How does the Cisco AnyConnect VPN Management Tunnel work with Engineering Base Desktop (EBD) systems?

Cisco AnyConnect VPN Management Tunnel Details

On Monday April 29, 2024, all existing Microsoft Windows 10 and Windows 11 Engineering Base Desktop (EBD) systems will be migrating from DirectAccess to the AnyConnect VPN Management Tunnel.

The AnyConnect VPN Management Tunnel provides connectivity to the corporate network whenever the system is powered on, not just when the end user establishes a VPN connection (this applies to the primary VPN profiles as well as any special profiles they may use).  So that the tunnel can be brought up without user interaction, it authenticates with a certificate rather than with user credentials.

This management tunnel gives administrators management access to AnyConnect devices without user intervention.  This facilitates patch management, upgrades, communication with Active Directory domain controllers, access to on-campus MiStorage, Group Policy processing at startup, and automatic Desktop and Documents folder redirection on all remote EBD systems.

This change is being implemented now because the ITS-hosted DirectAccess service will be discontinued in the near future.

Implementation Details

As part of the implementation of the AnyConnect VPN Management Tunnel, a few things will be configured differently after the migration.

As part of this change, the Cisco AnyConnect client will no longer launch as part of the login process.  The client GUI does not need to be running for the AnyConnect VPN Management Tunnel to be active.  If the user manually launches the Cisco AnyConnect client from the Start Menu, the AnyConnect VPN Management Tunnel will be temporarily disconnected, because the client will automatically attempt to connect to a profile that requires user authentication.

There are also user-specific Cisco AnyConnect client preferences that can interfere with the AnyConnect VPN Management Tunnel.  To keep the tunnel functional, these preferences will be reset as part of the rollout, and any changes end users make afterward may not persist.

What if I want to connect using a different VPN profile?

To connect using another VPN profile, launch the Cisco AnyConnect VPN client from the Start Menu.  As soon as you begin connecting with a user-authenticated VPN profile, the AnyConnect VPN Management Tunnel is disconnected.

Because of this, the redirected Desktop and Documents folders may be temporarily unavailable during the user authentication process; they return once the user VPN tunnel is fully established.

Disconnecting from a user-authenticated VPN profile triggers the automatic re-establishment of the management tunnel.

When should I use a profile other than the management tunnel?

The main reason to use a user-authenticated Cisco AnyConnect VPN profile is that certain resources are configured to block traffic arriving over the default (management) tunnel.  This is a very specific use case that does not apply to the vast majority of end users, though some IT administrators may find it useful.

How do I verify a Management Tunnel connection?

To view the status of the management tunnel click the gear icon in the AnyConnect window:

When on an untrusted network you will see the AnyConnect VPN Management Tunnel connected:

When on a campus network you should see the following:

Common Reasons for Disconnection from the AnyConnect VPN Management Tunnel

The system is not connected to the Internet

A system must be connected to the Internet before the AnyConnect VPN Management Tunnel can be established.  Connect to a Wi-Fi or wired network and the AnyConnect VPN Management Tunnel will connect automatically.

The system is on a campus network

The Cisco AnyConnect client can detect when a system is connected to a campus network.  It will not establish the AnyConnect VPN Management Tunnel from a campus network because it is not needed there.

Another VPN is connected

If you are connected to a VPN with the Cisco AnyConnect client, the AnyConnect VPN Management Tunnel stays disconnected until your VPN connection is terminated.

VPN connection in-progress

When you first open the Cisco AnyConnect client it initiates a connection and opens a window to authenticate.  While a connection is in progress like this, the AnyConnect VPN Management Tunnel is disconnected.  Either authenticate and complete the VPN connection to use a VPN, or close the login window to revert to the Management Tunnel.

Waking from sleep or hibernation

If a VPN was connected when the computer went to sleep or hibernated, it may try, and fail, to reconnect on waking.  In this state the Management Tunnel is disconnected.  Either cancel the connection attempt to return to the Management Tunnel, or complete the authentication process to connect to the VPN.
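The status check under "How do I verify a Management Tunnel connection?" and the causes listed above can be triaged from an elevated PowerShell prompt. The script below is an added example written for this article, not CAEN's or Cisco's own tooling. It assumes AnyConnect 4.x default install and profile paths, the vpnagent service name, the vpncli.exe state command, and the AutomaticVPNPolicy/TrustedDNSDomains profile elements used by Trusted Network Detection; adjust these for your build (Cisco Secure Client 5.x uses different paths).

```powershell
# Added example (not part of the original article): triage the common causes of
# an AnyConnect VPN Management Tunnel being down on an EBD system.
# Assumptions: AnyConnect 4.x default paths, service name 'vpnagent',
# 'vpncli.exe state' output format, and TrustedDNSDomains in the XML profile.

$acRoot    = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'
$acProfile = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$vpncli    = Join-Path $acRoot 'vpncli.exe'

function Test-MgmtTunnelPrereqs {
    $report = [ordered]@{}

    # 1. "The system is not connected to the Internet"
    $netProfiles = Get-NetConnectionProfile -ErrorAction SilentlyContinue
    $report.InternetReachable = [bool]($netProfiles | Where-Object {
        $_.IPv4Connectivity -eq 'Internet' -or $_.IPv6Connectivity -eq 'Internet' })

    # 2. "The system is on a campus network": Trusted Network Detection compares the
    #    connection-specific DNS suffix with TrustedDNSDomains from the profile(s);
    #    on a match the client intentionally leaves the management tunnel down.
    $trusted = @()
    Get-ChildItem -Path $acProfile -Filter *.xml -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            [xml]$x = Get-Content -Path $_.FullName
            $doms = $x.AnyConnectProfile.ClientInitialization.AutomaticVPNPolicy.TrustedDNSDomains
            if ($doms) { $trusted += ($doms -split ',') | ForEach-Object { $_.Trim() } }
        }
    $suffixes = (Get-DnsClient | Where-Object ConnectionSpecificSuffix).ConnectionSpecificSuffix
    $report.TrustedDomainsInProfile = ($trusted | Sort-Object -Unique) -join ','
    $report.OnTrustedNetwork = [bool]($suffixes | Where-Object {
        $s = $_; $trusted | Where-Object { $s -like "*$_" } })

    # 3. Certificate-based authentication: the tunnel comes up with no user logged on,
    #    so it needs a valid client-authentication certificate in the MACHINE store.
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku) }
    $report.MachineClientAuthCerts = @($certs).Count

    # 4. The agent service must be running; the GUI itself does not have to be.
    $svc = Get-Service -Name vpnagent -ErrorAction SilentlyContinue
    $report.VpnAgentRunning = [bool]($svc -and $svc.Status -eq 'Running')

    # 5. "Another VPN is connected" / "VPN connection in-progress": any user tunnel or
    #    pending login displaces the management tunnel. vpncli prints ">> state: ..."
    #    lines; the last one is the current user-VPN state.
    if (Test-Path -Path $vpncli) {
        $line = & $vpncli state 2>$null | Select-String -Pattern 'state:' | Select-Object -Last 1
        $report.UserVpnState = if ($line) { ($line.Line -replace '.*state:\s*', '').Trim() } else { 'unknown' }
    }

    [pscustomobject]$report
}

Test-MgmtTunnelPrereqs | Format-List
```

Read the output against the list above: InternetReachable false or OnTrustedNetwork true explains a missing tunnel on its own; MachineClientAuthCerts of 0 means certificate enrollment, not the client, is the problem; a UserVpnState other than Disconnected means a user tunnel or login prompt is holding the management tunnel down until it is cancelled or completed.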

How can I get help if something goes wrong?

Please contact your local IT Manager with any questions, issues, or concerns you may encounter, or feel free to contact CAEN and we will be happy to assist.

Details

Article ID: 12024
Created: Fri 4/26/24 8:26 AM
Modified: Wed 5/1/24 12:12 PM