www.tunnelsup.com/anyconnect-hostscan-results-exceed-default-limit/.

Secondly, well... Fiddler: https://mattlapaglia.com/cisco-anyconnect-hostscan-is-waiting-for-the-next-scan/.
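Because the DART logs only showed the symptom (certificate after certificate being tried), a quick way to confirm the Fiddler theory on a suspect machine is to count what is actually sitting in the Windows certificate stores. The script below is an added example, not part of the original post or any Cisco tooling. It assumes a Windows client and Fiddler's default root certificate name, DO_NOT_TRUST_FiddlerRoot, which is the issuer of every per-host certificate Fiddler generates; the store paths and the -Remove switch are my own choices for the example.

```powershell
# Added example (not from the original post): inventory, and optionally remove,
# certificates that Fiddler left behind in the Windows certificate stores so a
# HostScan run is not churning through hundreds of stale proxy certificates.
# Assumptions: a Windows client, and Fiddler's default root certificate name
# "DO_NOT_TRUST_FiddlerRoot" (the per-host certificates it mints are issued by it).

param(
    [switch]$Remove   # dry run by default; only delete when explicitly asked
)

# Stores Fiddler writes to: generated server certs go to the user's Personal
# store, the root goes to the user (and sometimes machine) Trusted Root store.
$stores = @(
    'Cert:\CurrentUser\My',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\Root'
)

foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }

    $all = @(Get-ChildItem -Path $store)

    # Match both the Fiddler root itself (by subject) and everything it issued.
    $fiddler = @($all | Where-Object {
        $_.Issuer  -like '*DO_NOT_TRUST_FiddlerRoot*' -or
        $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*'
    })

    '{0}: {1} certificates total, {2} from Fiddler' -f $store, $all.Count, $fiddler.Count

    if ($fiddler.Count -gt 0) {
        $fiddler | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
    }

    if ($Remove -and $fiddler.Count -gt 0) {
        # Remove-Item works against the Cert: provider; LocalMachine needs an elevated shell.
        $fiddler | Remove-Item
        'Removed {0} Fiddler certificates from {1}' -f $fiddler.Count, $store
    }
}
```

Run it without arguments first to see the counts; a Personal store with hundreds of entries issued by DO_NOT_TRUST_FiddlerRoot is the smoking gun. Re-run with -Remove (from an elevated prompt if you want LocalMachine\Root cleaned too) and then retry the AnyConnect login. Fiddler will recreate its root the next time it is started with HTTPS decryption enabled, so on a machine that genuinely needs Fiddler the cleanup is a recurring chore rather than a one-off.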

So if your AnyConnect is taking a long time, please have a read of the two articles above and thanks to the authors for saving me a lot of time!
