Cisco AnyConnect Management Tunnel

Environment

MiWorkspace / Windows Platform-as-a-Service

Windows 10 / Windows 11

Issue

The Cisco management tunnel has replaced the functionality of DirectAccess on MiWorkspace/PaaS Windows computers. Like DirectAccess, the Cisco management tunnel is used when the computer is away from campus, but is turned off when the computer is on campus. The Cisco management tunnel starts automatically when the computer starts and no user interaction is required for it to connect. The Cisco management tunnel provides access to campus services such as mapped drives, restricted University websites, and remote access to on-campus servers.

On occasion, there may be a problem with the Cisco management tunnel connection that requires troubleshooting.

Resolution

Below are some tips on how to evaluate the status and re-establish the management tunnel connection. These steps will require admin access.

  1. Make sure the Cisco service is running. 
    1. The service called “Cisco AnyConnect Secure Mobility Agent” (vpnagent is the short name) is set to run automatically at Startup. If this service is not running, there will be no Cisco Management tunnel connection.
    2. Run the Services.msc application and find the service. Each service has a “Status” reported. If the status is “Running”, move to the next step. If it is anything else, get the service running again by starting or restarting it.
    3. You can also evaluate if the service is running by looking at Task Manager in the Details pane. You should find the vpnagent.exe process and see a status there of “Running.”
  2. Make sure the Cisco UI application is not running.
    1. This app is used when connecting to other VPN profiles such as the ITS Special Developer VPN or Michigan Medicine resources using the UMHS SSL VPN.
    2. In Task Manager, this process is named vpnui.exe.
    3. If running, evaluate if the application is being used to connect to one of these other profiles by opening it. If the app says “ready to connect” then it’s not being used for one of the VPN profiles. If the application says “connected to” and lists a profile then it is actively being used and the session needs to be ended. Click Disconnect to end that session.
    4. The best way to exit this application (vpnui.exe) is from the system tray. Right-click the Cisco icon in the system tray and select Quit. This should end the process, but if not, end the process with Task Manager.
  3. Evaluate the Status of the Cisco Connection - screen shot example in this KB
    1. Open a command prompt 
    2. Enter cd "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\"
    3. Run this command: vpncli.exe stats
    4. Do not be fooled by the two lines at the top which say, “state: Disconnected” because this does not mean the management tunnel is disconnected.
    5. Under the [ Connection Information ] find the text that says “Management Connection State” - that is the key line that indicates the status.
      • If it says “Connected” and lists a dns name then it’s working - you’re done
      • If it says “Disconnected” - something is wrong - see more steps below
      • If it says “Connecting” - wait a few seconds and try again - it’s starting up
  4. Restart the Cisco Service
    1. Go to Task Manager, select the Services icon in the left pane, and look for the vpnagent service. Right-click it and select Restart or Start.
    2. Give the computer one to two minutes to restart the service and reconnect to the management tunnel
    3. Go back to Step 3 to evaluate the status and, if it is “Connected”, ensure that functionality is restored.
    4. Typically after the service is restarted the management tunnel should automatically connect within 30-120 seconds, but occasionally it can take five minutes.
    5. If after five minutes the connection is still not restored, reboot the computer and check the management tunnel status at least 1-2 minutes after login.
  5. Windows Explorer Process Hangs
    1. If the management tunnel takes a long time to re-connect, Windows Explorer may hang because it’s trying to reconnect to mapped storage drives.
    2. It’s not recommended to kill the Windows Explorer process except in extreme cases because it will take away your Taskbar and could cause other side effects. 
    3. The best approach is to get the management tunnel restored per the instructions above and then Explorer will eventually catch up.
    4. If Explorer continues to be a problem, a workaround is to open a command prompt (not as admin) and run the following command to remove all drive mappings: net use /d *
    5. Once Windows Explorer returns to normal function and the management tunnel is connected, drive mappings can be restored by using the Helper App’s “Reconnect Network Drives” function or using the gpupdate /force command.
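
Steps 1 through 4 above can be run as one PowerShell script. This is an added example, not part of the original article or a Cisco or ITS tool. It assumes the key line reads "Management Connection State: <value>"; the sample output and the host name vpn.example.edu are constructed for illustration.

```powershell
# Added example: steps 1-4 of this article as one script. Run from an elevated PowerShell.
$Cli = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'  # path from step 3

function Get-MgmtTunnelState {
    param([string[]]$StatsOutput)
    # Only the "Management Connection State" line counts; the generic "state:" lines
    # at the top of the output are ignored (step 3.4).
    # Assumption: the line reads "Management Connection State: <value>".
    foreach ($line in $StatsOutput) {
        if ($line -match 'Management Connection State\s*:\s*(.+)$') { return $Matches[1].Trim() }
    }
    return 'Unknown'
}

# Constructed sample (layout assumed), showing the misleading top lines.
$Sample = @'
  >> state: Disconnected
  >> state: Disconnected
[ Connection Information ]
  Management Connection State: Connected (vpn.example.edu)
'@ -split "`r?`n"
if ((Get-MgmtTunnelState $Sample) -notlike 'Connected*') { throw 'Parser self-check failed' }

if (-not (Test-Path $Cli)) { Write-Warning "vpncli.exe not found at $Cli"; return }

# Step 1: the vpnagent service must be running, or there is no management tunnel.
$svc = Get-Service -Name vpnagent
Write-Host "vpnagent service: $($svc.Status)"

# Step 2: only report vpnui.exe; it may hold an active VPN session the user must disconnect.
if (Get-Process -Name vpnui -ErrorAction SilentlyContinue) {
    Write-Warning 'vpnui.exe is running: disconnect any active profile, then Quit it from the system tray.'
}

# Step 3: read the management tunnel state (a stopped service means no tunnel).
$state = if ($svc.Status -eq 'Running') { Get-MgmtTunnelState (& $Cli stats) } else { 'Disconnected' }

# Step 4: restart the service and poll for up to five minutes ("Connecting" just means wait).
if ($state -notlike 'Connected*') {
    if ($state -notlike 'Connecting*') { Restart-Service -Name vpnagent }
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 15
        $state = Get-MgmtTunnelState (& $Cli stats)
        Write-Host "Management Connection State: $state"
    } while ($state -notlike 'Connected*' -and (Get-Date) -lt $deadline)
}
if ($state -notlike 'Connected*') { Write-Warning 'Still not connected: reboot and re-check 1-2 minutes after login.' }
```

The script deliberately does not end vpnui.exe on its own, because step 2 requires checking whether a VPN profile session is active first.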

Additional Information

The Helper App now reports the Cisco AnyConnect Management Tunnel status. See below:

Image showing how to check for Cisco Management Tunnel Status

Pop-up showing the Cisco Management Tunnel Status

Need additional information or assistance? Contact the ITS Service Center.

Details

Article ID: 9926
Created: Mon 3/27/23 11:09 AM
Modified: Mon 10/2/23 12:49 PM