Cisco AnyConnect 3.0.2 and Mac OS X 10.7

I'm having trouble getting this to work; after my upgrade to Mac OS X Lion the AnyConnect client can no longer log in. Reinstalling didn't work for me. What are others experiencing?

Can you be more specific regarding the problem?  And when the problem started?
I was having trouble with AnyConnect that began about a week before Lion was released.  I was running with Snow Leopard and AnyConnect Mobile Security Client 3.0.2052.  I started to get 'Certificate Validation Failure' messages.  I ended up setting the ASA certificate to be ALWAYS TRUSTED, as it is a self-generated certificate from the ASA.  The only 'problem/change' from previous operation is that every time I connect via VPN I need to enter my keychain credentials to allow the AnyConnect app to access the keychain.  Even when I chose to ALWAYS TRUST the application, it continues to prompt for the keychain password.
The same ASA client (3.0.2052) is now working with Lion.  I have the 3.0.3050 client downloaded but have not installed it yet.
By the way, there is an issue with 10.7 and Java, where 10.7 does not come with a Java runtime.  See:
http://support.apple.com/kb/DL1421
-rb

Similar Messages

  • Cisco AnyConnect does it do IPsec?

    Hi Guys
    I have a Cisco ASA5520 with Software Version 8.2(5) in place, most of my users are Mac users and I am currently looking into Cisco AnyConnect in comparison to using VPN client.
    I have a couple of questions
    1) Does Cisco AnyConnect make use of IPsec or is it solely SSL VPN based?
    2) From the license information I have below in my ASA I understand that I can have max 750 vpn peers however am I right in saying that this does not apply to Cisco AnyConnect peers? and that with Cisco AnyConnect I can only have 2 peers? Also what are the disabled anyconnect options for?
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    Security Contexts              : 2
    GTP/GPRS                       : Disabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 750
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled
    3) When trying to set up Cisco Anyconnect on the ASA using ASDM, I noticed I needed to upload AnyConnect client images however when I did this by uploading the .dmg file for mac machines I got the error message "not a valid SVC image". Is this because I am running 8.2?
    Your help is much appreciated
    Regards
    Mohamed

    Hi Mohammad,
    I will answer your questions one by one:
    1. Cisco Anyconnect version 3.0 and above supports SSL as well as IPSECv2 connections. If you want the user to connect using IPSECv2 from the Anyconnect client then it will consume the SSL license and not the IPsec license; however, if you use IPSECv2 for connections like site to site vpn then it will consume normal IPSec VPN license.
    2. a.  SSL VPN Peers: This license gives you the information about the number of users who can connect using the SSL protocol i.e. using the Anyconnect client as well as web portal based client also known as clientless VPN. Here I see there are only 2 licenses so at any point of time only 2 users can connect successfully because 750 is the total number of license available for VPN connection on the ASA, only 698 will be available for the IPSec connections.
       b.  Anyconnect for mobile: This license is required whenever a user is connecting from a handheld device like: iPhone, iPad, tablets etc.
       c. Anyconnect for Cisco VPN Phone: Cisco IP phones have the ability to connect to a remote ASA using the SSL protocol and to enable this feature you should have this license enabled on the ASA.
       d.  Anyconnect essentials: For Anyconnect there are two licenses a> Anyconnect Premium and b> Anyconnect Essentials. Anyconnect essentials is cheaper as compared to the Anyconnect premium license. This license is for those who do not use webvpn or clientless VPN. When this license is enabled, the user can only connect from the Anyconnect VPN client.
    3. I am not sure what image you are using on the ASA. Please try the image named as anyconnect-macosx-i386-2.5.2010-k9.pkg.
        To apply the changes using the command line, put this image on disk0: and then issue this command on the CLI.
       svc image disk0:/anyconnect-macosx-i386-2.5.2010-k9.pkg
    Let me know if this helps.
    Thanks,
    Vishnu Sharma

  • Cisco anyconnect secure mobility client + caching

    Hi,
    We have recently implemented wifi at our location, all working fine with the below exception. We have Cisco AnyConnect Secure Mobility Client installed on all laptops for VPN access. We are facing a problem as the VPN client is caching the credentials, i.e. in order to connect to the corp wifi, we need to add a profile in the AnyConnect client with the SSID, security and 802.1x configuration because my WIFI infra is set up to use ISE as the authentication manager and WLC is integrated with ISE. The first time someone tries to connect to wifi, it prompts for the credentials, but for the subsequent connections it is not prompting for the credentials and somehow it is picking them from the cache or somewhere. How can I disable this? I want the users to be prompted for credentials whenever they try to connect to the corp wifi. FYI, we are using Cisco AnyConnect Secure Mobility Client version 3.0.5.
    Thanks,
    Sridhar

    I'm guessing that it is this setting...
    Go to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client and edit the AnyConnectLocalPolicy.xml.
    Change this line to:
              All
    It's probably best to use the AnyConnect Profile Editor to do this and I'm also not sure if this is something that can be pushed from the gateway to all machines.

  • An error when trying to connect with the Cisco AnyConnect.

    Good day!
    I connect from Windows 7 (also from Ubuntu) with the Cisco AnyConnect client 3.0 (and with Cisco AnyConnect Secure Mobility Client 3.1) and get the error “The VPN client was unable to successfully verify the IP forwarding table modifications. A VPN connection will not be established.” No changes had been made to the configuration of my asa5520 running 8.4(2) (ASDM 6.4(5)).
    I have license  (AnyConnect Premium Perpetual) supports 2  vpn connections.
    I read about this problem on different forums and cisco.com:
    disabled unused adapters, check install software (Adobe photoshop and Bonjour are not installed on my system).
    I made new configuration AnyConnect  in ASDM. But the problem remains the same...
    Please, help me find the way to solution in this situation!

    I have seen that error before but it usually clears up on its own.  I have a working theory though so perhaps this might help you.  I noticed that once you connect, 2 files are created in C:\ProgramData\Cisco\Cisco AnyConnect VPN Client.  I think that folder is different if using v3.x instead of 2.5.  Anyway, the files are routechangesv4.bin and routechangesv6.bin.  Try deleting each and then rebooting.  Try connecting again after that.
    My theory is that those files are not clearing up after disconnecting.  I think they are supposed to go away after disconnecting but I noticed in some cases that they don't.

  • Cisco AnyConnect WEB/SSL VPN - does not launch after Apple's security update on Mac OS 10.7 and 10.6

    AnyConnect version: 2.5.2001
    Mac OS versions: 10.7.2 and 10.6.8
    We used to invoke Cisco AnyConnect VPN via the Safari browser for the SSL URL and it used to work fine on Mac OS 10.6 and 10.7. Apple released a security update on 8/Nov/2011 (see: http://support.apple.com/kb/HT5045) and after applying the update, invoking AnyConnect from the browser no longer invokes the AnyConnect application on the machine. The browser stops at this page repeatedly:
    I have installed AnyConnect on my machine and am able to invoke it explicitly, but browser login just fails to do that. I have tried re-installing AnyConnect, but the problem still persists.
    Any help would be highly appreciated as we are in a show-stopped situation because of this issue.
    Thanks
    Vivek.

    This is an old issue, but I ran into it continually this month while trying to use AnyConnect on my Mac 10.8+ version.
    For me, the solution was:
    I realized that I should have seen a pop-up warning me about the dangers of using Java etc. etc but it seemed as if my computer was blocking it automatically without giving me the option.
    I went to the Java page (Java.com) and clicked on "Do I have Java?" The plug-in was inactive, so clicking it allowed me to check that my Java was up to date. Going back to my AnyConnect, this time, it seemed to go through and give me all the pop-ups allowing me to allow Java.

  • Cisco Anyconnect Secure Mobility Client crashes on Mac 10.8.5

    Hi,
    I have a Macbook Pro with Mountain Lion 10.8.5 OS installed. I am using Cisco Anyconnect Secure Mobility Client as a VPN to access my company's network (Intranet). Had been using this software for more than 2 Months and all of a sudden now when I use this Secure Mobility Client, the application is crashing and I get the following error message:
    Process:         Cisco AnyConnect Secure Mobility Client [1340]
    Path: /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
    Identifier: com.cisco.vpn
    Version:         3.0.10055
    Code Type:       X86 (Native)
    Parent Process: launchd [152]
    Date/Time: 2013-11-10 11:18:57.739 +0530
    OS Version:      Mac OS X 10.8.5 (12F45)
    Report Version:  10
    Interval Since Last Report:          6277 sec
    Crashes Since Last Report:           2
    Per-App Crashes Since Last Report:   2
    Crashed Thread:  6
    Exception Type: EXC_BAD_ACCESS (SIGBUS)
    Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000004
    VM Regions Near 0x4:
    --> __PAGEZERO 0000000000000000-0000000000001000 [ 4K] ---/--- SM=NUL /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
        __TEXT                 0000000000001000-0000000000025000 [  144K] r-x/rwx SM=COW  /Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS/Cisco AnyConnect Secure Mobility Client
    Thread 0:: Dispatch queue: com.apple.main-thread
    0   libsystem_kernel.dylib                 0x96fcf7ce mach_msg_trap + 10
    1 libsystem_kernel.dylib                 0x96fcecac mach_msg + 68
    2 com.apple.CoreFoundation         0x990e1f79 __CFRunLoopServiceMachPort + 185
    3 com.apple.CoreFoundation         0x990e795f __CFRunLoopRun + 1247
    4 com.apple.CoreFoundation         0x990e701a CFRunLoopRunSpecific + 378
    5 com.apple.CoreFoundation         0x990e6e8b CFRunLoopRunInMode + 123
    6 com.apple.HIToolbox                   0x97821f5a RunCurrentEventLoopInMode + 242
    7 com.apple.HIToolbox                   0x97821cc9 ReceiveNextEventCommon + 374
    8 com.apple.HIToolbox                   0x97821b44 BlockUntilNextEventMatchingListInMode + 88
    9 com.apple.AppKit                         0x91d9193a _DPSNextEvent + 724
    10 com.apple.AppKit                       0x91d9116c -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 119
    11 com.apple.AppKit                       0x91d875cc -[NSApplication run] + 855

    I have an identical problem on 10.7.5 OS and AnyConnect 3.1.04074
    Just started happening yesterday.
    Please post if you find a solution.

  • Cisco AnyConnect SSL VPN no split tunnel and no hairpinning internet access

    Greetings,
    I am looking to configure a Cisco ASA 5515X for Cisco AnyConnect Essentials SSL VPN where ALL SSL-VPN traffic is tunneled, no split tunneling or hairpinning on the outside interface. However users require internet access. I need to route traffic out the "trusted" or "inside" interface to another device that performs content-filtering and inspection which then egresses out to the internet from there. Typically this could be done using a route-map (which ASA's do not support) or with a VRF (again, not an option on the ASA). The default route points to the outside interface toward the internet.
    Is there no other method to force all my SSL-VPN traffic out the inside interface toward LAN subnets as needed and have another default route point toward the filtering device?
    OR 
    Am I forced to put the ASA behind the filtering device somehow?

    Hi Jim,
    You can use tunnel default route for vpn traffic:
    ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled
    configure mode commands/options:
      <1-255>   Distance metric for this route, default is 1
      track     Install route depending on tracked item
      tunneled  Enable the default tunnel gateway option, metric is set to 255
    This route is applicable for only vpn traffic.
    HTH,
    Shetty
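An added example (not from the thread and not Cisco code): a simplified Python model of the route selection the answer above relies on, showing that the `tunneled` default route only catches decrypted VPN traffic that no specific route matches. The interface names, addresses and the `Route`/`lookup` names are assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str
    tunneled: bool = False  # models the "tunneled" keyword on a default route


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed routing table: LAN behind "inside", Internet behind "outside",
# content filter at 10.10.0.254 reachable through "inside".
BASE_ROUTES = [
    Route(net("10.10.0.0/16"), "inside", "10.10.0.1"),
    Route(net("0.0.0.0/0"), "outside", "203.0.113.1"),
]
# Equivalent of: route inside 0.0.0.0 0.0.0.0 10.10.0.254 tunneled
TUNNELED_DEFAULT = Route(net("0.0.0.0/0"), "inside", "10.10.0.254", tunneled=True)


def lookup(dst, from_tunnel, routes):
    """Return the Route used for dst, or None if nothing matches.

    Specific (non-default) routes win by longest prefix for all traffic.
    Only when none match does the default apply: traffic that came out of
    a VPN tunnel prefers the tunneled default, everything else uses the
    standard default.
    """
    addr = ipaddress.ip_address(dst)
    specific = [r for r in routes
                if r.prefix.prefixlen > 0 and addr in r.prefix]
    if specific:
        return max(specific, key=lambda r: r.prefix.prefixlen)

    defaults = [r for r in routes if r.prefix.prefixlen == 0]
    if from_tunnel:
        for r in defaults:
            if r.tunneled:
                return r
    for r in defaults:
        if not r.tunneled:
            return r
    return None


def vpn_internet_egress(routes, sample_dst="198.51.100.7"):
    """Interface that decrypted VPN traffic to an Internet host leaves by."""
    route = lookup(sample_dst, from_tunnel=True, routes=routes)
    return route.interface if route else None


if __name__ == "__main__":
    with_tunneled = BASE_ROUTES + [TUNNELED_DEFAULT]
    print("without tunneled route:", vpn_internet_egress(BASE_ROUTES))
    print("with tunneled route:   ", vpn_internet_egress(with_tunneled))
    print("ASA's own traffic:     ",
          lookup("198.51.100.7", False, with_tunneled).interface)
```
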

  • Simple remote connection using Cisco AnyConnect and ISR router

    Hi all,
    I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
    But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?
    Basically what I am after is the following
    - Remote users install Cisco AnyConnect to establish a VPN connection to HQ
    - HQ ISR (880s, 1900s, 2900s) terminates those VPN connections and allows access to local resources (shared drives, applications...). Authentication method would be local database on the router. No need of RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.
    I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
    But the example is too high-level for me to follow, basically I don't know how to generate such certificates and distribute them to remote clients.
    Any help as to how to create such certificates or how to configure FlexVPN to just require the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.
    Cheers
    Alvaro

    If you insist .. try this:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
    http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

  • Error Cisco AnyConnect Secure Mobility Client - MAC Os X

    Hello,
    I have this problem when I tried to connect the anyconnect secure mobility with my vpn
    Please, can you help me?
    The error message is this
    " The AnyConnect package on the secure gateway could not be reached . You may be experiencing network connectivity issues . Please try connecting again. "
    The firewall in use is
    ASA 5520
    ASA 9.1(4)
    ASDM 7.1(6)

    Correct answer for this error Cisco AnyConnect Client
    Upload to the ASA the .pkg of the VPN client that you need to use
    For ASA 9.1(4) and ASDM 7.1(6)
    Go to Configuration -> Network (Client) Access -> AnyConnect Client Software
    "If the .pkg is not declared here, you have to add it"
    To add -> press + Add -> Browse flash -> Find the .pkg that you need and select it -> Press OK -> Press OK
    Finally press Apply
    Then connect the VPN and you will not have the problem
    Regards

  • Cisco AnyConnect Secure Mobility Client using discrete graphics on Mac

    Hello,
    I use your Cisco AnyConnect Secure Mobility Client to connect to my University's VPN. The programme is supplied to me by my University so I presume it licenses it for its students such as myself.
    I am writing to let you know the Cisco AnyConnect Secure Mobility Client uses the discrete graphics card on my MacBook Pro whenever it is running. I cannot quit the Client, that will end my VPN session, but at the same time using the discrete graphics card is a drain on the battery for no good reason; Cisco AnyConnect does not display any visuals that I am aware would require the use of an NVidia Kepler card with 1GB VRAM. The application's code perhaps needs to be rectified so it does not depend on the discrete graphics card when clearly (as the attachments show) it does not need a discrete graphics card to render its very simple interface.
    Cheers.

    If your company has the Cisco IPSec protocol open you can use the Mac's built-in VPN settings.
    However, if those ports are blocked by your local service (Starbucks or w/e) then you will have to use the AnyConnect VPN, which is done over SSL (https).

  • Anybody know the Roadmap for combining NAC Agent and Cisco AnyConnect?

    Heard a rumor that Cisco is going to combine the functionality of the NAC Agent and Cisco AnyConnect as far as being an 802.1x supplicant, does anyone have any information about this?  Like is it true and if so, any idea when it will happen?

    Hi ,
    There is no committed plan for NAC and Anyconnect integration. But Anyconnect now comes with a module called NAM (network access module) which can do dot1x as well.
    Here is the link for that :
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    Thanks
    Waris

  • Mail and SMTP server settings of ASA Certificate Authority for cisco anyconnect VPN

    Dear All,
    I have the following case:
    I am using the ASA as Certificate Authority for Cisco AnyConnect VPN users, the authentication happens based on the local database of the ASA,
    I want to issue a new certificate every 72 hours for the users, and I want to send the one time password via email to each user.
    So what should the settings of the mail and SMTP server be?
    As I understand, I should put my SMTP server IP address, then I have to create the local users again under (Remote VPN VPN--Certificate management--Local certificate authority --Manage user Database) along with their email addresses to send the one time password to them via their emails.
    I sent the email manually, how can I automate sending the OTP to our VPN users automatically via their emails?
    Best regards,

    Thanks Jennifer.
    I did manage to configure LDAP attribute map to the specific group policy.
    Nevertheless, I was thinking whether I can have fixed IP address tied to individual user.
    Using legacy Cisco VPN Client, I can do it using IPSEC(IKEv1) Connection profile, where I set Pre-Shared Key and Client Address Pools. Each Client Address Pools has only 1 fix IP address.
    Example: let say my username is LLH.
    Connection Profile for me is : LLH-Connection-Profile, my profile is protected by preshared key.
    Client Address Pool for me is : LLH-pool, and the IP is 172.16.1.11
    Only I know the preshared key and only I can log in with my Connection Profile.
    Using AnyConnect, I have a problem. A user can use any connection profile because I cannot set a preshared key for AnyConnect. In that case, I cannot control who can use my Connection Profile and pretend to be me.
    Example:
    AnyConnect Connection Profile for me is : LLH-Connection-Profile, without any password
    Client Address Pool for me is : LLH-pool, IP is 172.16.1.11
    Anybody can use LLH-Connection-Profile, log in with another user name, let's say user-abc which is a valid user in the LDAP server. In that case, the ASA assigns 172.16.1.11 to user-abc and this user-abc can access the server which only allows my IP to access.
    I hope above description can paint the scenario clearer.
    Thanks in advance for all the help and comment given.

  • Cisco AnyConnect for Mac OS X error message

    Hello,
    when trying to establish a VPN connection to my university network via Cisco AnyConnect (anyconnect 3.1.00495.dmg), I get the following error message:
    "The VPN client was unable to successfully verify the IP forwarding table modifications.  A VPN connection will not be established."
    (see file)
    I am using the following Mac OS X version: 10.8.2 (Mountain Lion).
    What could be the cause, and how can the error be fixed?
    Many thanks in advance.
    Kind regards,
    M.F.

    Hello Marvin,
    thank you very much for your reply. Unfortunately I do not know what you mean by "pre-deploy-Installation".
    I am aware that I have to make the appropriate settings in Gatekeeper in order to install Cisco AnyConnect. However, that does not seem to be the cause, since the installation was successful. Only establishing the connection to my desired network does not work.
    So I am still left with a "?"...
    engl. version:
    Hello Marvin,
    thank you very much for your reply. However I do not know what is meant with "pre-deploy-Installation". The installation of the program worked well, but I do not get a connection to the VPN address or rather to the desired network. So the problem I have is about the connection establishment as it is said in the fault indication.
    So there is still a "?" left....

  • Cisco Anyconnect 3.X and Symantec Endpoint Protection(SEP11)

    We are currently using Cisco Anyconnect ver 3.0.3050 with SEP11. Some users are getting a Port Scan Attack message from SEP11. Never saw this when using our previous Nortel VPN client. Has anyone seen this before?

    Try adding an Application exception to your SEP policy.
    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
    http://www.symantec.com/business/support/index?page=content&id=TECH104326&locale=en_US

  • Cisco ACS 5.1 and MAC address identification/quarantining

    A client is rolling out ACS 5.1, with the eventual intent of customizing network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment.   For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port.  If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
    I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access).  What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
    Please confirm, and as always, reference links/docs are appreciated.

    Hi,
    The goal you want to achieve is possible but not with MAB.
    What you want can easily be done if you do machine authentication rather than MAB.
    With machine authentication you can have something called Machine Access Restriction, which means that both machine and user authentication have to be done, for the user to have access to the network.
    In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successful if the machine authentication was successful.
    For this to work you have to register the machines in the domain as well as the users.
    Machines that do not exist on the domain will fail machine authentication, and no user will be allowed to log in on that machine.
    To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, click "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
    Then, you create a new Rule and this Condition will be available:
    On the client side you need to make sure that they do dot1x machine authentication.
    This allows you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access network by logging in from a trusted machine.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
