Omar Santos
Incident Manager and Technical Leader, PSIRT
Figure: comparison of IPsec client software versus SSL VPN, on management, encryption, applications, cost (free license), user environment and connectivity.
Figure: SSL VPN client types. Thin-client: port redirection (for TCP-only applications) and smart tunnel. Client-based: full SSL tunnel (SVC, CSD, AnyConnect).
Operating System Support
CAPABILITY
Enhanced User Interface
IPsec (IKEv2) and SSL (TLS and DTLS)
WINDOWS
MAC
LINUX
2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Mobile device support does not include the new features in 3.0. The latest iPhone/iPad client is based on 2.4.x code.
Detailed statistics and diagnostics information that is useful for troubleshooting.
Web-Deploy Packages
All supported OS Web-Deploy packages contain the following:
- headinfo.txt: OS definition and XML file sizes
- pkgversion.xml: version info
- VPNManifest.xml: package module contents
- Profile schema files for Profile Editor
- ServiceProfileManifest.xml: profile info for head-end and downloader
Binaries (binaries\):
- anyconnect and optional module installers (will vary with OS)
- anyconnectprof.sgz: profile editor
- vpndownloader.exe: downloader
- update.txt: build version
Files for web-launch presentation:
- images\
- locale\ (Windows only)
- profile\ (Mac & Linux)
Web-Deploy .pkg files are zip files with a .pkg extension and can be opened and viewed using WinZip.
Linux:
- ciscovpn: main AnyConnect VPN installer binary
- csd-3.0.x: Cisco Secure Desktop package (not supported on Linux-64)
- dart: DART binary
AnyConnect Essentials
AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the Cisco ASA, that provides the full AnyConnect capability, with the following exceptions:
- No CSD (including HostScan/Vault/Cache Cleaner)
- No clientless SSL VPN
- Optional mobile support
ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License
CLI:
webvpn
 anyconnect-essentials
Event Viewer
An Example of How Windows Event Viewer Looks
Uninstalling AnyConnect
Uninstall of AnyConnect Core is not supported via Web-Deploy; a pre-deploy uninstall must be used.
Uninstall of optional components is effectively achieved when the upgrade of AnyConnect Core removes the Plugins\ directory and its contents, in order to remove optional component functionality.
Export Stats saves the information on the Statistics screen, along with other connection information, to a text file for troubleshooting.
Topology: Example 1
Figure: the AnyConnect client on the Internet reaches the ASA outside interface (209.165.200.224/27, .225); the inside interface (10.10.10.0/24, .254) faces the corporate network; the management interface (192.168.1.0/24, .254) is used by ASDM.
Problem Summary
A user calls your VPN support staff and complains that his AnyConnect VPN connection is not working!!
First, let's take a look at some debugs you can use.
You can also use the show aaa-server command to view statistics on AAA transactions:
asa# show aaa-server my-radius
Server Group:    my-radius
Server Protocol: radius
Server Address:  172.18.118.206
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at 11:49:09 UTC Mon May 23 2011
Number of pending requests          0
Average round trip time             0ms
Number of authentication requests   11
Number of authorization requests    0
Number of accounting requests       0
Number of retransmissions           0
Number of accepts                   1
Number of rejects                   5
Number of challenges                0
Number of malformed responses       0
Number of bad authenticators        0
Number of timeouts                  5
Number of unrecognized responses    0
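To show what these counters tell a support engineer, here is an added Python example (not from the deck or from Cisco) that parses the output above and maps each non-zero problem counter to the part of the AAA path it points at; the counter names and the sample text are taken from the slide, the interpretation strings are the example's own.

```python
import re

# Constructed sample: a subset of the "show aaa-server my-radius" output
# shown above, re-typed as a string so the parser can run offline.
SAMPLE_OUTPUT = """\
Server Group:    my-radius
Server Protocol: radius
Server Address:  172.18.118.206
Server port:     1645(authentication), 1646(accounting)
Server status:   ACTIVE, Last transaction at 11:49:09 UTC Mon May 23 2011
Number of pending requests          0
Number of authentication requests   11
Number of retransmissions           0
Number of accepts                   1
Number of rejects                   5
Number of bad authenticators        0
Number of timeouts                  5
"""

COUNTER_RE = re.compile(r"^Number of (.+?)\s+(\d+)$")
FIELD_RE = re.compile(r"^(Server \w+):\s*(.*)$")

def parse_aaa_server(text):
    """Parse 'show aaa-server' output into {name: value}; counters become ints."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNTER_RE.match(line)
        if m:
            info[m.group(1)] = int(m.group(2))
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def aaa_findings(info):
    """Map the counters to the part of the AAA path each one points at."""
    findings = []
    server = info.get("Server Address", "?")
    if info.get("timeouts", 0):
        findings.append("timeouts=%d: %s did not answer; check reachability, the UDP "
                        "ports and whether the server drops requests from this ASA"
                        % (info["timeouts"], server))
    if info.get("bad authenticators", 0):
        findings.append("bad authenticators: shared secret mismatch with %s" % server)
    if info.get("rejects", 0) > info.get("accepts", 0):
        findings.append("rejects=%d exceed accepts=%d: credentials or server-side "
                        "policy; check the RADIUS server log" % (info["rejects"], info["accepts"]))
    return findings
```

For the slide's numbers (5 timeouts, 5 rejects against 1 accept) the function reports both a server-response problem and a rejection problem, which is why the first step is to confirm the ASA can reach 172.18.118.206 before blaming the user's password.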
Problem Summary: Routing Problem?
Figure: the AnyConnect client receives an address from the VPN pool 10.10.20.0/24 through the ASA outside interface; the inside network (.254) has no idea where 10.10.20.x is.
The internal router must have a route for the VPN IP address pool (10.10.20.0/24).
AnyConnect 3.0 Network Access Manager: Highlights
- Intelligently detects and selects the best layer 2 access network(s).
- Automatically connects to configured networks, automating the user experience.
- Wired is preferred over WiFi in automatic mode; override with manual mode.
AnyConnect 3.0 Network Access Manager: User Interface
- Network tile: available when NAM is installed, inactive when the service is disabled.
- NAM statistics
- Message history
IKEv2 Support
Other IKEv2-specific commands
Note: debug crypto ike-common can be used for both IKEv1 and IKEv2.
Using DART
DART Wizard
Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information. DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and which files you want to include in the bundle.
OS:
OS username:
Upload URL:
DART Mode:
Bundle on client computer:
=============================================================================================================================================
Cisco AnyConnect Secure Mobility Client:
Files Included in Bundle:
ID                  Filename                                                           Description                                                         Truncate?  Final Size  Orig. Size
---------------------------------------------------------------------------------------------------------------------------
ac-install          update_pre3.0.txt                                                  AnyConnect install logs. Includes web and standalone install logs   No         10 bytes    10 bytes
ac-install          anyconnect-win-2.3.0254-web-deploy-k9-install-22203701062010.log   AnyConnect install logs. Includes web and standalone install logs   No         322.35K     322.35K
ac-install          update.txt                                                         AnyConnect install logs. Includes web and standalone install logs   No         10 bytes    10 bytes
ac-install          VPNManifest.dat                                                    AnyConnect install logs. Includes web and standalone install logs   No         181 bytes   181 bytes
ac-install          AnyConnectLocalPolicy.xml                                          AnyConnect install logs. Includes web and standalone install logs   No         589 bytes   589 bytes
ac-install          UpdateHistory_20110405_124400_log.txt                              AnyConnect install logs. Includes web and standalone install logs   No         705 bytes   705 bytes
ac-logs             AnyConnect_pre3.0.txt                                              AnyConnect application logs                                         No         3.62M       3.62M
ac-logs             AnyConnect.txt                                                     AnyConnect application logs                                         No         227.40K     227.40K
ac-logs             AnyConnect.evtx                                                    AnyConnect application logs                                         No         1.06M       1.06M
ac-profile          CALO.xml                                                           AnyConnect Profile                                                  No         1.46K       1.46K
ac-profile          AnyConnectProfile.xsd                                              AnyConnect Profile                                                  No         93.22K      93.22K
global-preferences  preferences_global.xml                                             AnyConnect Global Preferences                                       No         546 bytes   546 bytes
user-preferences    preferences.xml                                                    AnyConnect User Preferences                                         No         590 bytes   590 bytes
va-runtime          setupapi.app.log                                                   Virtual Adapter runtime logs                                        No         320.88K     320.88K
va-runtime          setupapi.dev.log                                                   Virtual Adapter runtime logs                                        No         9.70M       9.70M
----------------------------------------------------------------------------------------------------------------------------
Troubleshooting Split Tunneling
Troubleshooting Trusted Network Detection
Figure: AnyConnect Secure Mobility overview. Anywhere, any-device connectivity through the AnyConnect Secure Mobility Client with always-on VPN (admin configurable); threat protection for internal users, data loss prevention and anti-phishing; user authentication and access control; SaaS security (ScanSafe, enterprise SaaS, social networking such as facebook.com). Internet-bound web communications go through the Cisco Web Security Appliance (WSA) via WCCP, internal communications through the ASA; the user authenticates against corporate AD, with authentication handoff (SSO) between ASA and WSA and location-aware reporting; the client behaves differently on a trusted network than on an untrusted network.
NOTE: Because the TND feature controls the AnyConnect client GUI and automatically initiates connections, the GUI should run at all times.
<AutomaticVPNPolicy>true
  <TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
  <TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
  <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
  <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
</AutomaticVPNPolicy>
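To see how a profile like this one turns into a Connect or Disconnect decision, here is an added Python example (not part of the deck and not the AnyConnect client's code) that parses the AutomaticVPNPolicy block and evaluates it against a host's DNS suffix and DNS servers; the matching rule it applies (every configured category must match, with wildcard patterns) is a simplified assumption, not the client's documented algorithm.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatch

# Constructed sample: the AutomaticVPNPolicy block from the slide, wrapped in a
# minimal root element so it parses on its own (a real profile has more content).
PROFILE_XML = """<ClientInitialization>
<AutomaticVPNPolicy>true
<TrustedDNSDomains>*.cisco.com</TrustedDNSDomains>
<TrustedDNSServers>10.44.124.*,10.102.6.247</TrustedDNSServers>
<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
</AutomaticVPNPolicy>
</ClientInitialization>"""

def load_tnd_policy(xml_text):
    """Return the TND settings as a dict, or None when AutomaticVPNPolicy is not true."""
    node = ET.fromstring(xml_text).find("AutomaticVPNPolicy")
    if node is None or (node.text or "").strip().lower() != "true":
        return None

    def csv(tag):  # the profile stores several patterns as a comma-separated list
        return [p.strip() for p in (node.findtext(tag) or "").split(",") if p.strip()]

    return {"domains": csv("TrustedDNSDomains"), "servers": csv("TrustedDNSServers"),
            "trusted": node.findtext("TrustedNetworkPolicy"),
            "untrusted": node.findtext("UntrustedNetworkPolicy")}

def tnd_action(policy, dns_suffix, dns_servers):
    """Decide the action for the host's current DNS suffix and DNS server list.
    Assumption (simplified model, not the client's exact algorithm): every category
    that is configured must match; patterns such as 10.44.124.* are shell wildcards."""
    if policy is None:
        return None  # TND disabled: no automatic action
    checks = []
    if policy["domains"]:
        checks.append(any(fnmatch(dns_suffix.lower(), p.lower()) for p in policy["domains"]))
    if policy["servers"]:
        checks.append(any(fnmatch(s, p) for s in dns_servers for p in policy["servers"]))
    trusted = bool(checks) and all(checks)
    return policy["trusted"] if trusted else policy["untrusted"]
```

A host on a network that hands out a cisco.com suffix but an untrusted DNS server is treated as untrusted and gets the Connect action, which is the behaviour a defender wants when the trusted-network test can be half-spoofed.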
asa(config)# webvpn
asa(config-webvpn)# mus 10.10.10.0 255.255.255.0 inside
asa(config-webvpn)# mus password th1s!sap4sswd
asa(config-webvpn)# mus server enable 960
(The default port is 610.)
asa(config-webvpn)# mus host mus.cisco.com
Figure: the AnyConnect client on the Internet reaches the ASA outside interface (.225); the inside interface (10.10.10.0/24, .254) connects to the Web Security Appliance (WSA, .123); the management interface (192.168.1.0/24, .254) is used by ASDM.
AnyConnect Telemetry
Topology: Example 1
Figure: the AnyConnect client reaches the ASA outside interface (209.165.200.224/27) over IPv4; the inside interface connects to the corporate network over IPv6.
The assigned IPv6 address will be shown under the Statistics tab.
Thank you.