AnyConnect Always-On VPN Open Failure Policy not working

Hi everyone!

 

I am trying to configure AnyConnect always-on VPN using double certificate authentication, with authorization handled by ISE. I've got everything working the way I want it except for one thing - the failure policy.

 

I want to use the Open option if the ASA is not available, which from what I understand the device will be allowed to access whatever network (and internet) it is currently connected to. 

 

I've enabled Always On, Allow Disconnect and Failure Policy is set to Open, but if I take down the ASA my PC still can't access the internet in any way after the VPN connection fails. The "Help" button inside the Profile Editor says I can't enable the Open failure policy without enabling Allow Disconnect, but despite this I cannot get it to work.

 

Currently using AnyConnect 4.4.00243.

Could it be that "Open" only works if you're already connected to the VPN and THEN it goes down? It can't help you if you are never able to connect to the ASA in the first place?

 

Any ideas?

Accepted Solution

I finally managed to achieve what I wanted to do.

 

By disabling Always-On in the VPN profile and just sticking with Automatic VPN Policy, it seems to work great now. If for some reason the automatic VPN cannot be established, either due to ISE, AD or the ASA being down, or if not all certificates can be found on the computer, AnyConnect will now no longer lock down all network adapters.

3 Replies

I've made some progress regarding all this mess.

 

It seems that AnyConnect is using some very weird logic to determine what is considered "VPN failed". I literally have to disconnect the outside interface of the ASA for AnyConnect to make the decision that the ASA is down and AnyConnect on the local machine is allowed to "fail open".

 

In my scenario it means that even if the VPN connection fails due to ISE or AD being down, AnyConnect will not allow the connection to "fail open" so that the user can access the internet they are currently connected to. They will be forever locked with no access to anything until the VPN is established or I completely disconnect the ASA from the internet.

 

Even completely disabling Remote Access VPN on the ASA does NOT trigger the fail-open case. I've been looking in Wireshark on the local machine, and even with Remote Access VPN disabled on the ASA I can still see the ASA presenting itself with its identity certificate.

 

This all seems super odd to me... the "fail open" scenario should definitely be triggered if the VPN cannot be established, not only when the ASA is completely down. 

 

Any AnyConnect experts out there who have a better idea of what is going on?

I think I figured out at least some of the logic that the client uses.

 

1.) If the client is on an untrusted network and the user manually disconnects the AnyConnect client (if allowed the option), the client always fails closed.

2.) If the client is on an untrusted network and tries to connect the AnyConnect client but fails to do so after some attempts, the client fails open.

3.) If you manually disconnect when on a trusted network, it will fail open.

 

The caveat I found, however, is that the subnets/IPs configured to split tunnel outside the client seem to be 'unavailable' even when the connection fails open. I'm going from memory here so I might be off a bit.
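The thread turns on three profile settings interacting: Always-On, Connect Failure Policy and Allow VPN Disconnect, plus the accepted workaround of leaving Always-On off and relying on Automatic VPN Policy. The following audit script is an added example, not code from the thread or from Cisco. It parses an AnyConnect client profile and reports which combination it carries, using element names as they appear in the AnyConnect profile schema (`AutomaticVPNPolicy`, `AlwaysOn`, `ConnectFailurePolicy`, `AllowVPNDisconnect`); the two embedded profiles are constructed samples, and the rule that Open requires Allow VPN Disconnect is taken from the Profile Editor help text quoted in the original post. It assumes an absent `ConnectFailurePolicy` behaves as Closed.

```python
"""Audit an AnyConnect client profile for the Always-On / failure-policy
combination discussed in the thread. Added example, not Cisco's code."""
import xml.etree.ElementTree as ET

# Constructed sample: Always-On with Open failure policy but no AllowVPNDisconnect.
PROFILE_ALWAYS_ON = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open</ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Constructed sample matching the accepted workaround: Always-On off, automatic policy on.
PROFILE_AUTO_ONLY = PROFILE_ALWAYS_ON.replace("<AlwaysOn>true", "<AlwaysOn>false")


def _strip_ns(root):
    """Drop the XML namespace so elements can be found by local name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _flag(elem):
    """Boolean value of an element whose own text is 'true'/'false' (children ignored)."""
    return elem is not None and (elem.text or "").strip().lower() == "true"


def audit_profile(xml_text):
    """Return the relevant settings plus (code, message) findings for the profile."""
    root = _strip_ns(ET.fromstring(xml_text))
    auto = root.find(".//AutomaticVPNPolicy")
    always = root.find(".//AlwaysOn")
    policy_el = root.find(".//ConnectFailurePolicy")
    allow_dc = root.find(".//AllowVPNDisconnect")
    # Assumption: a missing ConnectFailurePolicy behaves as Closed.
    policy = (policy_el.text or "").strip() if policy_el is not None else "Closed"
    result = {
        "automatic_vpn": _flag(auto),
        "always_on": _flag(always),
        "failure_policy": policy,
        "allow_disconnect": _flag(allow_dc),
        "findings": [],
    }
    if result["always_on"]:
        if policy == "Open" and not result["allow_disconnect"]:
            # Dependency stated by the Profile Editor help text quoted in the thread.
            result["findings"].append((
                "OPEN_WITHOUT_ALLOW_DISCONNECT",
                "ConnectFailurePolicy=Open without AllowVPNDisconnect=true"))
        if policy != "Open":
            result["findings"].append((
                "FAILS_CLOSED",
                "Always-On with Closed policy locks all adapters when the VPN cannot be established"))
    elif result["automatic_vpn"]:
        result["findings"].append((
            "AUTO_VPN_NO_ALWAYS_ON",
            "Automatic VPN without Always-On: a failed connection leaves the local network usable"))
    return result


if __name__ == "__main__":
    for name, text in (("always-on", PROFILE_ALWAYS_ON), ("auto-only", PROFILE_AUTO_ONLY)):
        r = audit_profile(text)
        print(name, {k: v for k, v in r.items() if k != "findings"})
        for code, msg in r["findings"]:
            print("  ", code, "-", msg)
```

Run it against the profile XML the Profile Editor exports (or the copy the client caches) to see at a glance whether a failed connection will leave the endpoint locked down; the `FAILS_CLOSED` finding is the case the thread's original poster hit, and `AUTO_VPN_NO_ALWAYS_ON` is the accepted workaround.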