Problem
Users with the AnyConnect Secure Web Gateway (SWG) module may have trouble signing in at some public hotspot locations.
Fix and Recommendations for further troubleshooting
Ensure that you are using AnyConnect version 4.10.05095 (4.10MR5). Captive portal issues are addressed in this version.
However, if the issue persists even after upgrading to 4.10.05095, please reach out to Umbrella Support.
In order to expedite the support process we ask customers to go through the steps below and collect the requested logs before reaching out to Umbrella Support.
1. Configure all security agents installed on your endpoints to exclude AnyConnect binaries and connections, to avoid policy conflicts. TrendMicro and any other security agent need to be configured accordingly.
Refer to the relevant snippet from the AnyConnect release notes below, and make sure the exceptions for AnyConnect are made accordingly.
Configuring Antivirus Applications for AnyConnect.
Applications like antivirus, antimalware, and Intrusion Prevention System (IPS) can misinterpret the behavior of AnyConnect Secure Mobility Client applications as malicious. You can configure exceptions to avoid such misinterpretation. After installing the AnyConnect modules or packages, configure your antivirus software to allow the AnyConnect Installation folder or make security exceptions for the AnyConnect applications. The common directories to exclude are listed below, although the list may not be complete:
• C:\Users\<user>\AppData\Local\Cisco
• C:\ProgramData\Cisco
• C:\Program Files (x86)\Cisco
2. Visit both HTTP (for example, http:
3. If the issue still persists, please collect a DART bundle (max debug enabled), PCAP file (including loopback), and a screen recording (optional) to investigate further.
Details
Captive portal issues can be caused by CSCwb39828, "Captive Portal page didn't open when SWG is enabled for both fail open/fail close". After upgrading to AnyConnect 4.10.05095 or later, no additional configuration or user interaction is necessary.
Some wireless hotspots and other guest networks interrupt Internet access and redirect web traffic to a captive portal (sometimes called a walled garden). AnyConnect SWG versions prior to 4.10.05095 may attempt to send this web traffic to the Umbrella cloud even if Internet access is unavailable, which prevents the system from locally interacting with the captive portal. This local interaction may be required to grant access through authentication, payment, or a click-through agreement page.
Versions Prior to 4.10.05095
Support is limited for captive portals with earlier versions of AnyConnect when using SWG. The following actions of a captive portal will likely make it unreachable to a SWG client:
- Redirecting to, or loading of assets from, a destination outside of the RFC-1918 private IP address space.
- Accepting a TCP handshake for Umbrella proxies on port 80 or 443 and then closing the connection or providing an unexpected response.
As a workaround, add exceptions in the Deployments --> Domain Management --> External Domains & IPs section of the Umbrella Dashboard, for any destination that fails to load. Captive portal behavior is implementation-specific, so the required redirect domain(s) or IP addresses will vary with each hotspot.
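The following added example (not part of the original article or any Cisco tooling) shows one way to turn the RFC-1918 criterion above into a list of exception candidates for External Domains & IPs. It assumes you have already noted each URL the portal loads and the IP address it resolved to, for instance from the PCAP; the function names and the sample data are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# The three RFC 1918 private ranges. ipaddress.is_private is deliberately not
# used: it also matches loopback, link-local and other reserved space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def exception_candidates(observed):
    """observed: iterable of (url, resolved_ip) pairs seen while the portal loads.

    Returns the sorted hosts whose address is outside RFC 1918, i.e. the
    destinations a pre-4.10.05095 SWG client would likely fail to reach.
    """
    candidates = set()
    for url, ip in observed:
        host = urlsplit(url).hostname
        if host is None:
            continue  # not an absolute URL, nothing to list
        if not in_rfc1918(ip):
            candidates.add(host)
    return sorted(candidates)


# Constructed sample: redirect target and assets as they might be read from
# a browser's network tab or a PCAP. Hostnames and addresses are made up
# (documentation ranges), not taken from any real hotspot.
SAMPLE = [
    ("http://192.168.1.1/login", "192.168.1.1"),
    ("https://portal.hotspot.example/splash", "203.0.113.10"),
    ("https://cdn.hotspot.example/logo.png", "198.51.100.7"),
    ("http://172.16.0.5/accept", "172.16.0.5"),
    ("http://gw.hotspot.example/status", "10.0.0.1"),
]

if __name__ == "__main__":
    for host in exception_candidates(SAMPLE):
        print(host)
```

Because captive portal behavior is implementation-specific, the resulting list applies only to the hotspot the capture came from.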