Anyconnect Connections

Can someone please tell me the command that will show AnyConnect connections on an ASA 5510 running version 8.4. Also, I would like to know the command to clear the connections in the CLI?
Any help will be greatly appreciated.
Thanks,
Lake

show vpn-sessiondb anyconnect
show vpn-sessiondb detail anyconnect
vpn-sessiondb logoff ...
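Added example, not from the original thread: a small parser for the key/value layout that `show vpn-sessiondb anyconnect` prints, turning each session into a record and then emitting `vpn-sessiondb logoff index <n>` commands for the sessions an admin actually wants to drop (a given user, or anything idle past a threshold). Logging off by index targets exactly one session, whereas `logoff name <user>` drops every session that user holds. The sample output below is constructed to match the ASA's two-column format and is not captured from a real device; the usernames, indices and addresses are made up.

```python
"""Parse `show vpn-sessiondb anyconnect` output and build targeted logoff commands.

Added example for the thread above; not Cisco's code.  SAMPLE_OUTPUT is a
constructed imitation of the ASA's layout, not real device output.
"""
import re
from dataclasses import dataclass

# Constructed sample (not real): two AnyConnect sessions in the ASA's layout.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 12
Assigned IP  : 10.104.106.2           Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 102400                 Bytes Rx     : 204800
Group Policy : GroupPolicy_SSL        Tunnel Group : SSL
Login Time   : 08:15:32 CEST Mon Jan 6 2014
Duration     : 0h:25m:10s
Inactivity   : 0h:00m:00s

Username     : bob                    Index        : 15
Assigned IP  : 10.104.106.3           Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1
Bytes Tx     : 512                    Bytes Rx     : 1024
Group Policy : GroupPolicy_IPSEC      Tunnel Group : IPSEC
Login Time   : 06:01:00 CEST Mon Jan 6 2014
Duration     : 2h:39m:42s
Inactivity   : 2h:10m:05s
"""

# Only these labels are treated as keys, so colons inside values (times,
# "SSL-Tunnel: (1)AES256") do not split a field.  A line may carry two columns.
KEY_RE = re.compile(
    r"\b(?P<key>Username|Index|Assigned IP|Public IP|Protocol|License|Encryption|"
    r"Hashing|Bytes Tx|Bytes Rx|Group Policy|Tunnel Group|Login Time|Duration|Inactivity)"
    r"\s*:\s*"
)
# ASA durations look like "0h:25m:10s", with an optional leading "Nd " for long sessions.
DUR_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_duration(text: str) -> int:
    """Convert an ASA duration/inactivity string into whole seconds."""
    m = DUR_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _fields(line: str):
    """Yield (key, value) pairs from one output line, handling one or two columns."""
    matches = list(KEY_RE.finditer(line))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
        yield m.group("key"), line[m.end():end].strip()


@dataclass
class Session:
    username: str
    index: int
    assigned_ip: str
    public_ip: str
    tunnel_group: str
    protocol: str
    duration_s: int
    inactivity_s: int

    @classmethod
    def from_fields(cls, f: dict) -> "Session":
        return cls(
            username=f.get("Username", ""),
            index=int(f.get("Index", "0")),
            assigned_ip=f.get("Assigned IP", ""),
            public_ip=f.get("Public IP", ""),
            tunnel_group=f.get("Tunnel Group", ""),
            protocol=f.get("Protocol", ""),
            duration_s=parse_duration(f.get("Duration", "0h:00m:00s")),
            inactivity_s=parse_duration(f.get("Inactivity", "0h:00m:00s")),
        )


def parse_sessions(output: str) -> list:
    """Split `show vpn-sessiondb anyconnect` output into Session records.

    Every "Username" key starts a new session; other keys attach to the current one.
    """
    raw, cur = [], None
    for line in output.splitlines():
        for key, value in _fields(line):
            if key == "Username":
                cur = {"Username": value}
                raw.append(cur)
            elif cur is not None:
                cur[key] = value
    return [Session.from_fields(f) for f in raw]


def logoff_commands(sessions: list, *, user: str = None, idle_over: int = None) -> list:
    """Build `vpn-sessiondb logoff index <n>` for sessions matching the filters.

    user: only that username; idle_over: only sessions idle more than N seconds.
    """
    cmds = []
    for s in sessions:
        if user is not None and s.username != user:
            continue
        if idle_over is not None and s.inactivity_s <= idle_over:
            continue
        cmds.append(f"vpn-sessiondb logoff index {s.index}")
    return cmds


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for s in sessions:
        print(f"{s.index:>5} {s.username:<8} {s.assigned_ip:<14} {s.public_ip:<14} "
              f"{s.tunnel_group:<8} idle {s.inactivity_s}s")
    # Example policy: drop anything idle for more than an hour.
    for cmd in logoff_commands(sessions, idle_over=3600):
        print(cmd)
```

Paste the real command output into `SAMPLE_OUTPUT` (or read it from a file) to use this on a live box; the one-hour idle threshold is only an illustration, and the `show vpn-sessiondb detail anyconnect` form adds more lines per session, which the key list above simply ignores.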

Similar Messages

  • Cisco AnyConnect connection problem over WiFi

    Hi guys, 
    I'm having some problem with Cisco AnyConnect connections.
    hardware: ASA 5515-x with AnyConnect Essentials.
    software:  ASA Software Version 9.1(2)8
                    anyconnect-win-3.1.05187-k9.pk
                    Internet Explorer 11 on computers
    Problem:
    Can't connect with the AnyConnect WebLaunch on WiFi. 
    It's stuck for about 20 sec at "Please wait while the VPN connection is established".
    Then we get this error message: "The IPsec VPN connection was terminated due to an authentication failure or timeout...."
    If I click Connect in the AnyConnect Client it connects and I login with my credentials without any problem.
    First thought was that my test-computer was the problem, but have tried with 3 different PCs with different hardware.  
    If I plug in a network cable it works perfectly with the WebLaunch.
    Has anyone experienced the same problem and found a solution?
    Thanks in advance!
    br
    Robin
    Update: 
    I still have the problem; I've updated our FW to ASA 9.2(2.4).
    Anyone have a clue? It works good on two of our ASA5505.

    The Windows Vista PCs that were having problems connecting via AnyConnect, were they an upgrade from Windows XP? If they are, and they had AnyConnect installed prior, it needs to be uninstalled prior to upgrading to Windows Vista as per the AnyConnect release notes:
    http://www.cisco.com/en/US/partner/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html
    Also, you might want to double check that Vista is either SP2 or Vista SP1 with KB952876.

  • Securing multiple AnyConnect connection profiles

    Hello,
    Here is our scenario. We have three (3) separate AnyConnect connection profiles each with different levels of access enforced through ACL filters. We have aliases configured for each connection profile in order for each group member to be able to choose his group when logging in to AnyConnect. Authentication is done via LDAP to one single server/domain instance on which all users have accounts. Given our scenario and without using multi factor authentication, is there any way to keep a user from logging in to a connection profile in the AnyConnect client which he shouldn't have access to?
    Thanks,
    -Mike

    Dear Marvin,
    I have a similar situation where I have different connection profiles and group policies where I apply ACLs so that each profile
    has access to different resources.
    My question would be: is there any possibility to allow only specific real IP addresses to initiate VPN sessions to the firewall?
    regards
    Nehat

  • FIPS. Can you configure a FIPS compliant ASA to reject any non-FIPS Anyconnect connections

    Hi guys, is there any way to automagically refuse any AnyConnect connections to a FIPS compliant ASA if the AnyConnect client is non-FIPS compliant?
    Any help, thoughts or ideas are greatly appreciated as I can't seem to find anything to suggest you can.   
    Kind regards
    Paul.

    You enable FIPS compliance for the core AnyConnect Secure Mobility Client in the local policy file on the user computer. This file is an XML file containing security settings, and is not deployed by the ASA. The file must be installed manually or deployed to a user computer using an enterprise software deployment system. You must purchase a FIPS license for the ASA the client connects to.
    AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.
    You can get more information from following link:-
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html#wp1028083
    HTH!!
    Regards,
    Naresh

  • AnyConnect - connection profiles issue

    Hello,
    I've configured AnyConnect SSL VPN for two connection profiles which can be chosen when I try to establish a connection. The following aliases have been configured for those connection profiles:
    * Con1
    * Con2
    The problem is that every time I try to select the second one (Con2) from the group list it automatically returns to the first one (Con1). Generally I am not able to choose Con2. It looks like Con1 is the default and I can connect using only this profile. I've checked the preferences.xml and preferences_global.xml files and the default group is not configured. What is more, when I change the alias names for those connection profiles to:
    * 1Con2
    * Con1
    I can choose only 1Con2 so it seems that only the first con prof on the list can be used. Any ideas?

    Hi Marek,
    look for old cached connection profiles here:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac02asaconfig.html#wp1431357
    Something similar happened to me when I changed the profile name on the server and reconnected. The client found the old profile with the same server address and switched to the old profile although I had provided a new profile on the VPN server.
    Just clear all profiles from the specified locations and connect to the server once again. Anyconnect will establish a connection and download the new profile. You should only see the new connection profile offered in the drop down box after that.
    If you want to provide two different protocols (SSL and IPsec) for the same server you configure only one profile with two entries in the server list, one with SSL, the other IPsec as a preferred protocol.
    In that case you will have a single profile but two choices in the drop down box on the Anyconnect client.
    Regards,
    MiKa

  • Anyconnect connection issue

    Hello,
    Have a really strange issue.
    After the first install ( Pre-Deploy ) of Anyconnect, entering domain name in "Connect" field, and pressing "Connect" - it connects without issues.
    Then I press Disconnect and try to connect again - it complains that it cannot connect and that I should contact my ISP, or asks me to Authenticate via Web.
    If I change the domain name in the "Connection" field to one that does not exist and press Connect - it complains about the same thing - that I should contact my ISP or Authenticate via Web.
    Pressing again - it says that it cannot resolve the domain name. Then typing/choosing the domain name to which I connected after install - and it connects without issues.
    Seems to have to do with some kind of caching.
    Is this normal behaviour?
    Anyconnect version: 3.1
    Cisco ASA 5520, OS Version: 8.4
    Client Operating System: Windows 7
    Thank you.

    Hello,
    Seems that the issue was that I pressed "Connect" after "Disconnect" too early. If I wait 5-10 seconds, it connects fine.
    Thank you.

  • Anyconnect IPSEC error unauthorized connection mechanism

    Hi everyone,
    I'm trying to configure Anyconnect connection on my ASA 5505 (ASA 9.1.3, ASDM 7.1.4).
    The goal is to have 2 connections, one for IPSEC and the other one for SSL.
    The SSL connection works fine but IPSEC won't. When I try to connect I receive the error "Login denied, unauthorized connection mechanism".
    I can't find what I'm doing wrong. Both configurations have been done with the AnyConnect wizard.
    Can you help me please? I'm new to the Cisco world...
    Thx in advance
    Here's my config :
    ASA Version 9.1(3)
    hostname CiscoASA
    enable password ***** encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ***** encrypted
    names
    ip local pool VPN-Pool 10.104.106.1-10.104.106.10 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.4.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif DMZ
    security-level 50
    ip address 10.4.106.254 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    object network NETWORK_OBJ_10.104.106.0_28
    subnet 10.104.106.0 255.255.255.240
    object network NETWORK_OBJ_10.4.6.0_24
    subnet 10.4.6.0 255.255.255.0
    access-list outside_access_in remark Remote access to Cloudstation
    access-list outside_access_in extended permit object Cloudstation object-group Cloudstation-Access object Synology-Cloudstation
    access-list Anyconnect standard permit 10.4.6.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address [email protected]
    logging recipient-address [email protected] level errors
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_10.4.6.0_24 NETWORK_OBJ_10.4.6.0_24 destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
    object network Synology-Cloudstation
    nat (inside,outside) static interface service tcp 6690 6690
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.4.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint VPN
    enrollment self
    subject-name CN=*****
    keypair VPN
    crl configure
    crypto ca trustpoint SSH
    enrollment self
    subject-name CN=10.4.6.254
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=***
    keypair SSL
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain VPN
    certificate 8d31a352
      quit
    crypto ca certificate chain SSH
    certificate 8c27bc52
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 730fbe52
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable inside client-services port 443
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.4.6.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.4.6.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 8.8.8.8
    dhcpd address 10.4.6.10-10.4.6.100 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 132.163.4.102 source outside
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable inside
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
    anyconnect profiles IPSEC_client_profile disk0:/IPSEC_client_profile.xml
    anyconnect profiles SSL_client_profile disk0:/ssl_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    dns-server value 8.8.8.8
    webvpn
      anyconnect ssl compression deflate
    group-policy GroupPolicy_SSL internal
    group-policy GroupPolicy_SSL attributes
    wins-server none
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Anyconnect
    default-domain none
    webvpn
      anyconnect profiles value SSL_client_profile type user
    group-policy GroupPolicy_IPSEC internal
    group-policy GroupPolicy_IPSEC attributes
    wins-server none
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev2
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Anyconnect
    default-domain none
    webvpn
      anyconnect profiles value IPSEC_client_profile type user
    username test password ***** encrypted
    username test attributes
    service-type remote-access
    username raphael password ***** encrypted
    username admin password gM8SqVAvFPseIv5v encrypted privilege 15
    username administrator password ***** encrypted privilege 15
    tunnel-group SSL type remote-access
    tunnel-group SSL general-attributes
    address-pool VPN-Pool
    default-group-policy GroupPolicy_SSL
    tunnel-group SSL webvpn-attributes
    group-alias SSL enable
    tunnel-group IPSEC type remote-access
    tunnel-group IPSEC general-attributes
    address-pool VPN-Pool
    default-group-policy GroupPolicy_IPSEC
    tunnel-group IPSEC webvpn-attributes
    group-alias IPSEC enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    smtp-server 212.68.193.11
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:9d5177ddc09025d07f9d5c1c2f7747e0
    : end
    CiscoASA#

    The inside was activated just for testing purposes.
    The config has changed since my first post (but still the same problem with IKEv2).
    IKEv1 works fine.
    Here's the actual config
    ASA Version 9.1(3)
    hostname CiscoASA
    enable password 14ssn/nefQfQ3kNU encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    ip local pool VPN-Pool 10.104.106.1-10.104.106.10 mask 255.255.255.0
    ip local pool IPSEC-Pool 10.104.106.11-10.104.106.20 mask 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 3
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.4.6.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Vlan3
    no forward interface Vlan1
    nameif DMZ
    security-level 50
    ip address 10.4.106.254 255.255.255.0
    boot system disk0:/asa913-k8.bin
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns domain-lookup inside
    dns domain-lookup outside
    dns domain-lookup DMZ
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 8.8.4.4
    object network NETWORK_OBJ_10.104.106.0_28
    subnet 10.104.106.0 255.255.255.240
    object network NETWORK_OBJ_10.4.6.0_24
    subnet 10.4.6.0 255.255.255.0
    object network Synology-Cloudstation
    host 10.4.6.252
    description Synology
    object service Cloudstation
    service tcp destination eq 6690
    description Cloudstation
    object network Clarenne
    fqdn v4 secure.clarenne.be
    description External IP Clarenne
    object network NAT-Officescan-FR-HTTP
    host 10.4.6.246
    description 10.4.6.246
    object network NAT-Officescan-FR-HTTPS
    host 10.4.6.246
    description Officescan-FR-HTTPS
    object network NAT-Officescan-FR-ListenPort
    host 10.4.6.246
    description Officescan-FR-ListenPort
    object network NAT-Officescan-EN-HTTP
    host 10.4.6.247
    description Officescan-EN-HTTP
    object network NAT-Officescan-EN-HTTPS
    host 10.4.6.247
    description Officescan-EN-HTTPS
    object network NAT-Officescan-EN-ListenPort
    host 10.4.6.247
    description Officescan-EN-HTTPS
    object network VPN-Range
    range 10.104.106.1 10.104.106.254
    description VPN-Range
    object-group network Cloudstation-Access
    description Remote access to Cloudstation
    network-object object Clarenne
    object-group service Officescan-FR tcp
    description Officescan-FR
    port-object eq 4444
    port-object eq 55556
    port-object eq 8181
    object-group network Officescan-FR-All
    network-object object NAT-Officescan-FR-HTTP
    network-object object NAT-Officescan-FR-HTTPS
    network-object object NAT-Officescan-FR-ListenPort
    object-group network Officescan-EN-All
    description All ports Officescan EN
    network-object object NAT-Officescan-EN-HTTP
    network-object object NAT-Officescan-EN-HTTPS
    network-object object NAT-Officescan-EN-ListenPort
    object-group service Officescan-EN tcp
    port-object eq 5353
    port-object eq 55555
    port-object eq 9090
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list outside_access_in remark Remote access to Cloudstation
    access-list outside_access_in extended permit object Cloudstation object-group Cloudstation-Access object Synology-Cloudstation
    access-list outside_access_in remark Remote Access to Officescan-FR
    access-list outside_access_in extended permit tcp any object-group Officescan-FR-All object-group Officescan-FR
    access-list outside_access_in extended permit tcp any object-group Officescan-EN-All object-group Officescan-EN
    access-list outside_access_in extended permit ip object VPN-Range any
    access-list Anyconnect standard permit 10.4.6.0 255.255.255.0
    access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
    access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
    access-list AnyConnect_Client_Local_Print remark Windows' printing port
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
    access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
    access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
    access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
    access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
    access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
    access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
    access-list IKEv1_splitTunnelAcl standard permit 10.4.6.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    logging from-address *****
    logging recipient-address ***** level errors
    mtu inside 1500
    mtu outside 1500
    mtu DMZ 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-714.bin
    asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static NETWORK_OBJ_10.4.6.0_24 NETWORK_OBJ_10.4.6.0_24 destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_10.104.106.0_28 NETWORK_OBJ_10.104.106.0_28 no-proxy-arp route-lookup
    object network Synology-Cloudstation
    nat (inside,outside) static interface service tcp 6690 6690
    object network NAT-Officescan-FR-HTTP
    nat (inside,outside) static interface service tcp 8181 8181
    object network NAT-Officescan-FR-HTTPS
    nat (inside,outside) static interface service tcp 4444 4444
    object network NAT-Officescan-FR-ListenPort
    nat (inside,outside) static interface service tcp 55556 55556
    object network NAT-Officescan-EN-HTTP
    nat (inside,outside) static interface service tcp 9090 9090
    object network NAT-Officescan-EN-HTTPS
    nat (inside,outside) static interface service tcp 5353 5353
    object network NAT-Officescan-EN-ListenPort
    nat (inside,outside) static interface service tcp 55555 55555
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 10.4.6.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption aes-256
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
    protocol esp encryption aes-192
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
    protocol esp encryption aes
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
    protocol esp encryption 3des
    protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal DES
    protocol esp encryption des
    protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto ca trustpoint VPN
    enrollment self
    subject-name CN=*****.rabinformatique.be
    keypair VPN
    crl configure
    crypto ca trustpoint SSH
    enrollment self
    subject-name CN=10.4.6.254
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=*****.rabinformatique.be
    keypair SSL
    crl configure
    crypto ca trustpool policy
    crypto ca certificate chain VPN
    certificate 8d31a352
      quit
    crypto ca certificate chain SSH
    certificate 8c27bc52
      quit
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 730fbe52
      quit
    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 10
    encryption aes-192
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 20
    encryption aes
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 30
    encryption 3des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 40
    encryption des
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 10.4.6.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.4.6.0 255.255.255.0 inside
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 8.8.8.8
    dhcpd address 10.4.6.10-10.4.6.100 inside
    dhcpd dns 8.8.8.8 8.8.4.4 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 132.163.4.102 source outside
    ssl trust-point ASDM_TrustPoint0 inside
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
    anyconnect profiles IPSEC_client_profile disk0:/ipsec_client_profile.xml
    anyconnect profiles SSL_client_profile disk0:/ssl_client_profile.xml
    anyconnect enable
    tunnel-group-list enable
    group-policy IKEv1 internal
    group-policy IKEv1 attributes
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value IKEv1_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
    webvpn
      anyconnect ssl compression deflate
    group-policy GroupPolicy_SSL internal
    group-policy GroupPolicy_SSL attributes
    wins-server none
    dns-server value 8.8.8.8 8.8.4.4
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Anyconnect
    default-domain none
    webvpn
      anyconnect profiles value SSL_client_profile type user
    group-policy GroupPolicy_IPSEC internal
    group-policy GroupPolicy_IPSEC attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ikev2
    default-domain none
    webvpn
      anyconnect profiles value IPSEC_client_profile type user
    username test password N8KSu.GWsyH45xRk encrypted
    username test attributes
    service-type remote-access
    username raphael.abissi password hBmZGE7s0UGfnUxR encrypted
    username admin password gM8SqVAvFPseIv5v encrypted privilege 15
    username administrator password gM8SqVAvFPseIv5v encrypted privilege 15
    tunnel-group SSL type remote-access
    tunnel-group SSL general-attributes
    address-pool VPN-Pool
    default-group-policy GroupPolicy_SSL
    tunnel-group SSL webvpn-attributes
    group-alias SSL enable
    tunnel-group IPSEC type remote-access
    tunnel-group IPSEC general-attributes
    address-pool IPSEC-Pool
    default-group-policy GroupPolicy_IPSEC
    tunnel-group IPSEC webvpn-attributes
    group-alias IPSEC enable
    tunnel-group IKEv1 type remote-access
    tunnel-group IKEv1 general-attributes
    address-pool VPN-Pool
    default-group-policy IKEv1
    tunnel-group IKEv1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    smtp-server 212.68.193.11
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:b2c36635f9708193555e7600a0a69d1f
    : end
    CiscoASA(config)#
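The running-config above offers DES, 3DES, MD5 and DH groups 1/2/5 in several IKE policies and IPsec proposals, and enables telnet and the dh-group1-sha1 SSH key exchange. As an added example (not part of the original post and not a Cisco tool), this Python script walks such a config and reports each weak line together with the policy or proposal it belongs to; the weak-algorithm sets it uses are an assumption reflecting common hardening guidance.

```python
"""Flag weak crypto and cleartext-management lines in an ASA running-config.

Added example, not part of the original post. SAMPLE_CONFIG is constructed from
lines of the running-config above; the weak-algorithm sets encode common
hardening guidance (no DES/3DES, no MD5, no DH groups 1/2/5, no telnet, no
dh-group1-sha1 SSH key exchange) and are this example's assumption, not Cisco's.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the running-config posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
crypto ikev1 policy 150
encryption des
hash sha
group 2
telnet 10.4.6.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
"""

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_INTEGRITY = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}                  # "group N" inside IKE policies
WEAK_PFS_GROUPS = {"group1", "group2", "group5"}  # "set pfs groupN" on crypto maps
# Lines that open a sub-mode; following sub-commands are attributed to them.
CONTEXT_RE = re.compile(r"^(crypto ikev[12] policy \d+|crypto ipsec ikev2 ipsec-proposal \S+)$")
# Sub-mode commands; any other leading keyword returns us to global context.
SUBCOMMANDS = {"encryption", "integrity", "hash", "group", "prf",
               "lifetime", "authentication", "protocol"}


@dataclass
class Finding:
    context: str  # enclosing IKE policy / IPsec proposal, or "global"
    line: str
    reason: str


def audit_asa_crypto(config_text: str) -> List[Finding]:
    """Walk the config line by line, tracking the enclosing policy or
    proposal, and return one Finding per weak line."""
    findings: List[Finding] = []
    context = "global"
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((":", "!")):
            continue
        if CONTEXT_RE.match(line):
            context = line
            continue
        tokens = line.split()
        if tokens[0] not in SUBCOMMANDS:
            context = "global"
        algs = set(tokens)

        def flag(reason: str) -> None:
            findings.append(Finding(context, line, reason))

        if tokens[0] == "crypto" and "transform-set" in tokens:
            if weak := algs & (WEAK_ENCRYPTION | WEAK_INTEGRITY):
                flag(f"IKEv1 transform-set uses {sorted(weak)}")
        elif tokens[:3] == ["protocol", "esp", "encryption"]:
            if weak := algs & WEAK_ENCRYPTION:
                flag(f"IPsec proposal offers weak ESP encryption {sorted(weak)}")
        elif tokens[:3] == ["protocol", "esp", "integrity"]:
            if weak := algs & WEAK_INTEGRITY:
                flag(f"IPsec proposal offers weak ESP integrity {sorted(weak)}")
        elif tokens[0] == "encryption":
            if weak := algs & WEAK_ENCRYPTION:
                flag(f"IKE policy offers weak encryption {sorted(weak)}")
        elif tokens[0] in ("hash", "integrity"):
            if weak := algs & WEAK_INTEGRITY:
                flag(f"IKE policy offers weak hash {sorted(weak)}")
        elif tokens[0] == "group":
            if weak := set(tokens[1:]) & WEAK_DH_GROUPS:
                flag(f"IKE policy allows weak DH group(s) {sorted(weak)}")
        elif "pfs" in tokens:
            i = tokens.index("pfs")
            if i + 1 < len(tokens) and tokens[i + 1] in WEAK_PFS_GROUPS:
                flag(f"PFS uses weak DH {tokens[i + 1]}")
        elif tokens[0] == "telnet" and len(tokens) > 1 and tokens[1] != "timeout":
            flag("telnet management access enabled (cleartext credentials)")
        elif tokens[:3] == ["ssh", "key-exchange", "group"] and "dh-group1" in line:
            flag("SSH key exchange limited to 1024-bit DH group 1")
    return findings


if __name__ == "__main__":
    print(*audit_asa_crypto(SAMPLE_CONFIG), sep="\n")
```

Feed it the output of `show running-config` to get the same report for a live device; policies that offer only AES, SHA-2 and DH group 14 or higher produce no findings.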

  • Zone Based Firewall for VPN connections does not work after IOS upgrade

    Hi all,
    We use a Cisco router 2911 as corporate gateway - there is a Zone Based Firewall implemented - I upgraded IOS to the latest version (15.2(2)T1) - originally version 15.1(4)M1 - to solve an issue with Anyconnect connections (bug CSCtx38806), but I found that after the upgrade the VPN users are not able to communicate with sources in other zones.
    More specific
    WebVPN use this virtual template interface
    interface Virtual-Template100
    description Template for SSLVPN
    ip unnumbered GigabitEthernet0/1.100
    zone-member security INSIDE
    There are other zones VOICE, LAB, ...
    In the policy any connection is allowed (used inspection of icmp, tcp and udp) from INSIDE zone to VOICE or LAB zone
    After VPN connection I am able to reach resources in INSIDE zone (which is the most important), but not in other zones. Before upgrade it worked.
    Once I changed the zone in the Virtual-Template interface to VOICE, I was able to reach sources in the VOICE zone but not in any other. I searched more and found the stateful firewall is not working for connections from VPN, as ping is blocked by policy on the returning way - it means by policy VOICE->INSIDE; once I allowed communication from the "destination" zone to the INSIDE zone, the connections started to work, but of course it is not something I want to set up.
    Does anybody have the same experience?
    Regards
    Pavel

    It seems to me I should add one important note - if a client is connected directly in the INSIDE zone, he can reach resources in other zones without any issue - so the problem is only when the client is connected by VPN - not in the ZBF policy setup.
    Pavel

  • Cisco AnyConnect Secured Mobility Client not saving the VPN url after disconnecting from session/restarting client

    Hello there.
    I am having a problem with Cisco AnyConnect version 3.1.04072. When one of my colleagues disconnects from the VPN session, closes out the program, and then later on, reopens the client, the address that he manually entered did not save and it's defaulting on the two now-defunct VPN servers listed.
    Here's an example to see if it makes more sense:
    -User opens Cisco AnyConnect. By default, there are two selections available on the pulldown:
    SSLVPN.abcdefg.com
    access.abcdefg.ca
    These two VPN servers are now defunct and we use a new VPN server:
    access.abcdefg.com
    The user has to manually type it in. He is now able to connect. However, when disconnected, regardless of whether the program is closed or not, it does not save the new VPN server address, but rather goes back to the default two VPN servers listed.
    I've checked XML, HTML, registry keys, sys files, dll files to see if I can change the default servers manually. No sign of it.
    I'm hoping that someone out there knows a solution to fix it.
    Thanks in advance!

    Hi Vergel,
    You can create an Anyconnect client profile on the ASA. In this profile, you can define the hostname/IP that you wish to connect to, along with the hostname/IP that should be displayed on the client.
    In the client profile, you can define these parameters - "HostName" and "HostAddress" - as "access.abcdefg.com" so that any user who tries to connect will see "access.abcdefg.com" as the name displayed in the anyconnect connect field.
    On the client, the xml profile (C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile) [Win 7] can be seen using those parameters as follows:-
            <HostEntry>
                <HostName>access.abcdefg.com</HostName>
                <HostAddress>access.abcdefg.com</HostAddress>
            </HostEntry>
    Ref:- http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac03vpn.html#89103
    Additionally, you can try to delete the preferences.xml file to remove the redundant hostnames from the anyconnect connect field.
    Path for preferences.xml is C:\Users\Cisco\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client (Win 7).
    Hope this helps.
    Regards,
    Dinesh Moudgil
    P.S. Please rate helpful posts.

  • How to make sequence of auth. methods for Anyconnect 3.0

    Hi
    I was able to run the authentication based on the User certificate issued by the Windows AD.
    However in the Anyconnect connection profile I can choose between AAA or Certificate (or both).
    However some of our workstations or mobile devices don't have the User certificate, so they are not able to connect via AAA.
    Is it possible to create the auth. sequence in such a way that if the certificate auth fails (because the certificate is missing on the device), then the other method, AAA, will be used?
    Thanks
    pet

  • Different auth methods for Clientless & AnyConnect?

    The goal: To allow Clientless(portal) connections with only username/password authentication (LDAP in this case) while requiring two-factor (LDAP & Certificate) authentication for AnyConnect connections.
    The config: Since the auth methods are configured within connection profiles/tunnel groups, I am using two different profiles, one requiring only LDAP auth for use with clientless and one requiring both LDAP and client certificate authentication for AnyConnect. I have not enabled the option to allow users to choose their connection profile.
    The only way I have been able to get the AnyConnect client to use anything other than the "DefaultWEBVPNGroup" profile was to use a URL mapping for the AnyConnect tunnel group, a custom AnyConnect client profile (to specify the custom URL), and a DAP policy to deny AnyConnect connections on the "DefaultWEBVPNGroup" tunnel group.
    Resulting behavior: Web portal requires only username and password. Stand-alone AnyConnect connections require username/password & client certificate.
    The problem: Weblaunch (launching AnyConnect from the portal) installs the client, but throws an error and disconnects (see attached). Subsequent stand-alone AnyConnect connection attempts work fine.
    I assume this issue is related to the different tunnel groups using different authentication methods. If I disable the DAP policy, weblaunch works without errors, but it connects without requiring two-factor authentication.
    Does anyone know if what I am trying to do is possible and/or supported? I am open to alternative suggestions as well.
    Thanks,
    Aaron

    Sounds like you are 95% of the way there. You can definitely get this to work. Based on your description of the problem when trying to web launch AnyConnect, it sounds like you are not matching the correct tunnel group. As you stated, when using more specific connection profiles, you need to give users a means to identify which TG they want to connect to. This is typically achieved via a drop down selection box, group URL, or certificate attribute map. In your case, it sounds like you are using group URLs. With this approach, you will have two more specific URLs for your users to access. For web launch and standalone AnyConnect clients, they may access https://vpn.vpn.com/anyconnect while your clientless users may access https://vpn.vpn.com/webvpn. The catch as you found is what happens when a user tries to go to the root https://vpn.vpn.com? In this case, the user will hit the default WebVPN TG. I would have to see your DAP policy to understand what policies you have implemented. If you take DAP out of the picture for a moment, a few quick workarounds to preventing AnyConnect users from being able to log into the default WebVPN group is to remove the corresponding tunneling protocol from the default group policy. Alternatively, you could set the simultaneous logins to 0 in the default group policy. You may also want to look into configuring group locking to prevent users from logging into a TG that they don't belong to. With respect to your certificate requirement, ASA 8.2.1 code allows you to configure client certificate authentication on a TG by TG basis. This is more flexible than 8.0 where this is enabled globally.

  • How does AnyConnect client calculate its Link Speed? (Windows 7)

    I'm curious about how the AnyConnect client determines what its default Link Speed is, upon initialization?
    For example, from behind my home firewall, if I have a client that's physically connected to a 1Gbps uplink, when I launch the AnyConnect client, Windows Task Manager shows me a Link Speed of 9 Mbps for my AnyConnect connection.
    However, if I also launch an AnyConnect connection from another machine on my home LAN, connected via 300Mbps WiFi, Windows Task Manager will only show me around a 1 Mbps Link Speed.
    How does the AnyConnect client calculate its Link Speed upon connection? Does it take a percentage of the available upstream bandwidth?
    My home ISP bandwidth is 50Mbps down/12 Mbps up. My corporate ISP (where the ASA I'm connecting to resides) is 50Mbps bi-directional.

    For PHP, if you want to handle data in UTF8, NLS_LANG must be set to
    "<language>_<territory>.UTF8", where <language> and <territory> are your
    preference. There is little difference between ODBC and OCI called by PHP
    in this case as both need to set NLS_LANG to UTF8. If you are familiar
    with OCI and expect better performance, you can do so. But if you want
    to make the application be portable in terms of data source, ODBC is an
    appropriate choice.
    Data source doesn't matter the encoding of client. The character set of
    client is determined by how client calls ODBC functions SQLBindParameter
    or SQLBindCol. If the client specifies SQL_C_WCHAR, data is exchanged in
    UTF-16 independent from NLS_LANG. If it is SQL_C_CHAR, data is in
    NLS_LANG encoding. Unicode ODBC client binds data with SQL_C_WCHAR, that
    is exactly the case of MS Access 2000. On the other hand, because PHP
    binds data with SQL_C_CHAR, NLS_LANG is taken as the encoding for data
    manipulations.

  • MacOS X: Cisco Any Connect 3.x client crashes with certain user

    Hello,
    I'm using Cisco AnyConnect Secure Mobility Client 3.1.03103. The OS I'm running is Mac OS X 10.8.4 on a MacBook Pro.
    During connection (about 5 seconds after pressing the connect button) the VPN client crashes:
    "Cisco AnyConnect Secure Mobility Client quit unexpectedly"
    Here is a part of the panic string
    --- snip ---
    Process:         Cisco AnyConnect Secure Mobility Client [1205]
    Path:            /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
    Identifier:      com.cisco.Cisco-AnyConnect-Secure-Mobility-Client
    Version:         3.1 (1)
    Code Type:       X86 (Native)
    Parent Process:  launchd [239]
    User ID:         502
    Date/Time:       2013-06-12 17:52:08.425 +0200
    OS Version:      Mac OS X 10.8.4 (12E55)
    Report Version:  10
    Interval Since Last Report:          166 sec
    Crashes Since Last Report:           2
    Per-App Interval Since Last Report:  130 sec
    Per-App Crashes Since Last Report:   1
    Anonymous UUID:                      703DE2BD-C547-C2AE-CC3A-4A411DC4D4CC
    Crashed Thread:  3
    Exception Type:  EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
    VM Regions Near 0x4:
    --> __PAGEZERO             0000000000000000-0000000000001000 [    4K] ---/--- SM=NUL  /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
        __TEXT                 0000000000001000-00000000000bc000 [  748K] r-x/rwx SM=COW  /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
    --- snip ----
    This only happens with one user. With two other users on that same system the issue does not happen. It started after I added Admin rights to that user. I also removed the Admin rights but the error still happens.
    I uninstalled the client, deleted the /opt/cisco directory and the .anyconnect file in the home directory. I rebooted the MacBook and installed it again. But no change, the error still happens.
    Is there any other fix besides deleting and re-creating the user? There must be some configuration file (besides /opt/cisco/anyconnect/profile or the .anyconnect file in the user home) in the home directory, but I haven't found anything.
    Help greatly appreciated :-)
    Cheers
    Niels

    We've recently run into an issue related to this. We found that it was related somehow to Firefox. If one looks inside of
    /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/ there are symlinks to Firefox libraries:
    $ ls -l
    total 1800
    -rwxrwxr-x  1 0     80  891232 Aug  3  2012 Cisco AnyConnect Secure Mobility Client
    lrwxr-xr-x  1 1001  80      60 Jun 13 15:57 libmozsqlite3.dylib -> /Applications/Firefox.app/Contents/MacOS/libmozsqlite3.dylib
    lrwxr-xr-x  1 1001  80      55 Jun 13 15:57 libnspr4.dylib -> /Applications/Firefox.app/Contents/MacOS/libnspr4.dylib
    lrwxr-xr-x  1 1001  80      54 Jun 13 15:57 libnss3.dylib -> /Applications/Firefox.app/Contents/MacOS/libnss3.dylib
    lrwxr-xr-x  1 1001  80      58 Jun 13 15:57 libnssutil3.dylib -> /Applications/Firefox.app/Contents/MacOS/libnssutil3.dylib
    lrwxr-xr-x  1 1001  80      54 Jun 13 15:57 libplc4.dylib -> /Applications/Firefox.app/Contents/MacOS/libplc4.dylib
    lrwxr-xr-x  1 1001  80      55 Jun 13 15:57 libplds4.dylib -> /Applications/Firefox.app/Contents/MacOS/libplds4.dylib
    lrwxr-xr-x  1 1001  80      58 Jun 13 15:57 libsoftokn3.dylib -> /Applications/Firefox.app/Contents/MacOS/libsoftokn3.dylib
    So as a simple confirmation we were able to remove Firefox and have AnyConnect connect fine. As a more permanent workaround we replaced the above symlinks with 0 byte files and we were able to have our cake (AnyConnect connecting) and eat it too (Firefox installed as well).
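As an added check, not part of the original answer or Cisco's own tooling, this Python script lists the symlinks in an app bundle's Contents/MacOS directory whose targets lie outside the bundle and reports whether each target still exists (a dangling link is what a user is left with once Firefox is removed). The demo bundle it builds is a constructed fixture in a temporary directory, with the hypothetical in-bundle library libbundled.dylib added to show a link that is not reported.

```python
"""List library symlinks in an app bundle that point outside the bundle.

Added example (not Cisco's tooling) for the situation described above:
loadable libraries inside Cisco AnyConnect Secure Mobility Client.app that
are symlinks into Firefox.app. build_demo_bundle() creates a constructed
fixture in a temp directory whose names mirror the ls output above.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def external_symlinks(bundle: Path) -> List[Tuple[str, str, bool]]:
    """Return (name, link target, target exists) for each symlink in
    <bundle>/Contents/MacOS whose resolved target is outside the bundle."""
    bundle_root = bundle.resolve()
    macos_dir = bundle / "Contents" / "MacOS"
    results = []
    for entry in sorted(macos_dir.iterdir()):
        if not entry.is_symlink():
            continue
        target = os.readlink(entry)
        # Resolve relative to the link's own directory; strict=False keeps
        # dangling links (target gone, e.g. Firefox uninstalled) visible.
        resolved = (entry.parent / target).resolve(strict=False)
        if resolved != bundle_root and bundle_root not in resolved.parents:
            results.append((entry.name, target, resolved.exists()))
    return results


def build_demo_bundle(root: Path) -> Path:
    """Constructed fixture: three links into a fake Firefox.app (one of them
    dangling) plus one link that stays inside the bundle (hypothetical lib)."""
    firefox = root / "Applications" / "Firefox.app" / "Contents" / "MacOS"
    firefox.mkdir(parents=True)
    for name in ("libnss3.dylib", "libnspr4.dylib"):
        (firefox / name).write_bytes(b"")  # libmozsqlite3.dylib left absent
    bundle = root / "Applications" / "Cisco" / "Cisco AnyConnect Secure Mobility Client.app"
    macos = bundle / "Contents" / "MacOS"
    frameworks = bundle / "Contents" / "Frameworks"
    macos.mkdir(parents=True)
    frameworks.mkdir()
    (macos / "Cisco AnyConnect Secure Mobility Client").write_bytes(b"")
    for name in ("libnss3.dylib", "libnspr4.dylib", "libmozsqlite3.dylib"):
        (macos / name).symlink_to(firefox / name)
    (frameworks / "libbundled.dylib").write_bytes(b"")  # hypothetical in-bundle lib
    (macos / "libbundled.dylib").symlink_to(frameworks / "libbundled.dylib")
    return bundle


def run_demo() -> List[Tuple[str, str, bool]]:
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return external_symlinks(build_demo_bundle(Path(tmp)))


if __name__ == "__main__":
    for name, target, exists in run_demo():
        print(f"{name} -> {target} ({'present' if exists else 'DANGLING'})")
```

Point external_symlinks() at the real bundle path from the ls output to audit an installed client.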

  • Anyconnect Vlan access

    I have an ASA 5505 that we set up a VPN connection to recently. Everything on our internal VLAN (120) works fine when using the VPN, although VPN clients cannot access the Voice VLAN (200). I have added the voice network to the ACL list and mapped it to the AnyConnect connection profile. Still a no go. Any ideas? Config below
    interface Vlan2
     nameif outside
     security-level 0
     ip address  255.255.255.252
    banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
    banner motd Don't access this router without proper authorization.
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 75.75.75.75
     name-server 75.75.76.76
     domain-name valleyview.local
    object network obj-10.193.5.248
     subnet 10.193.5.248 255.255.255.248
    object network obj-10.193.5.0
     subnet 10.193.5.0 255.255.255.0
    object network obj-10.193.5.230
     host 10.193.5.230
    object network obj-10.193.5.230-02
     host 10.193.5.230
    object network obj-10.193.5.230-03
     host 10.193.5.230
    object network obj-10.193.5.77
     host 10.193.5.77
    object network obj-10.193.5.77-01
     host 10.193.5.77
    object network obj-10.193.5.230-04
     host 10.193.5.230
    object network obj-10.193.5.230-05
     host 10.193.5.230
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Exchange
     host 10.193.5.230
    object network VPN_NETWORK
     subnet 192.168.22.0 255.255.255.248
    object network Voice_Network
     subnet 10.200.1.0 255.255.255.0
     description Voice Network
    object network VPN_CLIENTS
     subnet 192.168.22.0 255.255.255.248
    object network NETWORK_OBJ_192.168.22.0_29
     subnet 192.168.22.0 255.255.255.248
    object-group network DM_INLINE_NETWORK_1
     network-object 0.0.0.0 0.0.0.0
     network-object object Voice_Network
    access-list inside_out extended permit ip host 10.193.5.230 any4
    access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
    access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
    access-list inside_out extended permit ip object Voice_Network any
    access-list inside_out extended permit ip object VPN_CLIENTS any inactive
    access-list extended extended permit gre any4 host 173.163.35.105
    access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
    access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
    access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
    access-list DefaultRAGroup_splitTunnelAcl standard permit any4
    access-list VPN_splitTunnelAcl standard permit any4
    access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive

    As requested
    Result of the command: "sh run"
    : Saved
    ASA Version 9.1(4) 
    hostname vvnrt0
    domain-name valleyview.local
    enable password  encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd Hex3HvOKW72M49oO encrypted
    names
    ip local pool VPNIPPool 10.193.5.251-10.193.5.254 mask 255.255.255.0
    ip local pool VPN_IP_Pool 192.168.22.1-192.168.22.6 mask 255.255.255.248
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.193.5.193 255.255.255.0 
    interface Vlan2
     nameif outside
     security-level 0
     ip address  255.255.255.252 
    banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
    banner motd Don't access this router without proper authorization.
    boot system disk0:/asa914-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 75.75.75.75
     name-server 75.75.76.76
     domain-name valleyview.local
    object network obj-10.193.5.248
     subnet 10.193.5.248 255.255.255.248
    object network obj-10.193.5.0
     subnet 10.193.5.0 255.255.255.0
    object network obj-10.193.5.230
     host 10.193.5.230
    object network obj-10.193.5.230-02
     host 10.193.5.230
    object network obj-10.193.5.230-03
     host 10.193.5.230
    object network obj-10.193.5.77
     host 10.193.5.77
    object network obj-10.193.5.77-01
     host 10.193.5.77
    object network obj-10.193.5.230-04
     host 10.193.5.230
    object network obj-10.193.5.230-05
     host 10.193.5.230
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
    object network Exchange
     host 10.193.5.230
    object network VPN_NETWORK
     subnet 192.168.22.0 255.255.255.248
    object network Voice_Network
     subnet 10.200.1.0 255.255.255.0
     description Voice Network
    object network VPN_CLIENTS
     subnet 192.168.22.0 255.255.255.248
    object network NETWORK_OBJ_192.168.22.0_29
     subnet 192.168.22.0 255.255.255.248
    object-group network DM_INLINE_NETWORK_1
     network-object 0.0.0.0 0.0.0.0
     network-object object Voice_Network
    access-list inside_out extended permit ip host 10.193.5.230 any4 
    access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging 
    access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4 
    access-list inside_out extended permit ip object Voice_Network any 
    access-list inside_out extended permit ip object VPN_CLIENTS any inactive 
    access-list extended extended permit gre any4 host 173.163.35.105 
    access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive 
    access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
    access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248 
    access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248 
    access-list DefaultRAGroup_splitTunnelAcl standard permit any4 
    access-list VPN_splitTunnelAcl standard permit any4 
    access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq https inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 987 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 4125 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 8081 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 1099 inactive 
    access-list outside_in extended permit tcp any4 host 10.193.5.230 eq smtp inactive 
    access-list outside_in extended permit ip any object Voice_Network 
    access-list outside_in extended permit ip object VPN_CLIENTS 10.200.1.0 255.255.255.0 inactive 
    access-list All_VPN_Access extended permit ip object NETWORK_OBJ_192.168.22.0_29 object Voice_Network 
    access-list All_VPN_Access extended permit ip any object Voice_Network 
    access-list All_VPN_Access extended permit ip any any 
    access-list global_access extended permit ip object Voice_Network any 
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-715.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,any) source static any any destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
    nat (inside,any) source static obj-10.193.5.0 obj-10.193.5.0 destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
    nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
    object network obj-10.193.5.230-02
     nat (inside,outside) static interface service tcp 4125 4125 
    object network obj-10.193.5.230-03
     nat (inside,outside) static interface service tcp 987 987 
    object network obj-10.193.5.77
     nat (inside,outside) static interface service tcp 1099 1099 
    object network obj-10.193.5.77-01
     nat (inside,outside) static interface service tcp 8081 8081 
    object network obj-10.193.5.230-04
     nat (inside,outside) static interface service tcp smtp smtp 
    object network obj-10.193.5.230-05
     nat (inside,outside) static interface service tcp pptp pptp 
    object network obj_any
     nat (inside,outside) dynamic interface
    access-group inside_out in interface inside
    access-group outside_in in interface outside
    access-group global_access global
    route outside 0.0.0.0 0.0.0.0 173.163.35.106 1 
    route inside 10.200.1.0 255.255.255.0 10.193.5.1 1 
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server VPNUGRP protocol ldap
    aaa-server VPNUGRP (outside) host 10.193.5.230
     timeout 5
     server-type auto-detect
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL 
    aaa authentication http console LOCAL 
    http server enable
    http 10.193.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet 10.193.5.0 255.255.255.0 inside
    telnet timeout 30
    ssh 10.193.5.0 255.255.255.0 inside
    ssh  255.255.255.255 outside
    ssh timeout 5
    ssh version 2
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd dns 75.75.75.75 75.75.76.76
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     dns-server value 10.193.5.230
     vpn-tunnel-protocol ikev1 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vvn-vpn_splitTunnelAcl
     default-domain value valleyview.local
     address-pools value VPN_IP_Pool
    group-policy DfltGrpPolicy attributes
     dns-server value 10.193.5.230
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vvn-vpn_splitTunnelAcl
     address-pools value VPN_IP_Pool
    group-policy GroupPolicy_Valley_View_VPN internal
    group-policy GroupPolicy_Valley_View_VPN attributes
     wins-server none
     dns-server value 10.193.5.230 75.75.75.75
     vpn-tunnel-protocol ssl-client ssl-clientless
     default-domain value valleyview.local
     split-dns value valleyview.local
     address-pools value VPN_IP_Pool
    username bcleary password  encrypted privilege 15
    username bcleary attributes
     vpn-group-policy DfltGrpPolicy
    username test password  encrypted
    username morefieldcomm password encrypted
    username Vendor password  encrypted privilege 0
    username Vendor attributes
     vpn-group-policy DfltGrpPolicy
    username swthomas password  encrypted
    username compugen password  encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
     address-pool VPNIPPool
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group DefaultRAGroup ipsec-attributes
     ikev1 pre-shared-key *****
    tunnel-group DefaultWEBVPNGroup general-attributes
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group Valley_View_VPN type remote-access
    tunnel-group Valley_View_VPN general-attributes
     address-pool VPN_IP_Pool
     default-group-policy GroupPolicy_Valley_View_VPN
    tunnel-group Valley_View_VPN webvpn-attributes
     group-alias Valley_View_VPN enable
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
    service-policy global_policy global
    smtp-server 10.193.5.230
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:
    : end
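The posted running-config still offers DES, 3DES and HMAC-MD5 transform-sets, an IKEv1 policy on 3DES with DH group 2, and `ssh key-exchange group dh-group1-sha1`. The following audit script is an added example written for this page (not code from the poster or from Cisco): it scans ASA config text for those legacy algorithm choices. The sample lines are copied from the config above, and the weak-algorithm list is the example's own baseline, not a Cisco recommendation.

```python
"""Flag legacy crypto settings in a Cisco ASA running-config (added example)."""
from __future__ import annotations

import re

# Settings this example's baseline treats as weak (assumption of the example).
WEAK_TOKENS = {
    "esp-des": "single DES",
    "esp-3des": "3DES (64-bit block, Sweet32)",
    "esp-md5-hmac": "HMAC-MD5",
    "encryption 3des": "IKE 3DES",
    "hash md5": "IKE MD5",
    "group 1": "DH group 1 (768-bit)",
    "group 2": "DH group 2 (1024-bit)",
    "dh-group1-sha1": "SSH DH group1 / SHA-1 key exchange",
}

# Constructed sample: lines taken from the posted config above.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh key-exchange group dh-group1-sha1
"""


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line_no, config line, reason) for every weak setting found."""
    findings = []
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        for token, reason in WEAK_TOKENS.items():
            # Whole-token match so "group 2" does not hit "group 24" or "group 20".
            if re.search(rf"(?<![\w-]){re.escape(token)}(?![\w-])", line):
                findings.append((no, line, reason))
    return findings


if __name__ == "__main__":
    for no, line, reason in audit(SAMPLE_CONFIG):
        print(f"line {no}: {reason}: {line}")
```

Run it against a full `show running-config` capture to get a line-referenced list of transform-sets, IKE policies and SSH settings to retire.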

  • HeartBleed vulnerability on AnyConnect for iOS

    Does anyone have additional information on this vulnerability? This security post: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    tells us that "Cisco AnyConnect Secure Mobility Client for iOS" is an affected product, but doesn't tell us what versions are at risk.

    This build with this fix has been posted to the iTunes store.
    AnyConnect for Apple iOS 3.0.09353 is now available for download from the Apple App Store
    Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed
    Download: https://itunes.apple.com/us/app/cisco-anyconnect/id392790924
    Release notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-iOS.html
    ** Please note the two upgrade instructions pasted below which are applicable to all upgrades of AnyConnect software on Apple iOS
    Disconnect AnyConnect connection before upgrading
    Please make sure your AnyConnect VPN is disconnected when you upgrade. Otherwise, you may fail to connect after the upgrade with the following error: "Could not connect to VPN server, Please verify internet connectivity and server address." This issue can be fixed by a device reboot.
    Apple iOS Connect On Demand Considerations
    To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message "The VPN Connection requires an application to start up" will display.
