Cisco AnyConnect – Running ‘Logon Scripts / OnConnection Scripts’

KB ID 0001353


I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked. 

After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.

Why would you want to do this? You might want to map/reconnect a mapped drive, or perform anything thats usually acheivable with a login script.


1. First make sure you have your script, I’m using a simple batch file but you can also use .vbs. As you can see my script just maps a drive (s:) to a network share on the machine you are looking at.

Note: I’ve used an IP address rather than a DNS name, there’s nothing wrong with using a DNS name, providing your remote AnyConnect clients are able to resolve that hostname.

Note2: I’m also embedding the username and password in the drive mapping request, This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the server wouldn’t be able to authenticate the request.

AnyConnect Script

2. To ’embed’ this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select ‘Script runs when client connects‘ > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.

ASDM Import AnyConnect Script

3. The script wont run unless scripts are allowed in the VPN Client Profile > Note: You may, or may not already have a client VPN Profile > Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (Or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (If you don’t know, connect with an AnyConnect client, and see what is shown under ‘Group‘) > OK.

ASDM Create AnyConnect Profile

4. Edit your policy.

ASDM Edit AnyConnect Profile

5. Preferences (Part 2) > Tick ‘Enable Scripting‘ > Tick ‘User Controllable‘ (Note: this just lets a user untick enable scripting in their client software) > OK.

ASDM AnyConnect Logon Script

6. Save the changes > Apply > File > Save Running Configuration to Flash.

ASDM Save Changes

Troubleshooting AnyConnect OnConnect / Logon Scripts

If theres a problem (i.e. it does not work.) Your first task is to make sure the client got the script, it saves it in the following location.

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

AnyConnect Script Troubleshooting

Connect your AnyConnect client, then execute each of the commands in the script locally to see why it’s not working.

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On


  1. Will this work with Windows 10?

    Post a Reply
  2. Hi Pete,

    is it possible to import 2 onconnect scripts to the ASA?
    one for windows anyconnect client and one for mac.
    how to make differentiation?
    if windows anyconnect client connects then install windows script.
    if mac anyconnect client connects then install mac script.

    Thx in advance

    Post a Reply
    • TBH I’ve never tried with mac, so I could not comment.

      Post a Reply
  3. Path provided under “Troubleshooting” section (%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect VPN Client\Script) does not match the path shown in the screenshot.
    The path in the screenshot is the correct path…
    %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

    Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *