
Cisco AnyConnect Secure Mobility Client and Cisco ASA

Jazib Frahim, Advanced Services Technical Leader
Omar Santos, Incident Manager and Technical Leader, PSIRT

Introduction and Design Considerations

IPSec or SSL VPN? Differences

Feature         | IPSec                                                                                      | Clientless SSL VPN
----------------|--------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------
Client Software | Uses Cisco VPN Client software for complete network access.                                | Uses a standard web browser to access limited corporate network resources and eliminates the need for separate client software.
Management      | You must install and configure the Cisco VPN client.                                       | You do not need to install a VPN client. No configuration is required on the client machine.
Encryption      | Uses a variety of encryption and hashing algorithms such as DES, 3DES, AES, SHA and MD5.   | Uses the SSL encryption native to web browsers.
Applications    | Encapsulates all IP protocols, including TCP, UDP and ICMP.                                | Supports limited TCP-based client/server applications in clientless mode. Note: the AnyConnect client can encapsulate all IP protocols.

IPSec or SSL VPN? Differences (cont.)

Feature          | IPSec                                                  | SSL VPN
-----------------|--------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------
Cost             | Free license.                                          | Must purchase a license. Many different types of licenses: AnyConnect Essentials, AnyConnect Premium, AnyConnect Mobile, SSL Shared Premium.
User Environment | Suited for permanent or full-time telecommuters.       | Suited for all types of users, including contractors, temp workers or even full-time workers.
Connectivity     | Establishes a seamless connection to the network.      | Supports application connectivity through the browser portal.

SSL VPN Introduction

Three access modes:
Clientless: basic web access, e-mail access, CIFS access, customized user screen.
Thin-Client: port redirection for TCP applications only; smart tunnel.
Client-Based: full SSL tunnel with AnyConnect (SVC) and CSD.

AnyConnect

AnyConnect New Features in 3.0

Network Access Manager (replacement for CSSC)
Telemetry
Host Scan
Web Security (ScanSafe integration)
IPsec IKEv2
DART enhancements
Windows Services Lockdown
Software and Profile Locks

Note: You can deploy the Web Security module and benefit from the ScanSafe web scanning services without having to install an ASA and without enabling the VPN capabilities of the AnyConnect Secure Mobility Client.

AnyConnect 3.0 Operating System Support (Windows, Mac, Linux)

Capabilities:
Enhanced user interface
IPsec (IKEv2) and SSL (TLS and DTLS)
Network Access Manager
Web Security for ScanSafe
Integrated posture (Host Scan)
Integrated diagnostics and reporting
Pre-install
Web-deploy and upgrade

AnyConnect Main Screen in 3.0

2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

iPad & iPhones

AnyConnect Client Mobile Device Support
Mobile device support does not include the new features in 3.0. The latest iPhone/iPad client is based on 2.4.x code.

AnyConnect Client Mobile Device Support (cont.)
iPad: detailed statistics and diagnostics information that is useful for troubleshooting.

Cisco AnyConnect VPN Client Deployment

Web-based
Pre-deploy (standalone client)

Web-Deploy Packages
All supported OS Web-Deploy packages contain the following:
headinfo.txt - OS definition and XML file sizes
pkgversion.xml - version info
VPNManifest.xml - package module contents
Profile schema files for the Profile Editor
ServiceProfileManifest.xml - profile info for head-end and downloader
Binaries (binaries\): anyconnect and optional module installers (vary with OS); anyconnectprof.sgz (profile editor); vpndownloader.exe (downloader); update.txt (build version)
Files for web-launch presentation: images\, locale\ (Windows only), profile\ (Mac & Linux)
Web-Deploy .pkg files are zip files with a .pkg extension and can be opened and viewed using WinZip.

Pre-Deploy Package Contents

Windows
anyconnect-NGC-win-3.0.xxxx-k9.iso
anyconnect-dart-win-3.0.xxxx-k9.msi
anyconnect-gina-win-3.0.xxxx-pre-deploy-k9.msi
anyconnect-nam-win-3.0.xxxx-k9.msi
anyconnect-posture-win-3.0.xxxx-pre-deploy-k9.msi
anyconnect-telemetry-win-3.0.xxxx-pre-deploy-k9.msi
anyconnect-win-3.0.xxxx-pre-deploy-k9.msi
Setup.exe
setup.hta - pre-deploy installer utility code
update.txt - build version
autorun.inf
GUI.ico
cues_bg.jpg

Pre-Deploy Package Contents (cont.)

Mac OS X (darwin-intel)
vpn.pkg - main AnyConnect VPN installer package
csd.pkg - Cisco Secure Desktop package
dart.pkg - Diagnostics and Reporting Tool (DART), used to collect data useful for troubleshooting AnyConnect installation and connection problems

Linux
ciscovpn - main AnyConnect VPN installer binary
csd-3.0.x - Cisco Secure Desktop package (not supported on Linux-64)
dart - DART binary

AnyConnect Essentials
AnyConnect Essentials is a separately licensed SSL VPN client,
entirely configured on the Cisco ASA, that provides the full
AnyConnect capability, with the following exceptions:
No CSD (including HostScan/Vault/Cache Cleaner)
No clientless SSL VPN
Optional Mobile Support
ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License

CLI:

webvpn
anyconnect-essentials

AnyConnect User XML Profile

The AnyConnect client uses an XML file for user profiles and configuration settings.
On Windows machines the profile template is stored in Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
On non-Windows machines the location is /opt/cisco/vpn/profile/AnyConnectProfile.tmpl
The profile may be validated against the AnyConnectProfile.xsd file, which is installed with the client.
On Windows the user preferences are stored in Documents and Settings\<user>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml

AnyConnect 3.0 Profile Editor


Simplifies the act of creating valid client profiles for various
AnyConnect components.
In AnyConnect 2.5, there was just one AnyConnect component
(VPN) that could be configured using an ASDM-integrated
Profile Editor.
In AnyConnect 3.0, there are four AnyConnect components
that can be configured using the Profile Editor:
1. VPN
2. NAM (Network Access Manager)
3. Web Security (ScanSafe)
4. Telemetry

AnyConnect Installation Issues

Logging on Windows uses the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client. You can save the Cisco AnyConnect VPN Client log from the Event Viewer in .evt format.
Linux location: /var/log/messages
Mac location: /var/log/system.log
NOTE: More tips are included in the Appendix.

Event Viewer
An Example of How Windows Event Viewer Looks

Uninstalling AnyConnect
Uninstall of AnyConnect Core is not supported via Web-Deploy; the Pre-Deploy uninstall must be used.
Optional components are effectively uninstalled when an upgrade of AnyConnect Core removes the Plugins\ directory and its contents, which removes the optional component functionality.

AnyConnect Client GUI Statistics

The Export Stats Saves the Information on the Statistics Screen, Along
with Other Connection Information, to a Text File for Troubleshooting

Configuration and Basic Troubleshooting

Topology: Example 1 (figure)
Client (AnyConnect) on the Internet.
ASA outside interface: 209.165.200.225 on 209.165.200.224/27.
ASA inside interface: 10.10.10.254 on 10.10.10.0/24 (corporate network).
ASA management interface: 192.168.1.254 on 192.168.1.0/24 (management via ASDM).

AnyConnect VPN Wizard

1. Select the AnyConnect VPN Wizard.
2. Click Next to start the wizard.
3. Enter the connection profile name and select the interface where VPN clients will connect.
4. Select the AnyConnect image to be used. You can also select the operating system of the client, to give the user the option to select the AnyConnect image that is appropriate for his or her environment.
5. Select the authentication method. In this example LOCAL authentication is used, with the user user1.
6. Create an IPv4 (or IPv6) address pool.
7. Enter the DNS and WINS servers and the domain name to be used.
8. If NAT is being used, this step allows you to create a NAT exemption rule (to bypass NAT for VPN traffic).
9. Click Next to advance to the summary of the configuration changes that will be applied.
10. Review the summary of everything that will be configured (as per your entries in the previous steps).

AnyConnect Connection Profiles

After the changes are applied to the ASA you can see the new connection profile under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles.

AnyConnect VPN Config in the CLI


webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_my-connection-profile internal
group-policy GroupPolicy_my-connection-profile attributes
wins-server value 10.10.10.123
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
default-domain value cisco.com
username user1 password 08S9WUsiSMr3RauN encrypted
tunnel-group my-connection-profile type remote-access
tunnel-group my-connection-profile general-attributes
address-pool my-pool
default-group-policy GroupPolicy_my-connection-profile
tunnel-group my-connection-profile webvpn-attributes
group-alias my-connection-profile enable

AnyConnect Statistics After Connection

AnyConnect Route Details

AnyConnect Message History

Case Study: Authentication Problems

Problem Summary
A user calls your VPN support staff and complains that his AnyConnect VPN connection is not working! What can you do to troubleshoot?

Problem Summary
First, let's take a look at some commands you can use:

show vpn-sessiondb anyconnect filter p-ipaddress 100.1.1.1
debug webvpn anyconnect
debug aaa common

debug webvpn anyconnect 255 (successful authentication)
ciscoasa# webvpn_rx_data_tunnel_connect
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: 209.165.200.225'
Processing CSTP header line: 'Host: 209.165.200.225'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.0.0629'
<output omitted>
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 10.10.20.1/255.255.255.0
webvpn_cstp_accept_ipv6_address: No IPv6 Address
CSTP state = HAVE_ADDRESS
<output omitted>
SVC: adding to sessmgmt
SVC: Sending response
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
vpn_put_uauth success!
CSTP state = CONNECTED

debug aaa common (bad communication to server)

radius mkreq: 0x19
alloc_rip 0xcbeb5d00
new request 0x19 --> 20 (0xcbeb5d00)
got user 'user1'
got password
add_req 0xcbeb5d00 session 0x19 id 20
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
-------------------------------------
Raw packet data (length = 63).....
01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1  |  ...?....._.u.{..
d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87  |  .WD-..user1..^1.
3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a  |  =.........L.x...
0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05     |  .........=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 63 (0x003F)
Radius: Vector: B20380B9FE5FAC750A7B98F1D657442D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                   |  user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
5e 31 87 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78  |  ^1.=.........L.x
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.10.10.254 (0x0A0A0AFE)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.18.104.83/1645
RADIUS_SENT:server response timeout
callback_aaa_task: status = -2, msg =
RADIUS_DELETE
remove_req 0xcbeb5d00 session 0x19 id 20
free_rip 0xcbeb5d00
radius: send queue empty

debug aaa common (there is still a problem!)

We fixed the previous problem: the Cisco ASA had the wrong IP address for the AAA server. The correct IP address is 172.18.118.206, not 172.18.104.83. However, authentication is still not successful. What is the problem?
<output omitted for brevity>
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.18.118.206/1645
fail request 0x1c (172.18.118.206 failed)
callback_aaa_task: status = -2, msg =
RADIUS_DELETE
remove_req 0xcbeb5d00 session 0x1c id 23
free_rip 0xcbeb5d00
radius: send queue empty

What Was the Problem?

The AAA server did not have the correct NAS (AAA client) address for the ASA: it had 10.10.10.54 instead of 10.10.10.254. A RADIUS server identifies the AAA client by the source address of the request and uses that client entry's shared secret, so a request arriving from an address it does not know is not accepted even when the user's credentials are correct. Compare the NAS-IP-Address attribute in the debug output (10.10.10.254) with the AAA client entry on the server.

You can also use the show aaa-server command to view statistics on AAA transactions:

asa# show aaa-server my-radius
Server Group:    my-radius
Server Protocol: radius
Server Address:  172.18.118.206
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at 11:49:09 UTC Mon May 23 2011
Number of pending requests          0
Average round trip time             0ms
Number of authentication requests   11
Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           0
Number of accepts                   1
Number of rejects                   5
Number of challenges                0
Number of malformed responses       0
Number of bad authenticators        0
Number of timeouts                  5
Number of unrecognized responses    0
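The Access-Request dumped by debug aaa common in this case study is plain RFC 2865 and can be decoded offline. The following is an added example (not part of the original deck and not Cisco code) that parses that exact 63-byte dump, names the attributes the debug labels, and implements the RFC 2865 User-Password hiding so you can see why the server needs the shared secret bound to the NAS entry before it can check anything. The shared secret and cleartext password used for the round trip at the bottom are made up for the example; they cannot be recovered from the capture.

```python
"""Decode the RADIUS Access-Request shown in the `debug aaa common` output.

Added example (not from the deck, not Cisco code). Parses the 63-byte hex dump
printed by the ASA and implements the RFC 2865 User-Password hiding so the
reader can see what the AAA server needs in order to check the credential.
"""
import hashlib
import ipaddress
import struct

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

# Raw packet data exactly as printed by `debug aaa common` on this page.
DEBUG_DUMP = """
01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1
d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87
3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a
0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05
"""


def decode_value(atype: int, value: bytes):
    """Render an attribute value the way the ASA debug does."""
    if atype == 1:                       # User-Name: text
        return value.decode("utf-8", "replace")
    if atype == 4:                       # NAS-IP-Address: IPv4
        return str(ipaddress.IPv4Address(value))
    if atype in (5, 61):                 # NAS-Port, NAS-Port-Type: 32-bit integer
        return struct.unpack("!I", value)[0]
    return value.hex()                   # User-Password and anything else: opaque


def parse_radius(raw: bytes) -> dict:
    """Parse the RADIUS header and attribute TLVs, rejecting bad lengths."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} != {len(raw)} bytes received")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute length at offset {pos}")
        value = raw[pos + 2:pos + alen]
        attrs.append((atype, ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      decode_value(atype, value)))
        pos += alen
    return {"code": code, "code_name": CODE_NAMES.get(code, "Unknown"),
            "id": ident, "length": length,
            "authenticator": raw[4:20].hex(), "attrs": attrs}


def attr(pkt: dict, name: str):
    """First value of the named attribute, or None if absent."""
    return next((v for _, n, v in pkt["attrs"] if n == name), None)


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    pkt = parse_radius(bytes.fromhex(DEBUG_DUMP))
    print(f"{pkt['code_name']} id={pkt['id']} len={pkt['length']} "
          f"authenticator={pkt['authenticator']}")
    for _, name, value in pkt["attrs"]:
        print(f"  {name}: {value}")
    # Constructed secret and password (not recoverable from the capture):
    auth = bytes.fromhex(pkt["authenticator"])
    hidden = hide_password(b"example-shared-secret", auth, b"correct horse")
    print("server with right secret:", reveal_password(b"example-shared-secret", auth, hidden))
    print("server with wrong secret:", reveal_password(b"typo-secret", auth, hidden))
```

Two things fall out of running it. First, the request carries NAS-IP-Address 10.10.10.254, the ASA inside address, which is also the UDP source address the server uses to find its AAA client entry and shared secret; an entry keyed on 10.10.10.54 never matches, so the request is not answered or is rejected, exactly the fail request line in the debug. Second, User-Password is opaque in the capture because the hiding is keyed by the shared secret; with the wrong secret the server recovers garbage and rejects the user, which is the other thing to check when the NAS entry looks right but rejects keep climbing in show aaa-server.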

Case Study: User Connects But Cannot Pass Traffic

Problem Summary
The user is able to authenticate but cannot pass traffic. What can you do to troubleshoot?

AnyConnect Route Details

AnyConnect Statistics After Connection

Routing Problem? (figure)
VPN pool 10.10.20.0/24; client (AnyConnect) on the Internet; ASA outside interface; ASA inside interface .254 towards the corporate network, where the internal router asks "Where is 10.10.20.x?".
The internal router must have a route for the VPN IP address pool (10.10.20.0/24) pointing at the ASA inside interface.

ACL Bypass Problem?

By default the ASA lets decrypted VPN traffic bypass the interface access lists (sysopt connection permit-vpn). You can require an access rule to apply to the VPN users' local (assigned) IP addresses by unchecking the bypass check box in ASDM, which is equivalent to the CLI setting below. The access rule is then evaluated against the assigned pool IP address, not the original client IP address used before the VPN packet was decrypted, so a rule written for the client's public address will never match. Per-group or per-user filtering of VPN traffic can also be done with a vpn-filter ACL in the group policy, which is applied regardless of this setting.

ciscoasa# show run sysopt
no sysopt connection permit-vpn

Overview of Network Access Manager (NAM)

AnyConnect 3.0 Network Access Manager: Highlights
Intelligently detects and selects the best layer 2 access network(s).
Automatically connects to configured networks and automates the user experience. Wired is preferred over Wi-Fi in automatic mode; override with manual mode.
One connection at a time: all other connections are blocked.
Post-connection script launch: the script runs in the user's context and can be defined by the admin or by the user (if allowed).
Enterprise-class server validation: multiple validation rules per connection.
Remote desktop support: extends the user connection beyond logoff.

AnyConnect 3.0 Network Access Manager: User Interface
Network tile: available when NAM is installed, inactive when the service is disabled.
Network selection (combo) box: configured networks (bold face), scan list, signal strength and security indicators; allows the user to add new network profiles; connection mode automatic vs. manual override.
Network state information: indicates authentication progress; the connected state shows the IP address.
Disable Wi-Fi button: turns the radio off (transmit power is set to zero).

Network Access Manager Configuration

Supports these main features:
Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters
Pre-login authentication using Windows machine credentials
Single sign-on user authentication using Windows logon credentials
Simplified and easy-to-use IEEE 802.1X configuration
IEEE MACsec wired encryption and enterprise policy control
EAP methods: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS and LEAP (EAP-MD5, EAP-GTC and EAP-MSCHAPv2 for IEEE 802.3 wired only)

NAM Statistics

Message History

Main Status Overview Screen

IKEv2 Support

IPsec IKEv2 Support

IKEv2 support uses Cisco's IKEv2 implementation:
The IKEv2 toolkit is common to the client, the ASA and IOS
Standards-based implementation, with a few extensions (fragmentation, redirect)
Same authentication methods as previously supported with SSL VPN
Uses a proprietary EAP method (AnyConnect EAP)
Some AnyConnect features require a parallel SSL connection: CSD HostScan, profile updates, language/customization, application upgrades, SCEP

Not Supported in IKEv2


Windows 7 IKEv2 client or any other 3rd-party IKEv2 client
HW client support for IKEv2 (5505 as a head-end/Secure Gateway using
IKEv2 is supported)
Pre-shared-key authentication for client or server
IKEv2 encryption for load-balancing link to other ASAs
cTCP, L2TP
Re-authentication
Peer ID check
Compression/IPcomp
NAC
3rd party firewall configuration
IPv6 (any form of IPv6 that is, IPV6-over-IPv4, IPv6-over-IPv6,etc)

Quick Configuration Notes

New IKEv2 policies:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

Group 2 is 1024-bit Diffie-Hellman; use the strongest group that both the ASA release and the client support.

Quick Configuration Notes (cont.)

Other IKEv2-specific commands:

crypto ikev2 remote-access trust-point my-ikev2-trustpoint
crypto ikev2 enable outside
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-sa 100

Under the tunnel-group ipsec-attributes:

ikev2 remote-authentication certificate my-ikev2-trustpoint

More Configuration Tips and Examples at:


http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html

IKEv2 Debug Commands


debug crypto ikev2 platform
Debugs ASA processing of IKEv2, not protocol specific exchanges.
This debug is useful for AAA and session management issues. Also to
troubleshoot the ASA cryptographic module performing encryption and
decryption.
debug crypto ikev2 protocol
Debugs IKEv2 protocol specific exchanges.
debug crypto ikev2 timer
Debugs IKEv2 timer expiration. Useful when clients are complaining that
their connection is being timed-out too often.

Note: debug crypto ike-common can be used for both IKEv1 and IKEv2

Using DART

Using DART to Gather Troubleshooting Info

DART is the AnyConnect Diagnostics and Reporting Tool that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems.
To launch DART, go to the Status Overview tab and click Diagnostics.

DART Wizard
Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information, and DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard lets you specify where the bundle is written and which files to include. The bundle contains the client profile, preferences and complete logs, so treat it as sensitive when sending it to support.

DART Wizard (continued)

DART Bundle Files

DART BUNDLE SUMMARY
Username:                   unknown (user is offline, or username was not specified in Request)
Time:                       Tue Apr 05 17:12:17 2011
OS:                         Win7 : WinNT 6.1.7600
OS username:                omar
Upload URL:                 None (offline mode)
DART Mode:                  User-Initiated/Offline Mode
Bundle on client computer:  C:\Users\omar\Desktop\DARTBundle_0405_1353.zip

Cisco AnyConnect Secure Mobility Client:
Files Included in Bundle:

ID                 | Filename                                                         | Description                                                       | Truncate? | Final Size | Orig. Size
-------------------|------------------------------------------------------------------|-------------------------------------------------------------------|-----------|------------|-----------
ac-install         | update_pre3.0.txt                                                | AnyConnect install logs. Includes web and standalone install logs | No        | 10 bytes   | 10 bytes
ac-install         | anyconnect-win-2.3.0254-web-deploy-k9-install-22203701062010.log | AnyConnect install logs. Includes web and standalone install logs | No        | 322.35K    | 322.35K
ac-install         | update.txt                                                       | AnyConnect install logs. Includes web and standalone install logs | No        | 10 bytes   | 10 bytes
ac-install         | VPNManifest.dat                                                  | AnyConnect install logs. Includes web and standalone install logs | No        | 181 bytes  | 181 bytes
ac-install         | AnyConnectLocalPolicy.xml                                        | AnyConnect install logs. Includes web and standalone install logs | No        | 589 bytes  | 589 bytes
ac-install         | UpdateHistory_20110405_124400_log.txt                            | AnyConnect install logs. Includes web and standalone install logs | No        | 705 bytes  | 705 bytes
ac-logs            | AnyConnect_pre3.0.txt                                            | AnyConnect application logs                                       | No        | 3.62M      | 3.62M
ac-logs            | AnyConnect.txt                                                   | AnyConnect application logs                                       | No        | 227.40K    | 227.40K
ac-logs            | AnyConnect.evtx                                                  | AnyConnect application logs                                       | No        | 1.06M      | 1.06M
ac-profile         | CALO.xml                                                         | AnyConnect Profile                                                | No        | 1.46K      | 1.46K
ac-profile         | AnyConnectProfile.xsd                                            | AnyConnect Profile                                                | No        | 93.22K     | 93.22K
global-preferences | preferences_global.xml                                           | AnyConnect Global Preferences                                     | No        | 546 bytes  | 546 bytes
user-preferences   | preferences.xml                                                  | AnyConnect User Preferences                                       | No        | 590 bytes  | 590 bytes
va-runtime         | setupapi.app.log                                                 | Virtual Adapter runtime logs                                      | No        | 320.88K    | 320.88K
va-runtime         | setupapi.dev.log                                                 | Virtual Adapter runtime logs                                      | No        | 9.70M      | 9.70M

(many more files follow in a real bundle)

Troubleshooting
Split Tunneling

Split Tunneling Introduction


Split tunneling lets you specify that certain data traffic is encrypted, while the
remainder is sent in the clear (unencrypted). Split-tunneling network lists
distinguish networks that require traffic to go through the tunnel from those that
do not require tunneling. The ASA makes split-tunneling decisions based on a
network list, which is an ACL consisting of a list of addresses on the private
network.

Troubleshooting Split Tunneling

Step 1. Ask the user to open Route Details and check whether the split-tunneling list/routes are present.
Step 2. If the user's client does not have the correct routes, check that the ASA has the correct access list for split tunneling for the group the user is connecting to (split-tunnel-policy and split-tunnel-network-list in the group policy).
Step 3. Enable debug webvpn svc <1-255> (debug webvpn anyconnect on releases that use the AnyConnect keyword) and look for the following messages:
SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1
If you see those messages, the split tunneling information is NOT being sent to the client.
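The three steps above can be checked from the ASA side without touching the client. The following is an added example (not part of the deck and not Cisco tooling) that reads the split-tunnel policy and network list out of running-config text, derives the secured routes the client's Route Details should list, classifies destinations under all three ASA split-tunnel policies (the deck only shows tunnelspecified), and scans debug output for the SVC ACL Name: NULL symptom. The config, ACL name SPLIT-TUNNEL and debug lines are constructed for the example; only the group-policy name comes from the configuration on this page.

```python
"""Sanity-check split tunneling from the ASA side.

Added example (not from the deck, not Cisco tooling). Reads the split-tunnel
settings out of running-config text, derives the secured routes the client's
Route Details should show, classifies destinations, and scans
`debug webvpn anyconnect` output for the "SVC ACL Name: NULL" symptom.
The config and debug lines below are constructed for the example.
"""
import ipaddress
import re

CONFIG = """\
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 192.168.1.254
group-policy GroupPolicy_my-connection-profile internal
group-policy GroupPolicy_my-connection-profile attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
"""

BAD_DEBUG = """\
SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1
"""

# Standard ACL entry: "permit host A.B.C.D", "permit NET MASK" or "permit any".
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\S+)"
    r"|(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<any>any4|any))\s*$")


def split_tunnel_settings(config: str, group_policy: str) -> dict:
    """Split-tunnel policy and network-list name from one group-policy block."""
    settings = {"policy": "tunnelall", "acl": None}   # ASA defaults when unset
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):                  # top-level command
            in_block = line.split() == ["group-policy", group_policy, "attributes"]
            continue
        if not in_block:
            continue
        words = line.split()
        if words[:1] == ["split-tunnel-policy"] and len(words) == 2:
            settings["policy"] = words[1]
        elif words[:2] == ["split-tunnel-network-list", "value"] and len(words) == 3:
            settings["acl"] = words[2]
    return settings


def secured_networks(config: str, acl_name: str) -> list:
    """Permit entries of the split-tunnel standard ACL, i.e. what the client
    receives as its secured route list (deny entries are ignored here)."""
    nets = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group("acl") != acl_name or m.group("action") != "permit":
            continue
        if m.group("host"):
            nets.append(ipaddress.ip_network(m.group("host") + "/32"))
        elif m.group("any"):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}",
                                             strict=False))
    return nets


def traffic_path(policy: str, nets: list, dst: str) -> str:
    """Where a packet to dst goes: 'tunnel' (encrypted) or 'clear'."""
    d = ipaddress.ip_address(dst)
    listed = any(d in n for n in nets)
    if policy == "tunnelall":
        return "tunnel"
    if policy == "tunnelspecified":
        return "tunnel" if listed else "clear"
    if policy == "excludespecified":
        return "clear" if listed else "tunnel"
    raise ValueError(f"unknown split-tunnel policy {policy!r}")


def split_tunnel_problem(debug_output: str):
    """The symptom line if the ASA sent no split-tunnel ACL to the client, else None."""
    for line in debug_output.splitlines():
        if re.match(r"^SVC ACL Name:\s*NULL\s*$", line):
            return line.strip()
    return None


if __name__ == "__main__":
    s = split_tunnel_settings(CONFIG, "GroupPolicy_my-connection-profile")
    nets = secured_networks(CONFIG, s["acl"]) if s["acl"] else []
    print("policy:", s["policy"], "secured routes:", [str(n) for n in nets])
    for dst in ("10.10.10.5", "192.168.1.254", "8.8.8.8"):
        print(f"  {dst:15} -> {traffic_path(s['policy'], nets, dst)}")
    print("debug symptom:", split_tunnel_problem(BAD_DEBUG))
```

If split_tunnel_settings reports tunnelall or an empty acl for the group the user actually lands in, the client will never receive a route list, which is precisely what the NULL/-1 lines in the debug show; check the group alias and default-group-policy in the tunnel-group before blaming the ACL.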

Troubleshooting Trusted Network Detection

Identity Traversal Via Existing Network (figure)
Cisco SaaS Access Control: SaaS single sign-on for remote and internal users, threat protection, data loss prevention, anti-phishing, visibility via unified reporting, anywhere/any-device connectivity, user authentication and access control, web single sign-on for SaaS apps, SaaS security.

Always On Security with ScanSafe, new in AnyConnect 3.0 (figure)
The AnyConnect Secure Mobility Client sends Internet-bound web communications to ScanSafe and internal communications through the VPN.

Persistent Security and Policy Enforcement (figure)
Always-On VPN (admin configurable), Trusted Network Detection and user identity. From the untrusted network the user authenticates to the ASA; the ASA hands authentication off to the Cisco Web Security Appliance (WSA, reached via WCCP) for SSO, backed by corporate AD. Features: optimal head-end auto-detect, identity- and location-aware policy enforcement, transparent (certificate) authentication, location-aware reporting, enterprise SaaS access.

Trusted Network Detection

AnyConnect automatically disconnects a VPN connection when the user is inside the corporate network (the trusted network) and starts the VPN connection when the user is outside the corporate network (the untrusted network).
This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network.

NOTE: Because the TND feature controls the AnyConnect client GUI and automatically initiates connections, the GUI should run at all times.

Trusted Network Detection

You configure TND in the AnyConnect profile (AnyConnectProfile.xml). No configuration is needed on the ASA.
The following text shows the Client Initialization section of the profile file with the TND parameters configured:

<AutomaticVPNPolicy>true
<TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
<TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
</AutomaticVPNPolicy>
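To see what those four elements actually decide, here is an added example (not part of the deck and not Cisco code) that parses the AutomaticVPNPolicy block above with the standard library and reproduces the client's decision from the DNS suffix and DNS server addresses of its active adapter. The wrapper root element, the function names and the adapter states are constructed for the example. One rule is an assumption and is labelled as such in the code: when both TrustedDNSDomains and TrustedDNSServers are configured, both must match for the network to count as trusted; check the AnyConnect administrator guide for the exact precedence in your release.

```python
"""Evaluate Trusted Network Detection from the profile fragment shown above.

Added example (not from the deck, not Cisco code). Parses the AutomaticVPNPolicy
block and reproduces the Connect / Disconnect decision from the DNS suffix and
DNS servers of the endpoint's active adapter.
Assumption (labelled): when both TrustedDNSDomains and TrustedDNSServers are
set, both must match for the network to be trusted.
"""
import fnmatch
import xml.etree.ElementTree as ET

# The ClientInitialization block from this page, wrapped in a minimal profile
# root (a real profile carries an xmlns and many more elements).
PROFILE = """<AnyConnectProfile>
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
      <TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _strip_ns(tag: str) -> str:
    """Drop an XML namespace prefix such as {http://...}Tag."""
    return tag.rsplit("}", 1)[-1]


def load_tnd(profile_xml: str) -> dict:
    """Pull the TND parameters out of a profile; works with or without xmlns."""
    root = ET.fromstring(profile_xml)
    avp = next((e for e in root.iter() if _strip_ns(e.tag) == "AutomaticVPNPolicy"), None)
    # Mixed content: the element's own text ("true"/"false") enables the feature.
    enabled = avp is not None and (avp.text or "").strip().lower() == "true"
    if not enabled:
        return {"enabled": False, "domains": [], "servers": [],
                "trusted": "DoNothing", "untrusted": "DoNothing"}
    children = {_strip_ns(c.tag): (c.text or "").strip() for c in avp}

    def csv(name):
        return [x.strip() for x in children.get(name, "").split(",") if x.strip()]

    return {"enabled": True,
            "domains": csv("TrustedDNSDomains"),
            "servers": csv("TrustedDNSServers"),
            "trusted": children.get("TrustedNetworkPolicy") or "DoNothing",
            "untrusted": children.get("UntrustedNetworkPolicy") or "DoNothing"}


def _matches_any(values, patterns) -> bool:
    """Case-insensitive glob match so '*.cisco.com' and '10.44.124.*' behave as written."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def network_is_trusted(tnd: dict, dns_suffixes, dns_servers) -> bool:
    """Trusted only if every configured list has a match (assumption, see header)."""
    checks = []
    if tnd["domains"]:
        checks.append(_matches_any(dns_suffixes, tnd["domains"]))
    if tnd["servers"]:
        checks.append(_matches_any(dns_servers, tnd["servers"]))
    return bool(checks) and all(checks)


def tnd_action(tnd: dict, dns_suffixes, dns_servers) -> str:
    """Connect / Disconnect / DoNothing, as the client would act on this adapter state."""
    if not tnd["enabled"]:
        return "DoNothing"
    if network_is_trusted(tnd, dns_suffixes, dns_servers):
        return tnd["trusted"]
    return tnd["untrusted"]


if __name__ == "__main__":
    tnd = load_tnd(PROFILE)
    # Constructed adapter states: an office desk, and a hotel network.
    print("office:", tnd_action(tnd, ["eng.cisco.com"], ["10.44.124.11"]))   # Disconnect
    print("hotel :", tnd_action(tnd, ["guest.example"], ["192.168.0.1"]))    # Connect
```

The inputs to this decision are whatever the attached network hands out over DHCP, so TND is an automation convenience rather than an access control: a network that advertises a matching DNS suffix and server address is treated as trusted and the client stays disconnected. Keep TrustedDNSServers specific (the wildcard in the page's example admits an entire /24) and rely on ASA-side policy, not on TND, to decide what a user may reach.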

Configuring Mobile User Security (MUS)

MUS is a solution that provides an "always-on" SSL VPN connection from a mobile user to the ASA, which then directs the web traffic to one or more WSAs for content filtering. The mus address/mask/interface line defines where the WSAs are allowed to connect from, the mus password is the shared secret between the ASA and the WSAs, and the server port must match the port configured on the WSA (the debug output below shows the ASA listening on it).

asa(config)# webvpn
asa(config-webvpn)# mus 10.10.10.0 255.255.255.0 inside
asa(config-webvpn)# mus password th1s!sap4sswd
asa(config-webvpn)# mus server enable port 11999
asa(config-webvpn)# mus host mus.cisco.com

Debugging MUS Connections

debug webvpn mus
asa# Listening WSA on 11999
MUS:timeout: Last update started 0; Next check in 5
MUS:timeout: Last update started 0; Next check in 5
MUS:timeout: Last update started 0; Next check in 5

show webvpn mus

ciscoasa(config)# show webvpn mus
No active WSA connections

Mobile User Security Routing Problems

One of the common problems in MUS implementations is routing issues due to a misconfigured or missing tunnel default gateway.

Tunnel Default Gateway (figure): the topology of Example 1 (client on the Internet; outside 209.165.200.225 on 209.165.200.224/27; inside 10.10.10.254 on 10.10.10.0/24; management 192.168.1.0/24 with ASDM) plus the Web Security Appliance (WSA) at 10.10.10.123 on the inside network. The tunneled default route sends VPN-client traffic that has no more specific route to the WSA:

route inside 0.0.0.0 0.0.0.0 10.10.10.123 tunneled

AnyConnect Telemetry

Introduction to the AnyConnect Telemetry Module

The AnyConnect telemetry module for the AnyConnect Secure Mobility Client sends information about the origin of malicious content to the web filtering infrastructure of the Cisco IronPort Web Security Appliance (WSA).
The web filtering infrastructure uses this data to strengthen its web security scanning algorithms, improve the accuracy of the URL categories and web reputation database, and ultimately provide better URL filtering rules.

AnyConnect Telemetry Module Capabilities


The AnyConnect telemetry module performs these functions:
Monitors the arrival of content on the endpoint.
Identifies and records the origin of any content received by the endpoint
whenever possible.
Reports detection of malicious content, and its origin to Cisco's Threat
Operations Center.
Checks the ASA every 24 hours for an updated Host Scan image. If there
is an updated Host Scan image available, it pulls down the image to the
endpoint.

Important Files During Troubleshooting

actsettings.xml
Installed on the endpoint at %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Telemetry
Contains the base configuration for Telemetry.
telemetry_profile.tsp
The name of this file is specified by the ASA administrator. It is stored on the ASA; its location is specified on the client profile screen in ASDM: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile
All elements defined in this file overwrite those in the actsettings.xml file.

AnyConnect SSL VPN Lab

AnyConnect IPv6 Support

Topology: Example 1 (figure)
Client (AnyConnect) on the Internet; ASA outside interface on 209.165.200.224/27 (IPv4); ASA inside interface and corporate network on IPv6.

The SSL VPN tunnel must be terminated using IPv4. The client is then assigned an IPv6 address in order to pass IPv6 traffic over the SSL tunnel.

IPv6 Support in AnyConnect Client

The ASA does not support IPv6 addresses for split tunneling.
The local print feature does not support IPv6 printers.
The client firewall does not support IPv6 devices on the local network.


Cisco ASA Configuration: IPv6 Pool


Configuration on the ASA is
very simple:
Create an IPv6 Pool in the
Cisco ASA for the AnyConnect
Client Connections.
Enter the Starting IP Address,
Prefix Length and Number of
IPv6 Addresses to be assigned.


IPv6 Assigned Address

The assigned IPv6 address will be shown under the Statistics tab.

IPv6 AnyConnect Lab

Thank you.
