Cisco AnyConnect management tunnel diagnosis
I need to diagnose traffic across Cisco's AnyConnect Management Tunnel (mgmttun) VPN profile on Windows devices. The AnyConnect mgmttun profile starts automatically as Windows boots up and the network interface opens, prior to a user logging on. This means Windows has a valid network interface open at user login. It also supports the use case of managing a remote user device when no user is logged on.
I followed some good advice from other network pros on the web. I use Windows Task Scheduler to start dumpcap at Windows startup, once a network interface is available. I specify the interface of the Cisco AC virtual NIC. That process seems to work OK and some logs are created.
The issue I need some help on is that I'd like to continue the capture as the user is logging in. When Cisco AC detects that the user VPN profile is starting, AC terminates the mgmttun VPN so the user VPN can start. That means there's a gap of 10 to 20 seconds between the mgmttun ending and the user VPN starting.
dumpcap terminates the capture as the mgmttun VPN ends, and I don't have enough knowledge of Wireshark or dumpcap to know how to instantiate a capture to start capturing on the new user VPN interface.
Any help or suggestions are greatly appreciated.
Is the question how to run a script when the new connection comes up (Running Scripts after Connect and Disconnect), or what to put in the script with dumpcap?
Ha yes, I should've said. That is what my question is about @Chuckc. I'd love to see a sample script so I can get to understand the ins and outs better.
The link to your Windows Startup script is missing. Can you use it as a starting point?
This is the XML file export from Windows Task Scheduler that is the equivalent of what I was using on the device I'm interested in. The raw dumpcap command is close to the end of the XML file.
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Wireshark\dumpcap.exe"</Command>
      <Arguments>-i 7 -b filesize:50000 -a files:10 -w c:\captures\ServerName-failover.pcap</Arguments>
    </Exec>
  </Actions>
</Task>
C:\Program Files\Wireshark\dumpcap.exe -i 7 -b filesize:50000 -a files:10 -w c:\captures\ServerName-failover.pcap
dumpcap - Dump network traffic
Maybe change the capture name used with -w to differentiate service captures vs OnConnect captures.
The -i option might be tricky. Is the user VPN interface always the same number? Try dumpcap -D while the VPN is up. Is the text name consistent? Could use that in your script.
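A sample OnConnect script along the lines of the answer above, added here as an example rather than anything posted in this thread. It assumes the AnyConnect script mechanism from the linked "Running Scripts after Connect and Disconnect" page, and the dumpcap path, capture directory and the interface-description substring are placeholders to adjust for your machine.

```powershell
# Added example (not from the thread): pick the AnyConnect interface from the
# dumpcap -D listing instead of a hard-coded -i number, then start a capture
# whose filename marks it as an OnConnect capture rather than the service one.
# Assumed values: dumpcap path, capture directory and the substring expected in
# the interface description. Adjust all three before use.

$Dumpcap    = 'C:\Program Files\Wireshark\dumpcap.exe'
$CaptureDir = 'C:\captures'
$NameMatch  = 'Cisco AnyConnect'   # substring to look for in the description

# dumpcap -D prints one line per interface: "<n>. <device> (<description>)"
$lines = & $Dumpcap -D
$match = $lines |
    Where-Object { $_ -match [regex]::Escape($NameMatch) } |
    Select-Object -First 1

if (-not $match) {
    Write-Error "No capture interface matching '$NameMatch' in dumpcap -D output."
    exit 1
}

# Use the device name (second whitespace-separated token) with -i: unlike the
# ordinal number, it does not shift when interfaces are added or removed.
$device = ($match -split '\s+', 3)[1]

# Timestamped filename so consecutive connects do not overwrite each other.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $CaptureDir "OnConnect-$stamp.pcap"

# Same ring-buffer options as the Task Scheduler capture, different filename.
Start-Process -FilePath $Dumpcap -WindowStyle Hidden -ArgumentList @(
    '-i', "`"$device`"",
    '-b', 'filesize:50000',
    '-a', 'files:10',
    '-w', "`"$outFile`""
)
```

Run the script once by hand while the user VPN is up to confirm the description substring actually matches one line of dumpcap -D before relying on it at connect time.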