How To Clear Cisco Anyconnect Cache


I have an issue with the Cisco AnyConnect Secure Mobility Client, I mean, other than the name of the product is a full friggin sentence. We have many connection profiles and multiple ASAs that can be connected to, which for the common user isn't an issue as it remembers the last connection and only prompts for their password.

Our consultants on the other hand will jump from one to another regularly and though the client has a drop down hinting it remembers previous connections, only the last connection is listed.  They then call me when they are using the wrong one or have forgotten the proper address.  Of course there are no preferences to speak of, just start automatically and the norms.  I'm digging through the registry now, but haven't found much.

Has anyone done this dance?  I'm not getting much from web searches here, so I thought I'd turn to the trusty Spiceworks Community!  Thanks!


22 Replies

ryadical

Have you installed the Cisco Anyconnect profile editor on your computer? Under the "Server List" it looks like you could specify a list of the possible servers to connect to and give them each a different name.

Keegan7139

I have not, thanks for the suggestion.  My network engineer normally handles anything that starts with Cisco :-)

I'll give it a try and see how it goes!

ryadical

The application will let you create an XML configuration file that you can then upload to the ASA through the ASDM interface and then set up your policies to use that config file. It allows you to make a bunch of customizations that you would not be able to make just using the ASDM.

davidmi711

I am unable to download the profile editor. Is there a file that can be edited using a text editor to add the server list? If so, which file?

ryadical

I do not think the file exists by default. I found my file and scrubbed it. Take a look at the bottom of it. "<HostName>" does not mean an actual host name but the name that is displayed to the user. It can be a hostname or something generic like main office vpn. The Host address I supplied below has a port number at the end. The reason I ended up having to create this file in the first place was because I run the vpn on a non-standard port and it would never remember the port without this file. I believe there is a place in the ASDM to upload an anyconnect client profile so save this file with an XML extension and upload it there.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Automatic
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="true">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>REMOTE-VPN</HostName>
      <HostAddress>vpn.mycompany.com:8443</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

ryadical

@Keegan

You never said if you got this working. If you did please let us know. (and choose a best answer :-) )

davidmi711
ryadical

You need to have it turned on, then you go to http://<IPofASA> or https:...

You can enable it with:

http server enable
http <YOUR IP SUBNET> 255.255.255.0 inside

davidmi711
ryadical

See the attached screenshot

davidmi711

I am not an admin for the VPN server so I do not have access to that console. Can the file be placed in the file system and used or does it have to be done from the server?

ryadical

The files are placed on the local computer. I have no idea how it knows which one to open. You will have to do that research. I would recommend opening a new thread as this is going pretty far away from the OPs question.

You could have a look at this page and it might give you some direction: http://brandonjcarroll.com/blog/anyconnect-3-0-client-profiles

SaferNS

OK, so now let's assume that you are not connecting to the same ASA or even the same company every time.  The IPSec client allows me to build a list of connections.  Anyconnect seems to be limited to one connection and it changes the default arbitrarily.  While I understand controlling the connections at the firewall, how do you add connection addresses to the client without building a web page of links for all of the connections (over 30) that I need to remember.  The profile editor is swell for a single company that has a master ASA, but how about for a service provider that has to connect to many networks.  Any ideas?

dylandowns

Hi all, just wanted to share how I sorted this.

1. go to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\

2. create profile.xml file there

3. contents of the file must be as shown below (remove any empty rows you may get from copy paste). You can add as many 'host nodes' to this as you like.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding">
  <ServerList>
    <HostEntry>
      <HostName>VPN1</HostName>
      <HostAddress>VPN1 ADDRESS</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>VPN2</HostName>
      <HostAddress>VPN2 ADDRESS</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Edited Sep 18, 2014 at 23:03 UTC

maartenroset

I was struggling with multiple anyconnect profiles as well.

It would always show me only the last VPN profile, and never did it 'remember' multiple profiles.

What I did was to make sure I get a list of all the available AnyConnect VPN Connections for my customers:

1. Start AnyConnect Client

2. Configure the VPN profile, validate the VPN connection, Disconnect it and close AnyConnect Client.

3. Open Windows Explorer and navigate to the %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

4. The file Anyconnect_General_Users.xml is visible in that folder and contains any VPN details for that specific customer connection.

5. In the serverlist branch, add an entry for each different customer / different VPN profile

<!-- one HostEntry per connection; element names are case-sensitive -->
<HostEntry>
  <HostName>Customer VPN 1</HostName>
  <HostAddress>CustomerHostAddress1.com</HostAddress>
</HostEntry>
<HostEntry>
  <HostName>Customer VPN 2</HostName>
  <HostAddress>CustomerHostAddress2.com</HostAddress>
</HostEntry>

7. IMPORTANT: You will only see the drop-down list if you FIRST end the 'VPNUI.EXE' process in Task Manager (it stays active even after closing the Cisco AnyConnect window)

8. Restart Cisco AnyConnect. You'll now see the drop-down list with all your customer connections.

Now the only remaining wish is to also store and show the Username depending on the VPN connection chosen.
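A hand-edited ServerList is easy to break, because XML element names are case-sensitive and every connection needs its own HostEntry. The following is an added example, not code from this thread or from Cisco: a small linter for the ServerList part of a profile before it is copied to client machines. The `lint_profile` name, the sample host names and the address heuristic (whitespace or a URL scheme means a placeholder was left in) are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.xmlsoap.org/encoding}"      # namespace used by the profiles in this thread
KNOWN = ("HostName", "HostAddress", "UserGroup")  # HostEntry children that appear in this thread

def lint_profile(xml_text):
    """Return a list of problems found in the ServerList of an AnyConnect profile."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != NS + "AnyConnectProfile":
        return [f"unexpected root element {root.tag!r} (missing or wrong xmlns?)"]
    issues, labels = [], set()
    for n, entry in enumerate(root.findall(f"{NS}ServerList/{NS}HostEntry"), 1):
        counts = dict.fromkeys(KNOWN, 0)
        for child in entry:
            name = child.tag.rsplit("}", 1)[-1]   # drop the namespace prefix
            text = (child.text or "").strip()
            fixed = next((k for k in KNOWN if k.lower() == name.lower()), None)
            if fixed is None:
                continue                          # element not covered by this check
            if fixed != name:
                issues.append(f"HostEntry {n}: <{name}> must be spelled <{fixed}>")
                continue
            counts[name] += 1
            if name == "HostName":
                if text in labels:
                    issues.append(f"HostEntry {n}: duplicate display name {text!r}")
                labels.add(text)
            if name == "HostAddress" and (not text or " " in text or "://" in text):
                issues.append(f"HostEntry {n}: HostAddress {text!r} looks like a placeholder or URL")
        for required in ("HostName", "HostAddress"):
            if counts[required] != 1:
                issues.append(f"HostEntry {n}: {counts[required]} <{required}> elements, expected 1")
    return issues

# Constructed sample profiles (hosts are made up for the example)
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding"><ServerList>
  <HostEntry><HostName>Customer A</HostName><HostAddress>vpn-a.example.com:8443</HostAddress></HostEntry>
  <HostEntry><HostName>Customer B</HostName><HostAddress>vpn-b.example.com</HostAddress></HostEntry>
</ServerList></AnyConnectProfile>"""
BAD = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding"><ServerList>
  <HostEntry>
    <Hostname>Customer A</Hostname><HostAddress>vpn-a.example.com</HostAddress>
    <Hostname>Customer B</Hostname><HostAddress>VPN2 ADDRESS</HostAddress>
  </HostEntry>
</ServerList></AnyConnectProfile>"""
```

`lint_profile(GOOD)` returns an empty list; `lint_profile(BAD)` reports the misspelled elements, the doubled-up HostEntry and the leftover placeholder address.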

ryanburtch

This worked perfectly for me on my XP Pro VM.

Just added this file to: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

Thanks Again.

manfredbardy

@ dylandowns: thanks! That works fine - but is there a possibility to add default user names for each host entry?

Brendan Whitby
syedrahman5

Perfect. Thanks for the great post.

Also you can add the username by using the <UserGroup> tag as below.

<ServerList>
       <HostEntry>
            <HostName>Google</HostName>
            <HostAddress>3p01.google.com</HostAddress>
            <UserGroup>Userkin12</UserGroup>
       </HostEntry>

       <HostEntry>
          <HostName>Western Australia</HostName>
          <HostAddress>STR.ASL.wa.gov.au</HostAddress>
          <UserGroup>vpnuser</UserGroup>
       </HostEntry>
 </ServerList>

Jim4935

I do not have a profile folder.  Is this created when you attach to an ASDM that has profiles built?

tasostasouris

Hi there,

No need to edit anything in XML file. Just go to ASDM, AnyConnect Client Profile and edit the profile you are using. Server List is what you want.

Host Display Name: the name you want to appear in drop-down menu

FQDN... : the public IP or URL of your ASA. User Group is an alias if you have different Connection profiles.

Save.

You have to connect once with your current setup to download the new connection profile XML file or just delete it from:

Windows 10
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

That should do it :)

SaferNS

tasostasouris,

You are making the assumption all the connections that need to be managed are on the same ASA.  If you are trying to save 40 connections to 40 different ASAs (i.e. 40 different customer sites), the thought of using ASDM would mean you would have to set up a bogus firewall to manage your VPN connections.


Source: https://community.spiceworks.com/topic/331402-anyconnect-client-doesn-t-remember-previous-connections

Posted by: kellarbesillently.blogspot.com
