Anyconnect and IPSec on ASA5505

Similar Messages

• Samsung Tab 10.1 WiFi Balck 2014 Edition - Anyconnect and IPSec don't work

  I have an employee with a Samsung Tab 10.1 2014  black wifi only edition tablet. She has tried to use both an IPsec connection and the Anyconnect for ICS+ (and the Anyconnect normal Android client and also the OpenConnect open source alternative to Anyconnect).
  The problematic behavior is the same on any VPN connection. The vpn client connects and then no traffic makes use of it. I can see the VPN session on the firewall and it shows no decrypted/decapsulated packets. Additionally, the tablet loses all internet access once the VPN connects (whether it is IPsec or Anyconnect) even though the VPN is set to use split tunneling (and I can see in the connection details that it is only set to tunnel a couple of /24 networks in the 10.x.x.x range).
  I have at least 20 other users that use the same VPN session groups with a variety of Windows, iOS and Android devices and so far, this Samsung tablet is the only problem.
  I have tried different accounts on this tablet and I have tried this employee's account on other devices and the problem remains only on the tablet. Her account works great logging in on my Samsung Galaxy S4 using both IPsec and Anyconnect client software. My account shows the same problem as her account when used on her tablet.
  I have applied all available updates on her tablet, it is currently running Android 4.4.2 and there are no updates available from Samsung for it.
  My phone is running 4.4.4 but the client app versions are the same on both devices.
  She has even exchanged the tablet for a replacement of the same model.
  Can anyone suggest any additional troubleshooting or cause for this problem?
  Basically it is as if the vpn client software works fine but the Android operating system simply ignores it except to stop all internet access.

  The warranty entitles you to complimentary phone support.
  If you bought the product in the U.S. directly from Apple (not from a reseller), you have 14 days from the date of delivery in which to exchange or return it for a refund. In other countries, the return policy may be different. If you bought from a reseller, its return policy applies.

• Can AnyConnect & Cisco IPsec co-exist on client pc?

  Hi- a home user has to connect to one
  business using AnyConnect and to us using Cisco IPsec client.
  When installing AnyConnect, it wiped out the IPSec client. Can they co-exist on his pc and function side by side?
  I'm sure they can't be used simultaneously, but can't both clients be installed for very different connections?
  He's running 32-bit xp.
  Thanks.

  Kathy
  I am surprised that installation of AnyConnect removed the traditional IPSec client. I have not had that experience. I have several PCs running Windows XP SP3 which have both AnyConnect and IPSec clients installed. Either client works just fine (but not both at the same time).
  HTH
  Rick

• IKEv2 AnyConnect and Pool allocation via RADIUS

  I am configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
  e.g. in FreeRadius (2.1.12), the following is defined (home is the 'group') in username@group format.
  home                    Cleartext-Password := "cisco"
                               Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                               Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                                Framed-Pool = "CUST-A-POOL"
  matt@home               Cleartext-Password := "test123"
  Group and user authorization information is then merged and cloned onto the virtual template:
  crypto ikev2 name-mangler EXTRACT-GROUP
  eap suffix delimiter @
  crypto ikev2 profile FlexVPN-IKEv2-Profile-1
  match fvrf IPSEC-FVRF
  match identity remote key-id FlexAnyConnect
  identity local dn
  authentication remote eap query-identity
  authentication local rsa-sig
  pki trustpoint cacert.org
  dpd 60 2 on-demand
  aaa authentication eap FlexVPN-AuthC-List1
  aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
  aaa authorization user eap cached
  virtual-template 1
  interface Virtual-Template1 type tunnel
  no ip address
  tunnel mode ipsec ipv4
  tunnel vrf IPSEC-FVRF
  tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
  However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
  *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
  However, the crypto debugs state that an IP address cannot be assigned:
  *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
  <snip>
  Payload contents:
  AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
  If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
  Cheers,
  Matt

  Marcin,
  Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
  As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
  Cheers,
  Matt

• AnyConnect and Pre-Shared Keys

  Hello,
  I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect Client on Android to connect to my ASA 5505 via IPSEC. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know, I'm not sure what to put on here to give the info needed to help. Thanks!

  Believe I found my answer:
  Cisco AnyConnect VPN
  Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
  A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
  From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
  If there is a workaround or something, please let me know. If not, oh well!

• Anyconnect and win7 binding order

  I have an issue where an application will not synchronize correctly when routin through anyconnect vpn.  have investigated and discovered that this is because The anyconnect client will move itself to top of binding order when it is reconnected.  This is after moving it to bottom in windows.  is there a way to have the anyconnect client not move itself to the top of the binding order on connection, but honor the windows setting. 

  This appears to be a Windows 7 "Feature" where the latest network interface to make a connection is moved to the top of the binding order, as Windows assumes it has better information than the previous connection.  Otherwise why would you have connected in the first place right? 
  We are having a similar issue with a client who has an application which when run binds to the NIC highest in the binding order and then uses that MAC address for licensing.
  Since the app is only run by 3 devices, we are issuing PCF files and Ipsec VPN for those users as the IPsec VPN falls into windows "VPN Client Adapters" pool of nics on the binding order, and doesn't change when it connects or disconnects.
  I can see why Cisco wanted Anyconnect outside that pool, so it would have a higher level of control over the PC and prevent the user from bypassing security by using a higher bound nic card if you deployed the BYOD / Mobility Solution.
  There is a setting on the ASA to allow you to run a script on connect, under the anyconnect customization / script in ASDM.  Looks like a windows script file might allow you to make a change to this binding order, only issue with that is that we would have to know the UID or whatever for the device in order to create the registry key change for each user, and if they connect form another device we might well break that device by making registry changes to it.
  Any comment from Cisco Employee's or Anyconnect Dev / Support team would be appreciated.

• SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

  Hello,
  i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
  Cisco 1802 Router:
  Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
  First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
  then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
  and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
  after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
  no aaa authentication list default
  authentication certificate
  ca trustpoint CA
  as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
  as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
  any ideas what the problem could be???
  here is the configuration:
  webvpn gateway WEBVPN_GW_OFFICE2
  ip interface Dialer0 port 1444
  ssl trustpoint CA
  inservice
  webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
  webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
  webvpn context WEBVPN_CONTEXT2
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  policy group WEBVPN_POLICY2
     functions svc-enabled
     mask-urls
     svc address-pool "SSLVPN_OFFICE1"
     svc default-domain "domain.internal"
     svc keep-client-installed
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.53.33
     svc dns-server secondary 192.168.53.35
  virtual-template 3
  default-group-policy WEBVPN_POLICY2
  gateway WEBVPN_GW_OFFICE2
  authentication certificate
  ca trustpoint CA
  inservice
  here is the debug:
  OfficeRouter1# PASSING appctx is [0x89FAFFCC]
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:39:53.607: WV: http request: / with no cookie
  Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:39:53.607: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:39:53.607: WV: Trustpoint match successful
  Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
  Nov 19 22:39:53.607: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
  Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  BueroRouter1# PASSING appctx is [0x89FAEEC4]
  Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:40:24.132: WV: http request: / with no cookie
  Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:40:24.132: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:24.132: WV: Trustpoint match successful
  Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
  Nov 19 22:40:24.132: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
  Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
  Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
        offset: 0, domain: 0)
  Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
  Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
  Nov 19 22:40:39.892: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:39.892: WV: Trustpoint match successful
  Nov 19 22:40:39.892: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
  Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
  HI,
  Refer to
  AnyConnect VPN Client FAQ
  Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
  A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

• How to verify encryption (isakmp and ipsec) on VPN

  Our customer believes the only way to verify data is being encrypted properly is to tap the fiber connections between our routers (encryptors). They are afraid that data might traverse the network that hasnt been encrypted.
  I contend that using cisco show commands such as crypto session, crypto isakmp sa, and crypto ipsec sa validate VPN is setup correctly and providing data encryption.
  Does anyone else have this scenario and any suggestions would be greatly appreciated on validating encryption.
  Thank you.
  Antonio

  Hi Antonio,
  you can use the following sh commands on asa to check the isakmp and ipsec details and encrypted networks
  sh cry isa sa det
  sh cry ipsec sa det
  sh vpn-sessiondb det l2l
  sh cry ipsec sa det peer
  please refer the following link for router and asa commands
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
  once you know the packets are getting encrypted on the device you can run a capture on the outside interface of the VPN  terminating decice and use wire shark to open the capture to do further analysis for encryption on the captured paccket.
  refer the following doc to capture the packcet on FW
  https://supportforums.cisco.com/docs/DOC-17345
  Thanks and Regards,
          ROHAN 

• Force client cert only for anyconnect and not for ssl-clientless?

  I need to configure different authentication for anyconnect clients and clients logging in using the ssl portal in the browser.
  I want both AAA and certificate for anyconnect but i want ONLY aaa for the ssl portal (clientless)
  I tried using two tunnel groups with different authentication settings but i need the same alias available for both clientless and anyconnect and when i tried that it said i cant have two with the same alias.

  Did you ever get an answer to this question?
  It seems you should be able to set up a two different client profiles.  Under Authentication, ssl-client would would specify "Both" and the sslclientless would specify AAA.  You would likely have to duplicate much of the other work but the requirement would be satisfied.

• Server | communications | ike and ipsec settings

  Hi
  How important are the settings in monitor regarding Ike and ipsec? I was
  having 3rd party site to site issues and started to modify these to try
  and resolve issues. It did not seem to help and I am thinking I should
  set them back. is there a way to reset them to defaults?
  Thanks,
  Will

  oops I do know.
  Would any of these cause an issue?
  The number on the left shows current the right shows previous.
  I am also getting a lot of ike abends. Not sure if that is related.
  IKE AUTHMETHOD 0 1
  IKE PFS 1 0
  IKE lifetime 7200 300
  ipsec hash alg for pss 1 2
  ipsec encr alg for pss 2 3
  IPSec encap mode 2 1
  SA lifetime 7200 1000
  And IPSec SA 1 0
  ESP Algorithm ID 0 2
  AH Algorithm ID 0 2
  Thanks,
  Craig Johnson wrote:
  > Do you remember which ones you changed?
  >
  > Craig Johnson
  > Novell Support Connection SysOp
  > *** For a current patch list, tips, handy files and books on
  > BorderManager, go to http://www.craigjconsulting.com ***
  >
  >

• Can a Cisco 2600 router do PPTP,L2TP, and IPSec?

  General question.

  2600 supports L2TP and PPTP with MPPE with an IP PLUS version, and IPsec with a firewall version.

• ISA 2006 publish Exchange 2010 Outlook Anywhere with KCD/NTLM and IPSEC - Problem

  Hi
  I have setup ISA 2006 to publish Exchange 2010 Outlook Anywhere with Kerberos Constrained Delegation and IPSEC.
  The clients have an IPSEC policy pushed to them via GPO.  The clients are windows 7 laptops and the ISA server is server 2003, so the IPSEC connection is IKE not AuthIP.
  However, it seems that the connection will work for a while, then all of a sudden stop working with zero trace of why.  I cant get the Oakley log to work and I cant see any traffic on the ISA.
  I am wondering if I need to publish the CRL's externally?  Currently we don't, and the Outlook Anywhere uses private certificates (as the whole point of IPSEC is to validate the internal certificate, there is no point in using
  public certificates).
  I have tried using the StrongCRLCheck=0 registry key in the IPsec Policy Agent on the windows 7 machine but it doesn't seem to make a difference.
  Any advice would be appreciated.
  Steven

  Hi,
  Firstly, have you received any related error messages in ISA server or on the clients' side? Besides, as you mentioned IPsec, did you have a VPN connection?
  In addition,
  While ISA 2006 only includes a Client Access Web Publishing Wizard for both Exchange 2003 and Exchange 2007. Which Exchange version you have chosen when publishing Exchange 2010?
  Please also make sure that you have selected the
  External interface for the web listener to listen on.
  Besides, the link below would be helpful to you:
  OWA publishing using Kerberos Constrained Delegation
  method for authentication delegation
  Best regards,
  Susie

• DLSw and IPSEC

  Can anybody tell me if you can have a DLSw+ peer and IPSEC tunnel on the same router? We want to utilize DLSw+ on a branch router and use IPSEC across the WAN back to the corporate office?
  Has anybody configured this before?
  Any lessons learned?
  Recomendations?
  Thanks!

  Hi David,
  Yes, multiple customers have deployed this, and it has been tested and measured in specific customer proof of concept labs. The only issue that I'm aware of is that the MTU size requirements are affected by encryption, so be sure to take that into account.
  http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a00801d3a9d.shtml
  In terms of performance, everyone's traffic is somewhat different, so it's impossible to say for sure. From what I remember of the proof of concept tests, 2600 routers did DLSw+ and software encryption just fine at DS0 rates.
  Rgds, Dan

• Using Crypto Maps and IPsec Static VTI's on the same router

  Is it possible to configure both crypto maps and IPsec static VTI's on the same router? What platforms have this capability? What IOS version do I need?

  Yes you can and as far as I know I dont think there is a hardware dependency.
  VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.
  If you are mixing tunnel protection and crypto map ensure you use iskmp profiles to differentiate somehow that the tunnel IPSec connection is not prcessed on the crypto map!
  Here is a rough example (fine tune it as needed):
  crypto keyring key1
    pre-shared-key address 1.1.1.1 key test123
  crypto keyring key2
    pre-shared-key address 7.7.7.7 key test777
  crypto isakmp profile vpn1
     keyring key1
     match identity address 1.1.1.1 255.255.255.255
  crypto isakmp profile vpn2
     keyring key2
     match identity address 7.7.7.7 255.255.255.255
  crypto ipsec transform-set test esp-des esp-sha-hmac
  crypto IPsec profile vpn-tunnel
  set transform-set test
  set isakmp-profile vpn1
  crypto map mymap 1 ipsec-isakmp
  set transform-set test
  set peer 7.7.7.7
  set isakmp-profile vpn2
  match address 177
  interface Tunnel0
  ip address 10.0.51.217 255.255.255.0
  tunnel source 2.2.2.2
  tunnel destination 1.1.1.1
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vpn-tunnel
  interface Ethernet4
  ip add 2.2.2.2 255.255.255.0
  crypto map mymap
  Regards,
  Uwe

• Windows 8 and IPSec VPN issues

  I have a number of customers that leverage the Cisco IPSec VPN. I can connect to the VPN without any problems but when I attempt to RDP, that fails. I have no RDP or ping or anything. Here are some more symptoms of the issues that I find odd:
  Anyconnect works just fine
  Fortinet VPN clients work fine
  Sonicwall VPN clients work fine
  Cisco IPSec VPN client is the only one affected
  Cisco IPSec VPN client worked fine for months then just decided it was no longer going to allow RDP or ping
  I have duplicated this issue on a half dozen or so laptops
  This is on a Windows 8 laptop but I believe I have also experienced this on Windows 7
  Just to clarify, the IPSec VPN does succesfully connect. But nothing else works after that. I do understand that AnyConnect is the direction that Cisco would like for people to move towards. Unfortunately, I have quite a few customers that are leveraging the IPSec VPN. I have been through a number of laptops in the last year and every single laptop had a working Cisco IPSec VPN for months....then one day it would just stop passing RDP.
  Please somebody tell me that there is a workaround for this. I have played with the IP settings for the Cisco Systems virtual adapter in my network and sharing center. I've modified the binding order. I've compared a routeprint from a working laptop to mine....I'm not sure what else to do. I've uninstalled ALL VPN software and only reinstalled the Cisco VPN. So far the ONLY fix I have found is a clean install of Windows and that solution sucks.

  Doing a little more homework on this and I noticed that the tunnel details show no bytes sent or recieved and no packets encrypted, decrypted, or discarded....everything is bypassed.  My coworker (who is on Windows 7) is able to launch this VPN and connect to the customer's servers without issues and the tunnel details show all of the appropriate data.