Cisco anyconnect management tunnel diagnosis

asked 2020-09-12 16:22:32 +0000

I need to diagnose traffic across Cisco’s AnyConnect Management Tunnel (mgmttun) VPN profile on Windows devices. The AnyConnect mgmttun profile starts automatically as Windows boots up and the network interface opens, prior to a user logging on. This means Windows has a valid network interface open at user login. It also supports the use case of managing a remote user device when no user is logged on.

I followed some good advice from other network pros on www. I use Windows Task Scheduler to start dumpcap at Windows Startup, once a network interface is available. I specify the interface of the Cisco AC virtual NIC. That process seems to work ok and some logs are created.

The issue I need some help on is that I’d like to continue the capture as the user is logging in. When Cisco AC detects that the user VPN profile is starting AC terminates the mgmttun VPN so the user VPN can start. That means there’s a gap of 10 to 20 seconds between the mgmttun ending and the user VPN starting.

dumpcap terminates the capture as the mgmttun VPN ends, and I don’t have enough knowledge of Wireshark or dumpcap to know how to instantiate a capture to start capturing on the new user VPN interface.

Any help or suggestions are greatly appreciated.


Comments

Is the question how to run a script when the new connection comes up: Running Scripts after Connect and Disconnect or what to put in the script with dumpcap?

Chuckc ( 2020-09-12 16:38:18 +0000 )

Ha yes, I should’ve said. That is what my question is about, @Chuckc. I’d love to see a sample script so I can get to understand the ins and outs better.

tomagion.net ( 2020-09-12 18:39:25 +0000 )

The link to your Windows Startup script is missing. Can you use it as a starting point?

Chuckc ( 2020-09-12 19:03:34 +0000 )

This is the XML file export from Windows Task Scheduler that is the equivalent of what I was using on the device I’m interested in. The raw dumpcap command is close to the end of the XML file.

Run Wireshark Dumpcap at Windows boot.xml

    </Triggers>
    <Principals>
      <Principal id="Author">
        <UserId>S-1-5-18</UserId>
        <RunLevel>HighestAvailable</RunLevel>
      </Principal>
    </Principals>
    <Settings>
      <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
      <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
      <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
      <AllowHardTerminate>true</AllowHardTerminate>
      <StartWhenAvailable>false</StartWhenAvailable>
      <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
      <IdleSettings>
        <StopOnIdleEnd>true</StopOnIdleEnd>
        <RestartOnIdle>false</RestartOnIdle>
      </IdleSettings>
      <AllowStartOnDemand>true</AllowStartOnDemand>
      <Enabled>true</Enabled>
      <Hidden>true</Hidden>
      <RunOnlyIfIdle>false</RunOnlyIfIdle>
      <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
      <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
      <WakeToRun>false</WakeToRun>
      <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
      <Priority>7</Priority>
      <RestartOnFailure>
        <Interval>PT1M</Interval>
        <Count>3</Count>
      </RestartOnFailure>
    </Settings>
    <Actions Context="Author">
      <Exec>
        <Command>"C:\Program Files\Wireshark\dumpcap.exe"</Command>
        <Arguments>-i 7 -b filesize:50000 -a files:10 -w c:\captures\ServerName-failover.pcap</Arguments>
      </Exec>
    </Actions>
    </Task>

tomagion.net ( 2020-09-12 21:42:23 +0000 )

C:\Program Files\Wireshark\dumpcap.exe -i 7 -b filesize:50000 -a files:10 -w c:\captures\ServerName-failover.pcap

dumpcap - Dump network traffic

Maybe change the capture name used with -w to differentiate service captures vs OnConnect captures.
The -i option might be tricky. Is the user VPN interface always the same number?
Try dumpcap -D while the VPN is up. Is the text name consistent? Could use that in your script.

Network interface names should match one of the names listed in "dumpcap -D" (described above); a number, as reported by "dumpcap -D", can also be used.
Chuckc ( 2020-09-12 22:19:55 +0000 )
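A worked version of Chuckc's suggestion, written as an added example for this thread (it is not code posted by either participant and not Cisco's or Wireshark's own). It is meant to be launched by AnyConnect's connect hook (the "Running Scripts after Connect and Disconnect" mechanism linked above; the assumption here is that the hook invokes this .ps1, for example through a small OnConnect .bat wrapper). Instead of trusting the fixed interface number 7 from the boot-time task, it parses "dumpcap -D" after the user tunnel is up, picks the adapter by its text name, and starts a capture under a file name that cannot collide with the mgmttun capture. The dumpcap path and capture directory are taken from the thread; the adapter-name substring and the log file name are assumptions you would adjust for your host.

```powershell
# OnConnect-dumpcap.ps1  (added example for this thread; not code from the original posts)
# Launched by AnyConnect once the user tunnel is up. Locates the AnyConnect virtual
# adapter by its text name in "dumpcap -D" output (the number can change between
# boots; the device/name do not) and starts a capture named separately from the
# boot-time mgmttun capture.

$Dumpcap      = 'C:\Program Files\Wireshark\dumpcap.exe'   # path used in the thread
$CaptureDir   = 'C:\captures'                               # directory used in the thread
$AdapterMatch = 'AnyConnect'      # ASSUMPTION: substring of the adapter's friendly name on this host
$LogFile      = Join-Path $CaptureDir 'onconnect-dumpcap.log'   # ASSUMPTION: log file name

function Write-Log([string]$Message) {
    "{0:s} {1}" -f (Get-Date), $Message | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# "dumpcap -D" prints one interface per line in the form
#   <number>. <device> (<friendly name>)
# e.g. "3. \Device\NPF_{...} (Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter)"
# Parse every line into number / device / name so the caller can match on the name.
function ConvertFrom-DumpcapInterfaceList {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$') {
            [pscustomobject]@{
                Number = [int]$Matches[1]
                Device = $Matches[2]
                Name   = $Matches[3]      # $null when dumpcap printed no friendly name
            }
        }
    }
}

# Require exactly one match: zero means the adapter is not up yet, more than one
# means the pattern is too loose, and either case should be logged rather than guessed.
function Select-CaptureInterface {
    param([object[]]$Interfaces, [string]$NamePattern)
    $hits = @($Interfaces | Where-Object { $_.Name -and $_.Name -like "*$NamePattern*" })
    if ($hits.Count -ne 1) {
        Write-Log ("expected exactly one interface matching '{0}', found {1}" -f $NamePattern, $hits.Count)
        return $null
    }
    return $hits[0]
}

if (-not (Test-Path $CaptureDir)) { New-Item -ItemType Directory -Path $CaptureDir | Out-Null }

# Enumerate interfaces now, after the user tunnel is up, rather than relying on "-i 7".
$interfaces = @(ConvertFrom-DumpcapInterfaceList (& $Dumpcap -D))
Write-Log ("dumpcap -D reported {0} interface(s)" -f $interfaces.Count)

$target = Select-CaptureInterface -Interfaces $interfaces -NamePattern $AdapterMatch
if ($null -eq $target) { exit 1 }

# Distinct, timestamped file name so the OnConnect capture never overwrites the boot-time one.
$outFile = Join-Path $CaptureDir ("UserVPN-{0:yyyyMMdd-HHmmss}.pcap" -f (Get-Date))

# Same ring-buffer and autostop settings as the boot-time command; only the interface
# (passed as the \Device\NPF_{...} name, which dumpcap accepts) and output name differ.
$dumpcapArgs = @('-i', $target.Device, '-b', 'filesize:50000', '-a', 'files:10', '-w', "`"$outFile`"")
Write-Log ("starting dumpcap on {0} ({1}) -> {2}" -f $target.Device, $target.Name, $outFile)
Start-Process -FilePath $Dumpcap -ArgumentList $dumpcapArgs -WindowStyle Hidden
```

Two caveats from the thread's own material: this hook only fires once the user tunnel is up, so the 10 to 20 second gap between mgmttun ending and the user VPN starting is only observable by capturing on the physical NIC, not on the AnyConnect adapter; and the boot-time task's `<ExecutionTimeLimit>PT1H</ExecutionTimeLimit>` in the posted XML stops that capture after one hour regardless of tunnel state, so a short-lived mgmttun capture is not necessarily evidence that the tunnel itself dropped.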