Performance : Anyconnect vs. IPSEC
Currently running a pair of 5520s as VPN routers, running 8.0.3; we have been using only Anyconnect SSL VPN for end users. These boxes do nothing else except serve VPN clients.
However, recently we tried testing some IPSEC clients and are realizing that the Anyconnect SSL VPN client is about 10x slower than the IPSEC client.
From my house, downloading either CIFS or FTP, I can pull pretty close to 1.0mbps, while using Anyconnect, I pull 0.1mbps.
Any ideas what could be causing this slowdown? Should SSL VPN performance be on par with IPSEC?
Clients are all Windows 7, 64-bit, and the testing is being conducted on the same device.
Will do. "sh vpn-any" doesn't take.
Can't seem to find the same info as from ASDM. Seeing only one DTLS session below.
dhr-5668-fw# sh v?
version vlan vpdn vpn
vpn-sessiondb
dhr-5668-fw# sh vpn-sessiondb ?
detail Show detailed output
email-proxy Email-Proxy sessions
full Output formatted for data management programs
index Index of session
l2l IPsec LAN-to-LAN sessions
ratio Show VPN Session protocol or encryption ratios
remote IPsec Remote Access sessions
summary Show VPN Session summary
svc SSL VPN Client sessions
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
| Output modifiers
dhr-5668-fw# sh vpn-sessiondb

Active Session Summary

Sessions:
                            Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                 :     23 :       1899 :              64
    Clientless only       :      0 :        301 :               5
    With client           :     23 :       1598 :              60 :        0
  Email Proxy             :      0 :          0 :               0
  IPsec LAN-to-LAN        :      2 :         15 :               3
  IPsec Remote Access     :      0 :          0 :               0
  VPN Load Balancing      :      0 :          0 :               0
  Totals                  :     25 :       1914

License Information:
  IPsec   : 250  Configured : 250  Active :  2  Load : 1%
  SSL VPN : 250  Configured : 250  Active : 23  Load : 9%

                            Active : Cumulative : Peak Concurrent
  IPsec                   :      2 :         15 :               3
  SSL VPN                 :     23 :       1899 :              64
  AnyConnect Mobile       :      0 :          0 :               0
  Linksys Phone           :      0 :          0 :               0
  Totals                  :     25 :       1914

Tunnels:
                            Active : Cumulative : Peak Concurrent
  IKE                     :      2 :         15 :               3
  IPsec                   :      5 :         64 :               6
  IPsecOverNatT           :     10 :        167 :              11
  Clientless              :     23 :       1899 :              64
  SSL-Tunnel              :     23 :       3128 :              60
  DTLS-Tunnel             :      0 :          1 :               1
  Totals                  :     63 :       5274
Similar Messages
-
Can AnyConnect & Cisco IPsec co-exist on client pc?
Hi- a home user has to connect to one
business using AnyConnect and to us using Cisco IPsec client.
When installing AnyConnect, it wiped out the IPSec client. Can they co-exist on his pc and function side by side?
I'm sure they can't be used simultaneously, but can't both clients be installed for very different connections?
He's running 32-bit xp.
Thanks.
Kathy
I am surprised that installation of AnyConnect removed the traditional IPSec client. I have not had that experience. I have several PCs running Windows XP SP3 which have both AnyConnect and IPSec clients installed. Either client works just fine (but not both at the same time).
HTH
Rick -
Samsung Tab 10.1 WiFi Black 2014 Edition - Anyconnect and IPSec don't work
I have an employee with a Samsung Tab 10.1 2014 black wifi only edition tablet. She has tried to use both an IPsec connection and the Anyconnect for ICS+ (and the Anyconnect normal Android client and also the OpenConnect open source alternative to Anyconnect).
The problematic behavior is the same on any VPN connection. The vpn client connects and then no traffic makes use of it. I can see the VPN session on the firewall and it shows no decrypted/decapsulated packets. Additionally, the tablet loses all internet access once the VPN connects (whether it is IPsec or Anyconnect) even though the VPN is set to use split tunneling (and I can see in the connection details that it is only set to tunnel a couple of /24 networks in the 10.x.x.x range).
I have at least 20 other users that use the same VPN session groups with a variety of Windows, iOS and Android devices and so far, this Samsung tablet is the only problem.
I have tried different accounts on this tablet and I have tried this employee's account on other devices and the problem remains only on the tablet. Her account works great logging in on my Samsung Galaxy S4 using both IPsec and Anyconnect client software. My account shows the same problem as her account when used on her tablet.
I have applied all available updates on her tablet, it is currently running Android 4.4.2 and there are no updates available from Samsung for it.
My phone is running 4.4.4 but the client app versions are the same on both devices.
She has even exchanged the tablet for a replacement of the same model.
Can anyone suggest any additional troubleshooting or cause for this problem?
Basically it is as if the VPN client software works fine but the Android operating system simply ignores it except to stop all internet access. -
Anyconnect and IPSec on ASA5505
hello,
ASA 5505 has only 2 SSL VPN peers and 25 VPN peers. When we connect to our company via AnyConnect I can see that these persons use protocol IKEv2 IPsecOverNatT, so it's suggested that they don't use SSL VPN. But when the third person is trying to connect via AnyConnect, they receive information about a failed login.
is it possible to set up AnyConnect or on ASA that everyone who is defined on ASA uses only IPsec, not SSL VPN?
I'm using
ASA version: 9.1
ASDM version: 7.1
thanks for your help
Robert
For AnyConnect you need an additional license if you want to exceed two concurrent users. This is also true for IPSec.
You have two choices:
1) Buy the license L-ASA-AC-E-5505= (it's about $50)
2) Configure IKEv1 and use the traditional IPSec VPN-Client (EOS/EOL is announced for the Cisco client, but there are many other clients available)
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Monitoring Center for Performance 2 GRE IPSec
Hi, guys
Would you please tell me if "Monitoring Center for Performance 2" as it is bundled with VMS 2.3 supports monitoring for GRE IPSec?
I know for sure that "Cisco Performance Monitor 3.0", which is bundled with CSM has this functionality.
Thanks in advance,
Mladen
Yes, Performance Monitor as part of VMS 2.3.
Use this document: Release Notes for Monitoring Center for Performance 2.0.2 on Windows and Solaris
http://www.cisco.com/en/US/docs/security/security_management/vms/mcp/2.0.2/release/notes/release.html -
My company need the following register edit changes to create VPN connection in Windows OS to connect my company's network.
Start a registry editor (e.g., regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters subkey.
From the Edit menu, select New, DWORD Value.
Enter a name of ProhibitIpSec and press Enter.
Double-click the new value, set it to 1, and click OK.
Now i change to Mac in OS 10.8.x; when i try to config the VPN connection, it keeps asking me the pre-share key (even in Android device).
Can anyone teach me how to do it on Mac and iOS?
If you disable all of the remote access types (anyconnect, clientless, ipsec, etc.) it will still allow users to connect. Instead you have to get on the CLI and go into the group policy "group-policy attributes" then type "vpn-simultaneous-logins 0".
According to the command output below this should disable all logins:
VPN(config-group-policy)# vpn-simultaneous-logins ?
group-policy mode commands/options:
<0-2147483647> Maximum number of simultaneous logins allowed, enter 0 to
disable login and prevent user access
Note: that doesn't disconnect the clients that are already connected. You will have to do the following for the tunnel-group "vpn-sessiondb logoff tunnel-group " -
IPSEC or authentication between CE routers
Hi, I am doing a research project for my master's degree and I was thinking of comparing the performance of deploying IPSEC and authentication between CE routers. So can someone provide me with some links on this and tell me how I can gather data from actual routers to compare the performance?
Thanks in advance
Srijal Gupta
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af8.html
HTH -
IPSec ikev2 between ASA and Cisco Router
Hi,
I am trying to do IPSec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
- Remote site (Router) with dynamic public IP -> Dynamic crypto map on the ASA
- Authentication with certificates
- integrity sha2
I have tried a lot of configurations without success.
Thanks for your help.
Mic
The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure them the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
There are two (three) better options:
Best option with very little needed configuration:
Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
Best option with a little stronger crypto but more configuration:
Move to AnyConnect with IPsec/IKEv2.
Move to a third-party client like shrew.net. I haven't used that client for a couple of years now, but it's quite flexible and also has a config for a better DH-group.
For option 1) and 2) there is an extra license needed, but that's not very expensive. -
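To make the ordering rule above mechanical, here is an added example (not code from the thread) of a small Python check that parses `crypto ikev1 policy` blocks, flags the weak settings discussed here (DES/3DES, MD5, DH groups 1 and 2) and reports any policy that the ASA would offer before a stronger one. The strength ranking and the sample config are assumptions constructed for the example.

```python
"""Lint ASA IKEv1 policy ordering: the strongest proposal should carry the
lowest policy number so it is offered first. Added example, not from the
thread; the ranking tables and SAMPLE_CONFIG are constructed here."""
import re

# Constructed sample modelled on the policies posted above, with one
# deliberately mis-ordered weak policy (policy 5) added to trigger findings.
SAMPLE_CONFIG = """\
crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""

# Rough relative strength ranks (higher is stronger); an assumption of the lint.
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
HASH_RANK = {"md5": 0, "sha": 1}
GROUP_RANK = {"1": 0, "2": 1, "5": 2, "14": 3, "19": 4, "20": 5, "21": 6}
WEAK = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
        ("group", "1"), ("group", "2")}


def parse_ikev1_policies(config):
    """Return {policy_number: {attribute: value}} from ASA-style config text."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        policies[current][key] = value
    return policies


def strength(policy):
    """Sortable tuple: encryption first, then DH group, then hash."""
    return (ENC_RANK.get(policy.get("encryption"), -1),
            GROUP_RANK.get(policy.get("group"), -1),
            HASH_RANK.get(policy.get("hash"), -1))


def lint(policies):
    """Return a list of human-readable findings (empty means no issue)."""
    findings = []
    ordered = sorted(policies)
    for i, num in enumerate(ordered):
        pol = policies[num]
        for key in ("encryption", "hash", "group"):
            if (key, pol.get(key)) in WEAK:
                findings.append(f"policy {num}: weak {key} {pol[key]}")
        # The ASA offers policies in ascending number, so any later policy
        # that is stronger than this one is mis-ordered.
        for later in ordered[i + 1:]:
            if strength(policies[later]) > strength(pol):
                findings.append(
                    f"policy {num} is offered before stronger policy {later}")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ikev1_policies(SAMPLE_CONFIG)):
        print(finding)
```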
ASA and ACS 5 multiple VPN profiles for one user
Hi there
I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
ACS 5.3 group hierarchy:
- VPN users global
-- VPN users A
-- VPN users B
ASA VPN profiles:
- VPN profile A
- VPN profile B
- VPN profile Z
VPN authorizations:
1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class an no lock attributes, so the group is allowed for all VPN profiles)
2. VPN users A should have access to VPN profile A (here we create a authorization profile with class and lock attributes for profile A)
3. VPN users B should have access to VPN profiles B and Z (is this possible and how does the authorization profile have to look like?)
Thanks a lot in advance and best regards
Dominic
Hi Dominic,
first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
The Tunnel-Group (TG) is either selected by the user (either from a drop down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
vendor ID = 3076, attribute 150 is "Client Type" (integer)
0 = No Client specified
1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)
So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
hth
Herbert -
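Added example, not code from the thread: encoding and decoding the two Cisco VSAs Herbert lists (vendor 3076, attributes 146 and 150) in the RFC 2865 Vendor-Specific attribute format, and the per-request tunnel-group check a RADIUS server would have to perform to allow Dominic's "B and Z" case without group-lock. The user table is constructed for the example.

```python
"""Cisco ASA RADIUS VSAs (vendor 3076): 146 Tunnel Group Name, 150 Client
Type, plus a per-request allow/deny decision keyed on the tunnel-group.
Added example; ALLOWED_TUNNEL_GROUPS is a constructed user table."""
import struct

CISCO_VENDOR_ID = 3076
VSA_TUNNEL_GROUP_NAME = 146   # string
VSA_CLIENT_TYPE = 150         # integer
CLIENT_TYPES = {0: "No Client specified", 1: "Cisco VPN Client (IKEv1)",
                2: "AnyConnect Client SSL VPN", 3: "Clientless SSL VPN",
                4: "Cut-Through-Proxy", 5: "L2TP/IPsec SSL VPN",
                6: "AnyConnect Client IPsec VPN (IKEv2)"}


def encode_vsa(vendor_type, value):
    """Build one RADIUS Vendor-Specific attribute (type 26):
    type, length, vendor-id(4), vendor-type, vendor-length, value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    vendor_part = struct.pack("!IBB", CISCO_VENDOR_ID, vendor_type,
                              2 + len(value)) + value
    return bytes([26, 2 + len(vendor_part)]) + vendor_part


def decode_vsas(attrs):
    """Walk a RADIUS attribute byte string and return {vendor_type: raw bytes}
    for the Cisco VSAs found; non-Cisco and non-VSA attributes are skipped."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == 26 and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed VSA")
                    found[vtype] = attrs[j + 2:j + vlen]
                    j += vlen
        i += alen
    return found


# Constructed table for Dominic's scenario: the tunnel-groups (connection
# profiles) each user may select. Note user-b gets two, which group-lock
# alone cannot express.
ALLOWED_TUNNEL_GROUPS = {
    "global-user": {"A", "B", "Z"},
    "user-a": {"A"},
    "user-b": {"B", "Z"},
}


def decide(username, request_attrs):
    """Return (accept, reason): the dynamic per-request check Herbert
    suggests, keyed on the Tunnel Group Name VSA instead of group-lock."""
    vsas = decode_vsas(request_attrs)
    if VSA_TUNNEL_GROUP_NAME not in vsas:
        return False, "no Tunnel Group Name VSA (ASA older than 8.4.3?)"
    tg = vsas[VSA_TUNNEL_GROUP_NAME].decode()
    ctype = 0
    if VSA_CLIENT_TYPE in vsas:
        ctype = struct.unpack("!I", vsas[VSA_CLIENT_TYPE])[0]
    if tg in ALLOWED_TUNNEL_GROUPS.get(username, set()):
        return True, f"{username} via {tg} ({CLIENT_TYPES.get(ctype, ctype)})"
    return False, f"{username} not permitted on tunnel-group {tg}"


def example_request(tunnel_group, client_type):
    """Constructed Access-Request attribute bytes carrying both VSAs."""
    return (encode_vsa(VSA_TUNNEL_GROUP_NAME, tunnel_group)
            + encode_vsa(VSA_CLIENT_TYPE, client_type))


if __name__ == "__main__":
    for user in ("global-user", "user-a", "user-b"):
        print(decide(user, example_request("Z", 6)))
```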
Ikev2 VPN without using a SSL license? (ASA-5512)
Hi All,
I've enabled Cisco "Anyconnect Premium Peers" for clientless SSL VPN connections; the obvious catch is that for IKEv2 Anyconnect sessions it wants to use up the SSL license pool instead of the IPSEC pool (which I have lots of connection licenses for: "Total VPN Peers : 250").
* Is there any way to configure Anyconnect to connect via IPSEC and use an IPSEC license (while keeping the Anyconnect Premium Peers enabled)?
* Do I have to consider 3rd party vpn clients, outside Anyconnect?
cya
Craig
Remote-Access sessions with IKEv2 will always consume a Premium license. Changing to a different client won't help unless you change to a client that uses the legacy EasyVPN technology. But that shouldn't be the solution.
If you enable AnyConnect Essentials, you can use AnyConnect with IPSec up to the platform-limit but you can't use the premium-features (like clientless) anymore at the same time.
In a situation like that where lots of AnyConnect sessions were needed and only a couple of clientless sessions, I installed AnyConnect Essentials on the main ASA and deployed another ASA only for clientless VPN. Due to the high cost of the VPN Premium licenses it was much cheaper than buying Premium licenses for all VPN users.
Sent from Cisco Technical Support iPad App -
Hi all and thank you in advance for any help/advice you might be able to offer....
I'm having problems getting a WLC (7.0.220.0) working using LDAP (Windows 2008). This evening, in an effort to troubleshoot the problem further, I have configured the customer's ASA to use LDAP too and run a test....as you can see below, the test works flawlessly (on the ASA).
aaa-server LDAP_TEST protocol ldap
aaa-server LDAP_TEST host x.x.x.x
server-port 389
ldap-base-dn OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
ldap-scope subtree
ldap-login-password *
ldap-login-dn CN=ldap,OU=Users,OU=IT Dept (South),DC=yyy,DC=co,DC=zzz
server-type microsoft
ASA/act# test aaa-server authentication LDAP_TEST host x.x.x.x username ldap password password
INFO: Attempting Authentication test to IP address <x.x.x.x> (timeout: 12 seconds)
INFO: Authentication Successful
ASA/act#
Now, my understanding is that the ASA only supports PAP (clear text) as Authentication method when communicating to an LDAP server....while on the Controller, I am using EAP-FAST....so my understanding would be that only EAP-FAST/GTC or EAP-FAST/MSCHAPv2 (IF the LDAP server is setup to return a clear text password) are supported.
On the Controller, I am using the very same settings as I have used on the ASA (for the LDAP server configuration). However, users are still unable to Authenticate....they Associate, but do not Authenticate. The clients are all Windows 7 and are setup to use the in-built Cisco EAP-FAST as Authentication method. We are not using certificates.
The thing is that I'm pretty sure that both the Windows 7 clients and the Controller are setup correctly but, as I said, the clients are still unable to authenticate.
I guess that my questions are these:
- on the client side, you can setup the laptops to use "Any method" as authentication method...but how does this exactly work? do they try both EAP-GTC and EAP-MSCHAPv2 (i.e. if it can't authenticate through EAP-GTC will then try EAP-MSCHAPv2?)
- is it better to hardcode the clients to use EAP-GTC or EAP-MSCHAPv2 (instead of default "Any method")....when working on an LDAP environment
- how can I check that the MS 2008 server is indeed setup to "return a clear text password" if using EAP-FAST/MSCHAPv2 (and I do realize that this is probably a question for a Microsoft forum)
- how can I check the the LDAP server is configured to support EAP-GTC and/or EAP-MSCHAPv2??
Thanks again.
This is not an acceptable answer. Steve, do you work for Cisco, or are you commenting on personal experience & knowledge?
I have had a working RADIUS configuration for 2 years+ of an ASA 5510 for authentication of AnyConnect SSL & IPSEC VPN clients with AD, and a WLC 2106 for authentication of WPA2-Enterprise w/802.1x certificates with AD. Both were configured to communication to the same RADIUS server that is a Windows Server 2003 DC with IAS/RADIUS and a CA installed. During the planning for installing a new Windows Server 2008 R2 DC, I decided to attempt to remove my reliance on RADIUS since authenticating directly with LDAP is becoming more common. I was successfully able to configure our ASA to do direct LDAP queries to AD, but similar to "superduperlopez" and "rschwenderman", I have been unable to configure the WLC the same way.
I feel like the following line in Cisco's documentation is unsatisfactory: "For example, Microsoft Active Directory is not supported because it does not return a clear-text password."
I would take this to mean that the ASA is working correctly due to either:
A) The ASA is accepting clear-text passwords from AD, and AD is configured to pass clear-text passwords, or
B) The ASA is not accepting clear-text passwords from AD, and AD is not configured to pass clear-text passwords
Now this would lead me to the following:
A) Cisco has not properly updated the WLC documentation to instruct users how to correctly configure the WLC to do backend LDAP queries, or
B) Cisco has not implemented the technology changes that were made in the ASA to the WLC
This frustrates the average network admin, as it is seen by us as "If the ASA can do it, why can't the WLC". Also, don't get this confused with any "client" issues, as all that is being asked for is the WLC to using a different backend "authentication" server while not modifying the client side at all. The concept of "Local EAP" seems to fit, but doesn't work.
I would really appreciate someone giving some insight on this topic, as there are three customers on this forum post that have had the same problem within the last 2 months.
The previous posters, and myself, are not looking for someone to retype the documentation, but rather explain how it is working on one of Cisco's security products, but not the other. -
TN3270 Plugin / ASA SSL Portal
Hi Guys, I'm working on the SSL portal of my company and we need to have a 3270 emulator available in it. Do you know if there is a tn3270 plugin for the Cisco ASA SSL portal? Or is there a workaround to make it work?
Thanks in advance,
Regards
Oscar
Hello,
Regarding the plugin, nope. There are not that many plug-ins available.
So you have two other options:
1- Smart tunnel ( You do not need to have administrative rights over the remote system, you only need to have the application locally installed)
2- Port-forwarding ( You do need to have administrative rights over the remote system and have the application locally installed)
If those do not fit your expectations I would go for a tunnel-all VPN (Anyconnect or IPsec remote access).
Hope I could help.
Julio
Do rate all the helpful posts -
Setting up IPsec VPNs to use with Cisco Anyconnect
So I've been having trouble setting up VPNs on our ASA 5510. I would like to use IPsec VPNs so that we don't have to worry about licensing issues, but from what I've read you can do this and still use Cisco Anyconnect. My knowledge on how to set up VPNs, especially in iOS version 8.4, is limited so I've been using a combination of command line and ASDM.
I'm finally able to connect from a remote location but once I connect, nothing else works. From what I've read, you can use IPsec for client-to-LAN connections. I've been using a preshared key for this. Documentation is limited on what should happen after you connect. Shouldn't I be able to access computers that are local to the VPN connection? I'm trying to set this up from work. If I VPN from home, shouldn't I be able to access all resources at work? I think because I've used the command line as well as ASDM I've confused some of the configuration. Plus I think some of the default policies are confusing me too. So I probably need a lot of help. Below is my current configuration with IP addresses altered and stuff that is completely non-related to VPNs removed.
NOTE: We are still testing this ASA and it isn't in production.
Any help you can give me is much appreciated.
ASA Version 8.4(2)
hostname ASA
domain-name domain.com
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
nameif outside
security-level 0
ip address 50.1.1.225 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa842-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.0.224_27
subnet 192.168.0.224 255.255.255.224
object-group service VPN
service-object esp
service-object tcp destination eq ssh
service-object tcp destination eq https
service-object udp destination eq 443
service-object udp destination eq isakmp
access-list ips extended permit ip any any
ip local pool VPNPool 192.168.0.225-192.168.0.250 mask 255.255.255.0
no failover
failover timeout -1
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.0.224_27 NETWORK_OBJ_192.168.0.224_27 no-proxy-arp route-lookup
object network LAN
nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.250 1
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate d2c18c4e
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 10
console timeout 0
management-access inside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles VPN disk0:/devpn.xml
anyconnect enable
tunnel-group-list enable
group-policy VPN internal
group-policy VPN attributes
wins-server value 50.1.1.17 50.1.1.18
dns-server value 50.1.1.17 50.1.1.18
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value digitalextremes.com
webvpn
anyconnect profiles value VPN type user
always-on-vpn profile-setting
username administrator password xxxxxxxxx encrypted privilege 15
username VPN1 password xxxxxxxxx encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authorization-server-group LOCAL
default-group-policy VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
tunnel-group VPN ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
class-map ips
match access-list ips
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
class ips
ips inline fail-open
class class-default
user-statistics accounting
Hi Marvin, thanks for the quick reply.
It appears that we don't have Anyconnect Essentials.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5510 Security Plus license.
So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license? -
Anyconnect VPN via IPSec - Certificate issue
Hi,
I'm currently setting up a VPN-firewall and ran into problems with the certificates. I only want to enable IPSec connections via Anyconnect to the firewall. The client and the profile will be rolled out manually, so there is no need for anything web-based (portal, web-installer, SSL, etc.).
The VPN-firewall is reached through the normal outside-firewall (NAT) via FQDN (vpn.abc.com).
The normal setup is finished, but I have problems regarding the certificate. First I generated a CSR with "cn=fw001.abc.com", installed, bound to interface - but when I try to connect, I get the certificate error ("cert doesn't match server name" and "ca not trusted"). Then I tried a new CSR with "cn=vpn.abc.com", but it's still the same. Tomorrow I will try to get the CA-certificate to get rid of the "ca not trusted" message, but this one with the server name will still remain.
I mean, the connection works, but it's this popup-window with the certificate warning that bothers me.
I already had a similar configuration on another site, but there I had a wildcard certificate (*.xyz.com), which I installed as identity certificate and it worked properly.
Questions:
1.) Does anybody know what could be the issue here?
2.) Do I need a certificate on the outside firewall?
Thanks in advance!
Thanks for the response.
First of all I need to state once again that I get 2 warnings:
1.) Certificate does not match the server name.
2.) Certificate is from an untrusted source.
I know the procedure regarding certificates, I generated a request and got the proper signed licence, but the issue is the "server name not matching"-message. I created the CSR with the CN=vpn.abc.com, and got it signed with this CN. In the connection profile, the tunnel destination is also set to the domain and not the IP:
"<HostAddress>vpn.abc.com</HostAddress>"
But nevertheless, I get the message that the certificate doesn't match the server name.
I'm aware that the CA must be trusted on the PC, but this explains only the second message (untrusted) and not the mismatching name.
Like I said I also tried it with CN=hostname.abc.com and sent the CSR to the signing, but it was the same issue. What name must I use so that the first message isn't showing up? -
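As an added example (not the poster's code, and not AnyConnect's own implementation), here is the name check a TLS or IKEv2 client performs before it reports "certificate does not match the server name": the configured HostAddress is compared against the certificate's SAN DNS entries, and the subject CN is consulted only when the certificate carries no SAN at all, with one-label wildcard matching as in the poster's other site. The certificate dicts are constructed in the shape Python's ssl.getpeercert() returns; they are not the poster's certificates.

```python
"""Hostname-vs-certificate name matching as a VPN/TLS client applies it.
Added example; the CERT_* dicts are constructed, not real certificates."""


def _match_one(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a leading '*' label
    matches exactly one label and never the registered domain itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client will accept: SAN dNSName entries if any are present,
    otherwise the subject commonName (CN is a fallback only)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(cert, hostname):
    """True when the host the client connects to is covered by the cert."""
    return any(_match_one(name, hostname) for name in cert_names(cert))


# Constructed certificates modelling the thread: the first CSR carried the
# firewall's own hostname, the second the public FQDN, the third adds a SAN
# listing both names, and the last is the wildcard from the other site.
CERT_FW_HOSTNAME = {"subject": ((("commonName", "fw001.abc.com"),),)}
CERT_VPN_FQDN = {"subject": ((("commonName", "vpn.abc.com"),),)}
CERT_VPN_FQDN_WITH_SAN = {
    "subject": ((("commonName", "vpn.abc.com"),),),
    "subjectAltName": (("DNS", "vpn.abc.com"), ("DNS", "fw001.abc.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.xyz.com"),),),
    "subjectAltName": (("DNS", "*.xyz.com"),),
}

if __name__ == "__main__":
    for label, cert in (("fw hostname", CERT_FW_HOSTNAME),
                        ("vpn fqdn", CERT_VPN_FQDN),
                        ("vpn fqdn + SAN", CERT_VPN_FQDN_WITH_SAN)):
        print(label, "covers vpn.abc.com:", name_matches(cert, "vpn.abc.com"))
```

A certificate whose only DNS name lives in the CN while a SAN with other names is present fails this check, which is one reason a CN that looks right can still produce the mismatch warning.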
Edit Anyconnect IPSEC Client text
Hi
I am trying to edit the text in the any connect client for new and existing users of the client who make IPSEC connections to my ASA.
I have followed the following cisco document:-
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac11customize.html
I want to edit the text in the box which prompts you for group, username and password having clicked connect following the applications launch. I want Password: to change to Token Number:
Following the above document I have edited the template in
Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages
I changed the following by adding an entry in the quotation marks for msgstr
#: 0300000000000000e4fe180003000000
#: 0300000000000000e4fe180003000000
msgid "Password:"
msgstr "Token Number:"
Following saving the changes on the ASA I have uninstalled the IPSEC Any Connect client on my client machine and reinstalled it. The change is not recognised in the reinstalled client and I presume this is because the information isn't pulled down from the ASA each time a new connection is established.
Any help would be great
thanks
Can anyone offer any advice as to how to change the text in the any connect login box?