This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cisco AnyConnect, Stale IP Entries, Driving Up License Count

mhammond
Champion Sweeper

‎12-17-2021 07:44 PM

Hopefully the title/sub-title says it all.

To elaborate:
We utilize 2 VPN software suites in our company, both FortiNET Forticlient and Cisco AnyConnect. AnyConnect users' assets are generating IPs upon connection (as do Forticlient users' assets). But the difference is, while DNS/DHCP records of the Forticlient assets recycle the asset ID and match it appropriately, AnyConnect assets continue to generate separate asset IDs, thereby driving up license counts.

Additionally, and I don't know if this is related to AnyConnect specifically or if it was custom scripting, but AnyConnect Surface tablet users' assets not only generate multiple asset IDs, but also generate pseudo-redirect DNS entries with the prefix of "ON" or "OF" (believed to indicate online or offline), also creating multiple asset IDs.

I have not found a successful way to merge the assets automatically. And with 1000s of users, I don't have the time to go in manually and delete the multiples. I've also tried to find a commonality b/w all the duplicated assets to see if I can add an exception to scanning. There are none.

As much as LS is an impeccable product, I would like to shy away from spending more money to up the asset license to "fix" this.

Has anyone run into this? Is there a fix?
Labels:
0 Kudos
5 REPLIES 5
DanHirschberg
Engaged Sweeper

‎01-10-2022 11:06 PM

Anyone ever wind up with a course of action for this issue?
0 Kudos
fjca
Champion Sweeper II

‎12-21-2021 08:51 PM

Can you check the Mac Address on the VPN adapters on the machines ?
At least in our (pretty standard) Cisco Anyconnect setup, it is always the same,00:05:9A:3C:7A:00 ...
From your description, it seems to be changing MAC's, but why is Lansweeper duplicating clients based on that seems wrong also...

And those DNS prefixes, that also seems odd...is the client doing DNS Dynamic Registration ?
0 Kudos
mhammond
Champion Sweeper
In response to fjca

‎12-22-2021 07:10 PM

fjca wrote:
Can you check the Mac Address on the VPN adapters on the machines ?
At least in our (pretty standard) Cisco Anyconnect setup, it is always the same,00:05:9A:3C:7A:00 ...
From your description, it seems to be changing MAC's, but why is Lansweeper duplicating clients based on that seems wrong also...

And those DNS prefixes, that also seems odd...is the client doing DNS Dynamic Registration ?



I will need to confer with our Network Engineer on that specifically. This was all set up before my time at the company so I'm not sure what was done in the background
0 Kudos
grimstar
Champion Sweeper II

‎12-20-2021 01:51 PM

Cripple.Zero wrote:
Hopefully the title/sub-title says it all.

To elaborate:
We utilize 2 VPN software suites in our company, both FortiNET Forticlient and Cisco AnyConnect. AnyConnect users' assets are generating IPs upon connection (as do Forticlient users' assets). But the difference is, while DNS/DHCP records of the Forticlient assets recycle the asset ID and match it appropriately, AnyConnect assets continue to generate separate asset IDs, thereby driving up license counts.

Additionally, and I don't know if this is related to AnyConnect specifically or if it was custom scripting, but AnyConnect Surface tablet users' assets not only generate multiple asset IDs, but also generate pseudo-redirect DNS entries with the prefix of "ON" or "OF" (believed to indicate online or offline), also creating multiple asset IDs.

I have not found a successful way to merge the assets automatically. And with 1000s of users, I don't have the time to go in manually and delete the multiples. I've also tried to find a commonality b/w all the duplicated assets to see if I can add an exception to scanning. There are none.

As much as LS is an impeccable product, I would like to shy away from spending more money to up the asset license to "fix" this.

Has anyone run into this? Is there a fix?


We also have a combination of FortiClient + AnyConnect in our environment and I just verified we do not have this issue. Are you syncing from any additional sources that need to be noted? Intune? No mac randomization going on anywhere? By psuedo-redirect DNS entries I'm assuming you are saying that they are not actually populating in DNS and are only in Lansweeper? Are you able to replicate it? If so I'd like to know the steps and I can test it out in my environment as well.
0 Kudos
mhammond
Champion Sweeper
In response to grimstar

‎12-22-2021 07:09 PM

RKCar wrote:
Cripple.Zero wrote:
Hopefully the title/sub-title says it all.

To elaborate:
We utilize 2 VPN software suites in our company, both FortiNET Forticlient and Cisco AnyConnect. AnyConnect users' assets are generating IPs upon connection (as do Forticlient users' assets). But the difference is, while DNS/DHCP records of the Forticlient assets recycle the asset ID and match it appropriately, AnyConnect assets continue to generate separate asset IDs, thereby driving up license counts.

Additionally, and I don't know if this is related to AnyConnect specifically or if it was custom scripting, but AnyConnect Surface tablet users' assets not only generate multiple asset IDs, but also generate pseudo-redirect DNS entries with the prefix of "ON" or "OF" (believed to indicate online or offline), also creating multiple asset IDs.

I have not found a successful way to merge the assets automatically. And with 1000s of users, I don't have the time to go in manually and delete the multiples. I've also tried to find a commonality b/w all the duplicated assets to see if I can add an exception to scanning. There are none.

As much as LS is an impeccable product, I would like to shy away from spending more money to up the asset license to "fix" this.

Has anyone run into this? Is there a fix?


We also have a combination of FortiClient + AnyConnect in our environment and I just verified we do not have this issue. Are you syncing from any additional sources that need to be noted? Intune? No mac randomization going on anywhere? By pseudo-redirect DNS entries I'm assuming you are saying that they are not actually populating in DNS and are only in Lansweeper? Are you able to replicate it? If so I'd like to know the steps and I can test it out in my environment as well.


Correct - I wasn't sure how to describe it. When I search "SUR" in LS (we prefix our Surface names as SUR), it comes up with the SUR-names as well as their matched ON or OF entries. So, for example, finding SUR004 in the list, SUR004 is listed, along with ON004, and multiples of OF004. When you click on any of the ON or OF entries, they "change" to the actual name of SUR004 on their own separate asset page. The ON and OF names only show up in LS and not anywhere on the network itself - no IP, no entry, no reference.

It's easy enough to tell that something with AnyConnect is happening, as the IP subnet is ALWAYS the AnyConnect subnet and NEVER the FortiClient in these instances.

As far as your other questions, I will need to confer with our Network Engineer to determine how that was all setup.
0 Kudos

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now