Re: From Dart - the Cient is notified of a Captive Portal, but they ar

anthony pharo · ‎09-27-2023

An end-user is having issues using Cisco Any connect.

Internet accessed blocked when trying to connect my laptop to the WiFi

From Dart

Date : 09/26/2023

Time : 13:16:10

Type : Information

Source : acvpnagent

Description : Function: CNetEnvironment::TestNetEnv

File: c:\temp\build\thehoff\phoenix_mr70.316886046509\phoenix_mr7\vpn\agent\netenvironment.cpp

Line: 473

Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.

******************************************

Date : 09/26/2023

Time : 13:16:20

Type : Information

Source : acvpnagent

Description : Function: CSocketTransport::callbackHandler

File: c:\temp\build\thehoff\phoenix_mr70.316886046509\phoenix_mr7\vpn\common\ipc\sockettransport.cpp

Line: 2169

Invoked Function: ::WSARecv

Return Code: 10058 (0x0000274A)

Description: A request to send or receive data was disallowed because the socket had already been shut down in that direction with a previous shutdown call.

Zero bytes transferred

Date : 09/26/2023

Time : 13:16:20

Type : Error

Source : acvpnagent

Description : Function: CHttpSessionAsync::OnTransportInitiateComplete

File: c:\temp\build\thehoff\phoenix_mr70.316886046509\phoenix_mr7\vpn\common\ip\httpsessionasync.cpp

Line: 1431

Invoked Function: ISocketTransportCB::OnTransportInitiateComplete

Return Code: -31588336 (0xFE1E0010)

Description: SOCKETTRANSPORT_ERROR_TRANSPORT_SHUTDOWN:The socket was shutdown by the operating system or a remote peer.

anthony pharo · ‎09-27-2023

Removed

tlr · ‎10-05-2023

We're having a similar problem and for us it appears to be related to WebView2 version 117.0.2045.xx that is used for the integrated AnyConnect browser to handle captive portals. Earlier WebView2 has worked fine.
We've updated to the latest WebView2 117.0.2045.55 and it go a bit better in that the AnyConnect WebBrowser is still only showing a blank window but after a while a new Edge-window is opened where we can reach the Captive portal. Earlier versions on 117.0 rarely opened an external browser.

This seems to be a WebView-issue becuse if we downgrade our Edge and Webview to earlier versions it works again. But we've also noticed other applications that uses WebView that do work with the version 117.0 so not completely sure.

I'm hoping for a fix from Microsoft on this soon but haven't found any known bugs so not sure if anyone is working on it.
We've update some clients to Anyconnect 4.10.07073 but no improvment on this issue.

Is there anyone else with this problem?

tlr · ‎10-06-2023

Cisco Bug ID: CSCwh75976

Tobias Moritz · ‎10-16-2023

I'm a customer working with Cisco on this issue from the beginning on (before this bug was created) and can update you:

Cisco developers already fixed this issue in a newer AnyConnect / Secure Client build and are currently testing it. Test on our customer side was already successfull.
No release planning or release date yet
There is a workaround, you may want to roll out for your users:
- Download CAB-File of WebView2-Runtime Extended Stable Channel (116.x) https://developer.microsoft.com/de-de/microsoft-edge/webview2/#download-section
- Extract somewhere on the client (e.g. C:\Program Files\WebView2_116)
- Set a GPO to force AnyConnect/SecureClient (only this application) to not use the normal evergreen WebView2 Runtime installed on the client, but the old one you put on it:
  - Path: HKLM\SOFTWARE\Policies\Microsoft\Edge\WebView2\BrowserExecutableFolder
  - Name: acwebhelper.exe
  - Type: REG_SZ
  - Value: Path, where the CAB-Datei was extracted
- This setting is part of MSEdgeWebView2.admx -> Administrative Templates/Microsoft Edge WebView2/Loader Override Settings -> BrowserExecutableFolder
- As usual, you can also set this GPO on HKCU level instead of HKLM if you want to test manually on a client, where you don't have admin priviledges

tlr · ‎10-18-2023

Thanks alot for that info. Our Windows-guys have tested this and it seems to work. They are now planning if and how they should do these changes on all clients.
We opened a TAC-case on this to see if we could get any more details but only got a very cryptical response back from TAC that the "workaround was to use the embedded browser, Ie AnyConnect inbuilt browser".

The info in this thread has helped us to come closer to a proper workaround. Ideally this would be fixed by a newer release of Webview but maybe the problem really is in AnyConnect and therfore need an update from Cisco.

Tobias Moritz · ‎10-18-2023

Thank you

Newer WebView2 version will not fix this. Cisco has to adapt to the API changes and as I wrote, they already did.

The fixed development build of Cisco SecureClient I tested successfully works with WebView2 Stable Channel versions 117 (tested with 117.0.2045.55) and version 118 (tested with 118.0.2088.46) and also with WebView2 Canary Channel version 119 (tested with 119.0.2143.0) and version 120 (tested with 120.0.2160.0).

TCAM · ‎11-07-2023

Hi Tobias - I am testing Cisco Secure Client version 5.0.05040 but WebView2 issue is still no fixed. Just curious, what was the version you tested working> Thanks

Tobias Moritz · ‎11-27-2023

Hi TCAM,

it was an internal development build (internal number does not help you) of something that looks like it will result in 5.0 MR6 when finished. You tested 5.0.05040 and that is 5.0 MR5 and definitly does not contain the fix.

"The fixed release ETA is late November – Early December", so lets see if it comes out in the next weeks.

TCAM · ‎12-14-2023

Thanks for the reply Tobias Moritz.

Will Cisco Secure Client 5.1.0.136 (released on 10.27.23) contain the fix? Is this the 5.0 MR6 release? Where did you find the MR5 or MR6 information? Thanks

Tobias Moritz · ‎12-14-2023

5.1.0.136 does not contain the fix. The first 5.1 version with the fix is 5.1.1.42, as i mentioned. Not tested yet, because not available, but based on the release notes I linked.

The first 5.0 version with the fix is not yet available but will most certain be 5.0.06xxx, while my bet is on 5.0.06032.

MR-numbers are maintenance release numbers and in case of AnyConnect or Secure Client, that is the forth digit from the right in AnyConnect 4.x and SecureClient 5.0 versions. In SecureClient 5.1 the slightly changed the number sheme, but you still recognize it. So

5.0.05040 is 5.0 MR5
5.0.04032 is 5.0 MR4
5.1.0.136 is 5.1 vanilla
5.1.1.42 is 5.1 MR1

Regarding the difference between 5.0 and 5.1? Just read the release notes. The new/changed features are listed there.

tlr · ‎10-19-2023

Ahh. Good to know. Then I will start to prepare to roll out a new AnyConnect-client when it's released.

/tobias

Tobias Moritz · ‎12-14-2023

While CSCwh75976 was not yet updated, the release notes of SC 5.1 lists this bug as fixed for the fresh release 5.1.1.42 since yesterday. Unfortunatly, its not yet available for public download, but I would expect it today or tomorrow, as usually the offset between CCO download availablity and release notes update is very short.

I also expect a fixed 5.0 version very soon. Maybe it will be called 5.0.06032, lets see.

I think they will also offer a fixed AnyConnect 4.10 version, because it gets maintenance until March 31, 2024.

TCAM · ‎12-14-2023

Hi Tobias - Just curious, what are the differences between SC 5.0 vs SC 5.1 ? Thanks

stsargen · ‎12-14-2023

5.1.1.42 is now posted to CCO. I don't think we have any plans to make another 5.0.x.x release. Future fixes will come in the 5.1.1.x release train.

From Dart - the Cient is notified of a Captive Portal, but they are un