This is a migrated thread and some comments may be shown as answers.

Fiddler blocking Cisco AnyConnect VPN connection

Ron asked on 11 May 2018, 08:45 PM

I had a user experience this issue. Fiddler was blocking Cisco AnyConnect VPN from running. When the user launched the Cisco AnyConnect client, the error showed as follows:

"The VPN connection is not allowed via a local proxy. This can be changed through AnyConnect profile settings."

The issue was Fiddler being set up to act as a system proxy on startup. To remedy this issue, open Fiddler, go into Tools > Options > Connections tab and uncheck 'Act as system proxy on startup' > click OK > exit and restart Fiddler. You should now be able to connect to Cisco AnyConnect.

If you had Fiddler installed and uninstalled it but still get this error, reinstall Fiddler and follow the instructions above. Once you confirm that you can reconnect to Cisco AnyConnect VPN, uninstall it.

 

6 Answers, 1 is accepted

Alexander
Telerik team
answered on 14 May 2018, 03:54 PM
Hi,

This does not seem to be a Fiddler-related issue, but rather AnyConnect's prohibition of usage of a local proxy. If Fiddler is turned off, there should not be any problem. Also, if Fiddler is uninstalled, it cannot cause the problem anymore; there is no need for reinstallation and unchecking the setting.

Regards,
Alexander
Progress Telerik
greg
answered on 08 Nov 2018, 01:52 AM

I can confirm that AnyConnect does have issues once you enable HTTPS decryption with installed interception certificates. It doesn't always happen, but when it does I immediately open Fiddler, disable HTTPS and remove interception certificates, and it works fine. I suspect that Cisco posturing mode fails when it loads the required x509 certs.

To be clear: I may have had interception certificates installed from a day or two ago. I immediately start up Cisco AnyConnect on bootup and Fiddler is not running. Once I fix my certs, I connect fine and I can immediately reinstall those interception certs and I'm good the rest of the day.

Is there a way I can conditionally exclude certain certs from interception?
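A read-only diagnostic for the two conditions discussed above (a leftover per-user system proxy pointing at the local machine, and Fiddler interception certificates still in the certificate stores), added here as an example and not posted by anyone in the thread. It assumes Fiddler Classic's default certificate naming (`DO_NOT_TRUST_FiddlerRoot`); the function names are hypothetical.

```powershell
# Added example, not from the thread. Read-only: it changes no settings.

function Get-LocalProxyState {
    # Per-user WinINET proxy settings, the ones a "system proxy" tool rewrites.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key
    $server = [string]$s.ProxyServer   # e.g. "host:port" or "http=host:port;https=host:port"

    [pscustomobject]@{
        ProxyEnabled     = ($s.ProxyEnable -eq 1)
        ProxyServer      = $server
        # True when any entry targets the loopback interface, i.e. a local proxy.
        PointsToLoopback = $server -match '(^|[=;/])(127\.0\.0\.1|localhost|\[::1\])(:\d+)?($|;)'
        AutoConfigURL    = [string]$s.AutoConfigURL
    }
}

function Get-FiddlerCertificate {
    # Assumption: Fiddler Classic's default root is named DO_NOT_TRUST_FiddlerRoot
    # and the certificates it generates carry that name as issuer.
    $stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\Root'
    Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' -or
                       $_.Issuer  -like '*DO_NOT_TRUST_FiddlerRoot*' } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter,
                      @{ Name = 'Store'; Expression = { $_.PSParentPath -replace '^.*::', '' } }
}

$proxy = Get-LocalProxyState
$proxy | Format-List

if ($proxy.ProxyEnabled -and $proxy.PointsToLoopback) {
    Write-Warning 'System proxy is enabled and points at this machine.'
}

# The machine-wide WinHTTP proxy is stored separately from the per-user setting.
netsh winhttp show proxy

$certs = @(Get-FiddlerCertificate)
"{0} Fiddler-named certificate(s) found" -f $certs.Count
$certs | Format-Table -AutoSize
```

Run it in the affected user's session before starting AnyConnect; the per-user proxy values and the `CurrentUser` stores differ between accounts.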

 

greg
answered on 08 Nov 2018, 02:01 AM

Here are the logs from AnyConnect; it'll keep failing and either report failure or over and ask for my credentials again. I'm not sure what certificate it's attempting to use yet.

 

11/7/2018
     7:00:43 PM    Ready to connect.
     7:00:44 PM    Automatically selected server: ****REDACTED****
     7:00:44 PM    Contacting ***REDACTED******.
     7:00:45 PM    No valid certificates available for authentication.
     7:00:46 PM    Posture Assessment: Required for access
     7:00:46 PM    Posture Assessment: Checking for updates...
     7:00:46 PM    Posture Assessment: Initiating...
     7:00:49 PM    Posture Assessment: Active
     7:00:49 PM    Posture Assessment: Initiating...
     7:04:19 PM    User credentials entered.
     7:04:19 PM    Hostscan is performing system scan
     7:04:20 PM    Hostscan is performing software scan
     7:04:26 PM    Hostscan state idle
     7:04:27 PM    Hostscan is waiting for the next scan
     7:05:27 PM    Hostscan is performing system scan
     7:05:28 PM    Hostscan is performing software scan
     7:05:34 PM    Hostscan state idle
     7:05:35 PM    Hostscan is waiting for the next scan
     7:06:35 PM    Hostscan is performing system scan
     7:06:36 PM    Hostscan is performing software scan
     7:06:42 PM    Hostscan state idle
     7:06:43 PM    Hostscan is waiting for the next scan
     7:07:44 PM    Hostscan is performing system scan
     7:07:44 PM    Hostscan is performing software scan
     7:07:51 PM    Hostscan state idle
     7:07:52 PM    Hostscan is waiting for the next scan
     7:08:52 PM    Hostscan is performing system scan
     7:08:53 PM    Hostscan is performing software scan
     7:08:59 PM    Hostscan state idle
     7:09:00 PM    Hostscan is waiting for the next scan
     7:10:00 PM    Hostscan is performing system scan
     7:10:01 PM    Hostscan is performing software scan
     7:10:07 PM    Hostscan state idle
     7:10:08 PM    Hostscan is waiting for the next scan
     7:11:09 PM    Hostscan is performing system scan
     7:11:09 PM    Hostscan is performing software scan
     7:11:15 PM    Hostscan state idle
     7:11:16 PM    Hostscan mission complete
     7:26:38 PM    Ready to connect.

greg
answered on 08 Nov 2018, 02:04 AM

Here are the logs from VPN; it'll keep failing and either report failure or over and ask for my credentials again. I'm not sure what certificate it's attempting to use yet.

 

11/7/2018
     7:00:43 PM    Ready to connect.
     7:00:44 PM    Automatically selected server: ****REDACTED****
     7:00:44 PM    Contacting ***REDACTED******.
     7:00:45 PM    No valid certificates available for authentication.
     7:00:46 PM    Posture Assessment: Required for access
     7:00:46 PM    Posture Assessment: Checking for updates...
     7:00:46 PM    Posture Assessment: Initiating...
     7:00:49 PM    Posture Assessment: Active
     7:00:49 PM    Posture Assessment: Initiating...
     7:04:19 PM    User credentials entered.
     7:04:19 PM    Hostscan is performing system scan
     7:04:20 PM    Hostscan is performing software scan
     7:04:26 PM    Hostscan state idle
     7:04:27 PM    Hostscan is waiting for the next scan
     7:05:27 PM    Hostscan is performing system scan
     7:07:51 PM    Hostscan state idle
     7:11:16 PM    Hostscan mission complete
     7:26:38 PM    Ready to connect.

Jenny
answered on 07 Dec 2020, 10:55 AM

It mostly depends on the VPN you use. Do you use any paid or free ones? It's better to use paid, official ones such as ExpressVPN, NordVPN, VeePN or any other. Because as far as I see, you're using a free one, that's why it comes with limited functionality and hence is blocking Cisco.

If you're not sure which VPN to choose, read reviews here https://en.vpnwelt.com/ or from any other trustful resource.

Nick Iliev
Telerik team
answered on 07 Dec 2020, 11:06 AM

Hello everyone,

 

As a side note, the order of execution of Fiddler (or Fiddler Everywhere) alongside Cisco AnyConnect could also have an impact on the proper proxy configuration. For example, check this workflow that is applicable for Fiddler Everywhere.

 

Regards,
Nick Iliev
Progress Telerik
