lab-2011-mexico.pdf

Cisco AnyConnect Secure Mobility Client and Cisco ASA. Jazib Frahim, Advanced Services Technical Leader; Omar Santos, Incident Manager and Technical Leader, PSIRT



  • Introduction and Design Considerations

  • IPSec or SSL VPN? Differences

    Client software
      IPsec: uses Cisco VPN Client software for complete network access.
      Clientless SSL VPN: uses a standard web browser to access limited corporate network resources and eliminates the need for separate client software.

    Management
      IPsec: you must install and configure the Cisco VPN client.
      Clientless SSL VPN: no VPN client to install; no configuration is required on the client machine.

    Encryption
      IPsec: uses a variety of encryption and hashing algorithms such as DES, 3DES, AES, SHA and MD5.
      Clientless SSL VPN: uses the SSL encryption native to web browsers.

    Applications
      IPsec: encapsulates all IP protocols, including TCP, UDP and ICMP.
      Clientless SSL VPN: supports limited TCP-based client/server applications in clientless mode. Note: the AnyConnect client can encapsulate all IP protocols.

  • IPSec or SSL VPN? Differences (cont.)

    Cost
      IPsec: free license.
      SSL VPN: must purchase a license; many different types of licenses: AnyConnect Essentials, AnyConnect Premium, AnyConnect Mobile, SSL Shared Premium.

    User environment
      IPsec: suited for permanent or full-time telecommuters.
      SSL VPN: suited for all types of users, including contractors, temp workers or even full-time workers.

    Connectivity
      IPsec: establishes a seamless connection to the network.
      SSL VPN: supports application connectivity through a browser portal.

  • SSL VPN Introduction

    Clientless: basic web access, e-mail access, CIFS access, customized user screen
    Thin-client: port redirection for TCP applications only; smart tunnel
    Client-based: full SSL tunnel (AnyConnect SVC), CSD

  • AnyConnect

  • AnyConnect New Features in 3.0

    Network Access Manager (replacement for CSSC)
    Telemetry
    Host Scan
    Web Security (ScanSafe integration)
    IPsec IKEv2
    DART enhancements
    Windows services lockdown
    Software and profile locks

    Note: You can deploy the Web Security module and benefit from the ScanSafe web scanning services without having to install an ASA and without enabling the VPN capabilities of the AnyConnect Secure Mobility Client.

  • AnyConnect 3.0 Operating System Support

    Capabilities compared for Windows, Mac and Linux:
    Enhanced User Interface
    IPsec (IKEv2) and SSL (TLS and DTLS)
    Network Access Manager
    Web Security for ScanSafe
    Integrated Posture (Host Scan)
    Integrated Diagnostics and Reporting
    Pre-install
    Web-deploy and upgrade

  • AnyConnect Main Screen in 3.0

    2011 Cisco and/or its affiliates. All rights reserved. Cisco Public

  • AnyConnect Client Mobile Device Support

    iPad and iPhones

    Mobile Device Support does not include the new features in 3.0. The latest iPhone/iPad client is based on 2.4.x code.

  • AnyConnect Client Mobile Device Support (cont.)

    iPad

    Detailed statistics and diagnostics information that is useful for troubleshooting

  • Cisco AnyConnect VPN Client Deployment

    Web-based Pre-deploy (Standalone client)

  • Web-Deploy Packages

    All supported OS Web-Deploy packages contain the following:
    headinfo.txt: OS definition and XML file sizes
    pkgversion.xml: version info
    VPNManifest.xml: package module contents
    Profile schema files for the Profile Editor
    ServiceProfileManifest.xml: profile info for the head-end and downloader
    Binaries (binaries\): anyconnect and optional module installers (vary with OS); anyconnectprof.sgz (profile editor); vpndownloader.exe (downloader); update.txt (build version)
    Files for Web-Launch presentation: images\, locale\ (Windows only), profile\ (Mac & Linux)

    Web-Deploy .pkg files are zip files with a .pkg extension and can be opened and viewed using WinZip.

  • Pre-Deploy Packages Contents: Windows

    anyconnect-NGC-win-3.0.xxxx-k9.iso
    Anyconnect-dart-win-3.0.xxxx-k9.msi
    Anyconnect-gina-win-3.0.xxxx-pre-deploy-k9.msi
    Anyconnect-nam-win-3.0.xxxx-k9.msi
    Anyconnect-posture-win-3.0.xxxx-pre-deploy-k9.msi
    Anyconnect-telemetry-win-3.0.xxxx-pre-deploy-k9.msi
    Anyconnect-win-3.0.xxxx-pre-deploy-k9.msi
    Setup.exe, setup.hta: pre-deploy installer utility code
    update.txt: build version
    autorun.inf, GUI.ico, cues_bg.jpg

  • Pre-Deploy Packages Contents: Mac and Linux

    MAC (darwin-intel)
    vpn.pkg: main AnyConnect VPN installer package
    csd.pkg: Cisco Secure Desktop package
    dart.pkg: Diagnostics and Reporting Tool (DART) that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems

    Linux
    ciscovpn: main AnyConnect VPN installer binary
    csd-3.0.x: Cisco Secure Desktop package (not supported on Linux-64)
    dart: DART binary

  • AnyConnect Essentials

    AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the Cisco ASA, that provides the full AnyConnect capability, with the following exceptions:
    No CSD (including HostScan/Vault/Cache Cleaner)
    No clientless SSL VPN
    Optional mobile support

    ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License

    CLI: webvpn anyconnect-essentials

  • The AnyConnect Client Uses an XML File for User Profiles and Configuration Settings

    AnyConnect User XML Profile

    On Windows machines, the profile is stored in Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl

    On non-Windows machines the location is /opt/cisco/vpn/profile/AnyConnectProfile.tmpl

    The profile may be validated against the AnyConnectProfile.xsd schema, which is installed with the client.

    On Windows the preferences are stored in: Documents and Settings\\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml

  • AnyConnect 3.0 Profile Editor

    Simplifies the act of creating valid client profiles for various AnyConnect components.

    In AnyConnect 2.5, there was just one AnyConnect component (VPN) that could be configured using an ASDM-integrated Profile Editor.

    In AnyConnect 3.0, there are four AnyConnect components that can be configured using the Profile Editor:

    1. VPN
    2. NAM (Network Access Manager)
    3. Web Security (ScanSafe)
    4. Telemetry

  • AnyConnect Installation Issues

    Logging on Windows uses the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client

    You can save the Cisco AnyConnect VPN Client log from the event viewer in .evt format

    Linux location: /var/log/messages

    Mac location: /var/log/system.log

    NOTE: More tips included in the Appendix

  • An Example of How Windows Event Viewer Looks

    Event Viewer

  • Uninstalling AnyConnect

    Uninstall of AnyConnect Core is not supported via Web-Deploy.

    Pre-Deploy uninstall must be used.

    Uninstall of optional components is effectively achieved when the Upgrade of AnyConnect Core removes the Plugins\ directory and its contents in order to remove optional component functionality.

  • AnyConnect Client GUI Statistics

    The Export Stats button saves the information on the Statistics screen, along with other connection information, to a text file for troubleshooting.

  • Configuration and Basic Troubleshooting

  • Topology: Example 1

    (Diagram) Client (AnyConnect) on the Internet; ASA outside interface 209.165.200.225 on 209.165.200.224/27; ASA inside interface 10.10.10.254 on the Corporate Network 10.10.10.0/24; management interface 192.168.1.254 on 192.168.1.0/24 with the Management (ASDM) host.

  • AnyConnect VPN Wizard

    Select the AnyConnect VPN Wizard

  • AnyConnect VPN Wizard (cont.)

    Click Next to Start the Wizard

  • AnyConnect VPN Wizard (cont.)

    Enter the connection profile

    Select the interface where VPN clients will connect to

  • AnyConnect VPN Wizard (cont.)

    Select the AnyConnect image to be used.

    You can also select the operating system of the client to give the user the option to select the AnyConnect image that is appropriate for his/her environment.

  • AnyConnect VPN Wizard (cont.)

    Select the authentication method. In this example LOCAL auth is used; user1 is used in this example.

  • AnyConnect VPN Wizard (cont.)

    Create an IPv4 (or IPv6) address pool.

  • AnyConnect VPN Wizard (cont.)

    Enter the DNS and WINS servers and enter the domain name to be used.

  • AnyConnect VPN Wizard (cont.)

    If NAT is being used, this step allows you to create a NAT exemption rule (to bypass NAT).

  • AnyConnect VPN Wizard (cont.)

    Click Next to advance to the Summary of configuration changes that will be applied

  • AnyConnect VPN Wizard (cont.)

    Summary of everything that will be configured (as per your entries in the previous steps)

  • AnyConnect Connection Profiles

    After the changes are applied to the ASA you can see the new connection profile under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Profiles

  • AnyConnect VPN Config in the CLI

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.0.1047-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_my-connection-profile internal
    group-policy GroupPolicy_my-connection-profile attributes
     wins-server value 10.10.10.123
     dns-server value 8.8.8.8
     vpn-tunnel-protocol ssl-client
     default-domain value cisco.com
    username user1 password 08S9WUsiSMr3RauN encrypted
    tunnel-group my-connection-profile type remote-access
    tunnel-group my-connection-profile general-attributes
     address-pool my-pool
     default-group-policy GroupPolicy_my-connection-profile
    tunnel-group my-connection-profile webvpn-attributes
     group-alias my-connection-profile enable

  • AnyConnect Statistics After Connection

  • AnyConnect Route Details

  • AnyConnect Message History

  • Case Study: Authentication Problems

  • Problem Summary

    User calls your VPN support staff and complains that his AnyConnect VPN connection is not working!!

    What can you do to troubleshoot?

  • Problem Summary (cont.)

    First, let's take a look at some show commands and debugs you can use:

    show vpn-sessiondb anyconnect filter p-ipaddress 100.1.1.1
    debug webvpn anyconnect
    debug aaa common

  • debug webvpn anyconnect 255 (good auth)

    ciscoasa#
    webvpn_rx_data_tunnel_connect
    CSTP state = HEADER_PROCESSING
    http_parse_cstp_method()
    ...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
    webvpn_cstp_parse_request_field()
    ...input: 'Host: 209.165.200.225'
    Processing CSTP header line: 'Host: 209.165.200.225'
    webvpn_cstp_parse_request_field()
    ...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
    Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
    Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.0.0629'
    Validating address: 0.0.0.0
    CSTP state = WAIT_FOR_ADDRESS
    webvpn_cstp_accept_address: 10.10.20.1/255.255.255.0
    webvpn_cstp_accept_ipv6_address: No IPv6 Address
    CSTP state = HAVE_ADDRESS
    SVC: adding to sessmgmt
    SVC: Sending response
    Sending X-CSTP-FW-RULE msgs: Start
    Sending X-CSTP-FW-RULE msgs: Done
    Sending X-CSTP-Quarantine: false
    Sending X-CSTP-Disable-Always-On-VPN: false
    vpn_put_uauth success!
    CSTP state = CONNECTED

  • debug aaa common (bad communication to server)

    radius mkreq: 0x19
    alloc_rip 0xcbeb5d00
        new request 0x19 --> 20 (0xcbeb5d00)
    got user 'user1'
    got password
    add_req 0xcbeb5d00 session 0x19 id 20
    RADIUS_REQUEST
    radius.c: rad_mkpkt

    RADIUS packet decode (authentication request)
    --------------------------------------
    Raw packet data (length = 63).....
    01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1  |  ...?....._.u.{..
    d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87  |  .WD-..user1..^1.
    3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a  |  =.........L.x...
    0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05     |  .........=.....

    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 20 (0x14)
    Radius: Length = 63 (0x003F)
    Radius: Vector: B20380B9FE5FAC750A7B98F1D657442D
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 7 (0x07)
    Radius: Value (String) =
    75 73 65 72 31                                   |  user1
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    5e 31 87 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78  |  ^1.=.........L.x
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 10.10.10.254 (0x0A0A0AFE)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x2
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.18.104.83/1645
    RADIUS_SENT:server response timeout
    callback_aaa_task: status = -2, msg = RADIUS_DELETE
    remove_req 0xcbeb5d00 session 0x19 id 20
    free_rip 0xcbeb5d00
    radius: send queue empty

  • debug aaa common (there is still a problem!!)

    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.18.118.206/1645
    fail request 0x1c (172.18.118.206 failed)
    callback_aaa_task: status = -2, msg = RADIUS_DELETE
    remove_req 0xcbeb5d00 session 0x1c id 23
    free_rip 0xcbeb5d00
    radius: send queue empty

    We fixed the previous problem: the Cisco ASA had the wrong IP address for the AAA server. The correct IP address is 172.18.118.206, not 172.18.104.83.

    However, authentication is still not successful. What's the problem?

  • What was the Problem?

    asa# show aaa-server my-radius
    Server Group:    my-radius
    Server Protocol: radius
    Server Address:  172.18.118.206
    Server port:     1645(authentication), 1646(accounting)
    Server status:   ACTIVE, Last transaction at 11:49:09 UTC Mon May 23 2011
    Number of pending requests              0
    Average round trip time                 0ms
    Number of authentication requests       11
    Number of authorization requests        0
    Number of accounting requests           0
    Number of retransmissions               0
    Number of accepts                       1
    Number of rejects                       5
    Number of challenges                    0
    Number of malformed responses           0
    Number of bad authenticators            0
    Number of timeouts                      5
    Number of unrecognized responses        0

    The problem was that the AAA server didn't have the correct NAS (AAA client) address for the ASA. It had 10.10.10.54 instead of 10.10.10.254.

    You can also use the show aaa-server command to view statistics on AAA transactions.
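    As an added example (not part of the slides), the Python below decodes the raw Access-Request bytes printed by debug aaa common in this case study and checks the NAS-IP-Address the ASA reports against the AAA server's configured client list, which is how the 10.10.10.54 versus 10.10.10.254 mismatch can be spotted from the packet alone. A RADIUS server actually looks up the client and its shared secret by the UDP source address of the request; the NAS-IP-Address attribute is the address the ASA chose to report, which here is its inside address, so the check is a quick consistency test and the configured-client set is an assumed input.

```python
import struct
from ipaddress import IPv4Address

# Raw Access-Request bytes copied from the "debug aaa common" output in the case study.
RAW_PACKET_HEX = (
    "01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1 "
    "d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87 "
    "3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a "
    "0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05"
)

# RFC 2865 packet codes and the attribute types that appear in the debug.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRIBUTES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 61: "NAS-Port-Type"}


def parse_radius(packet: bytes) -> dict:
    """Decode the RADIUS header and attribute TLVs of one packet (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match {len(packet)} bytes on the wire")
    authenticator = packet[4:20]          # printed as "Vector" in the ASA debug
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = packet[pos + 2:pos + alen]
        name = ATTRIBUTES.get(atype, f"Attr-{atype}")
        if atype == 1:                    # User-Name is a text string
            attrs[name] = value.decode("utf-8")
        elif atype == 4:                  # NAS-IP-Address is 4 raw octets
            attrs[name] = str(IPv4Address(value))
        elif atype in (5, 61):            # NAS-Port and NAS-Port-Type are 32-bit integers
            attrs[name] = struct.unpack("!I", value)[0]
        else:                             # User-Password stays opaque: hidden with MD5(secret + authenticator)
            attrs[name] = value
        pos += alen
    return {"code": CODES.get(code, code), "identifier": identifier, "length": length,
            "authenticator": authenticator.hex().upper(), "attributes": attrs}


def nas_address_mismatch(parsed: dict, configured_clients: set) -> bool:
    """True when the reported NAS-IP-Address is not one of the AAA server's configured clients."""
    return parsed["attributes"].get("NAS-IP-Address") not in configured_clients


if __name__ == "__main__":
    packet = parse_radius(bytes.fromhex(RAW_PACKET_HEX))
    for key, value in packet.items():
        print(f"{key}: {value}")
    # The case study's AAA server had 10.10.10.54 configured instead of the ASA's 10.10.10.254.
    print("NAS mismatch against {'10.10.10.54'}:", nas_address_mismatch(packet, {"10.10.10.54"}))
```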

  • Case Study: User Connects But Cannot Pass Traffic

  • Problem Summary

    User is able to authenticate but cannot pass traffic.

    What can you do to troubleshoot?

  • AnyConnect Route Details

  • AnyConnect Statistics After Connection

    (Screenshot: the traffic counters show 0)

  • Routing Problem?

    (Diagram) Client (AnyConnect) on the Internet; ASA outside and inside interfaces; VPN pool 10.10.20.0/24; inside interface .254 facing the Corporate Network. Where is 10.10.20.x?

    The internal router must have a route for the VPN IP address pool (10.10.20.0/24).

  • ACL Bypass Problem?

    You can require an access rule to apply to the local IP addresses by unchecking this check box in ASDM. The access rule then applies to the assigned IP address, and not to the original client IP address used before the VPN packet was decrypted.

    ciscoasa# show run sysopt
    no sysopt connection permit-vpn

  • Overview of Network Access Manager (NAM)

  • AnyConnect 3.0 Network Access Manager: Highlights

    Intelligently detects and selects the best layer 2 access network(s)
    Automatically connects to configured networks; automates the user experience
    Wired is preferred over WiFi in automatic mode; override with manual mode
    One connection at a time; all other connections are blocked
    Post-connection script launch: script runs in the user context; can be defined by admin or user (if allowed)
    Enterprise-class server validation: multiple validation rules per connection
    Remote desktop support
    Extend user connection beyond logoff

  • AnyConnect 3.0 Network Access Manager: User Interface

    Network tile: available when NAM is installed, inactive when the service is disabled.

    Network Selection (combo) box: configured networks (bold face); scan list; signal strength and security indicators; allows the user to add new network profiles; connection mode: automatic vs. manual override.

    Network state information: indicates authentication progress; connected state shows the IP address.

    Disable Wi-Fi button: turns the radio off (transmit power is set to zero).

  • Network Access Manager Configuration

    Supports these main features:
    Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters
    Pre-login authentication using Windows machine credentials
    Single sign-on user authentication using Windows logon credentials
    Simplified and easy-to-use IEEE 802.1X configuration
    IEEE MACsec wired encryption and enterprise policy control
    EAP methods: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, and LEAP (EAP-MD5, EAP-GTC, and EAP-MSCHAPv2 for IEEE 802.3 wired only)

  • NAM Statistics

  • Message History

  • Main Status Overview Screen

  • IKEv2 Support

  • IPSec IKEv2 Support

    IKEv2 support uses Cisco's IKEv2 implementation:
    IKEv2 toolkit is common to client, ASA and IOS
    Standards-based implementation; includes a few extensions (fragmentation, redirect)
    Same authentication methods supported previously with SSL VPN
    Uses a proprietary EAP method (AnyConnect EAP)

    Some AnyConnect features require a parallel SSL connection:
    CSD HostScan
    Profile updates
    Language/customization
    Application upgrades
    SCEP

  • Not Supported in IKEv2

    Windows 7 IKEv2 client or any other 3rd-party IKEv2 client
    HW client support for IKEv2 (an ASA 5505 as a head-end/Secure Gateway using IKEv2 is supported)
    Pre-shared-key authentication for client or server
    IKEv2 encryption for the load-balancing link to other ASAs
    cTCP, L2TP
    Re-authentication
    Peer ID check
    Compression/IPcomp
    NAC
    3rd-party firewall configuration
    IPv6 (any form of IPv6, that is, IPv6-over-IPv4, IPv6-over-IPv6, etc.)

  • Quick Configuration Notes: New IKEv2 Policies

    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 2
     prf sha
     lifetime seconds 86400

  • Quick Configuration Notes (cont.): Other IKEv2-Specific Commands

    crypto ikev2 remote-access trust-point my-ikev2-trustpoint
    crypto ikev2 enable outside
    crypto ikev2 cookie-challenge 50
    crypto ikev2 limit max-sa 100
    ikev2 remote-authentication certificate my-ikev2-trustpoint

    More configuration tips and examples at: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html

  • IKEv2 Debug Commands

    debug crypto ikev2 platform
    Debugs ASA processing of IKEv2, not protocol-specific exchanges. Useful for AAA and session management issues, and for troubleshooting the ASA cryptographic module performing encryption and decryption.

    debug crypto ikev2 protocol
    Debugs IKEv2 protocol-specific exchanges.

    debug crypto ikev2 timer
    Debugs IKEv2 timer expiration. Useful when clients complain that their connection is being timed out too often.

    Note: debug crypto ike-common can be used for both IKEv1 and IKEv2

  • Using DART

  • Using DART to Gather Troubleshooting Info

    DART is the AnyConnect Diagnostics and Reporting Tool that you can use to collect data useful for troubleshooting AnyConnect installation and connection problems.

    To launch DART, go to the Status Overview tab and click Diagnostics.

  • DART Wizard

    Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information; DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and what files you want to include in the bundle.

  • DART Wizard (continued)

  • DART Bundle Files

    DART BUNDLE SUMMARY
    Username: unknown (user is offline, or username was not specified in Request)
    Time: Tue Apr 05 17:12:17 2011
    OS: Win7 : WinNT 6.1.7600
    OS username: omar
    Upload URL: None (offline mode)
    DART Mode: User-Initiated/Offline Mode
    Bundle on client computer: C:\Users\omar\Desktop\DARTBundle_0405_1353.zip

    Cisco AnyConnect Secure Mobility Client: Files Included in Bundle:
    ID | Filename | Description | Truncate? | Final Size | Orig. Size
    ac-install | update_pre3.0.txt | AnyConnect install logs. Includes web and standalone install logs | No | 10 bytes | 10 bytes
    ac-install | anyconnect-win-2.3.0254-web-deploy-k9-install-22203701062010.log | AnyConnect install logs. Includes web and standalone install logs | No | 322.35K | 322.35K
    ac-install | update.txt | AnyConnect install logs. Includes web and standalone install logs | No | 10 bytes | 10 bytes
    ac-install | VPNManifest.dat | AnyConnect install logs. Includes web and standalone install logs | No | 181 bytes | 181 bytes
    ac-install | AnyConnectLocalPolicy.xml | AnyConnect install logs. Includes web and standalone install logs | No | 589 bytes | 589 bytes
    ac-install | UpdateHistory_20110405_124400_log.txt | AnyConnect install logs. Includes web and standalone install logs | No | 705 bytes | 705 bytes
    ac-logs | AnyConnect_pre3.0.txt | AnyConnect application logs | No | 3.62M | 3.62M
    ac-logs | AnyConnect.txt | AnyConnect application logs | No | 227.40K | 227.40K
    ac-logs | AnyConnect.evtx | AnyConnect application logs | No | 1.06M | 1.06M
    ac-profile | CALO.xml | AnyConnect Profile | No | 1.46K | 1.46K
    ac-profile | AnyConnectProfile.xsd | AnyConnect Profile | No | 93.22K | 93.22K
    global-preferences | preferences_global.xml | AnyConnect Global Preferences | No | 546 bytes | 546 bytes
    user-preferences | preferences.xml | AnyConnect User Preferences | No | 590 bytes | 590 bytes
    va-runtime | setupapi.app.log | Virtual Adapter runtime logs | No | 320.88K | 320.88K
    va-runtime | setupapi.dev.log | Virtual Adapter runtime logs | No | 9.70M | 9.70M
    (many, many more files follow)

  • Troubleshooting Split Tunneling

  • Split Tunneling Introduction

    Split tunneling lets you specify that certain data traffic is encrypted, while the remainder is sent in the clear (unencrypted). Split-tunneling network lists distinguish networks that require traffic to go through the tunnel from those that do not require tunneling. The ASA makes split-tunneling decisions based on a network list, which is an ACL consisting of a list of addresses on the private network.

  • Troubleshooting Split Tunneling

    Step 1. Ask your user to go to Route Details and check whether the split tunneling list/routes are there.

  • Troubleshooting Split Tunneling (cont.)

    Step 2. If your user's client does not have the correct routes, check that your ASA has the correct access lists for split tunneling for the group to which the user is connecting.

    Step 3. Enable debug webvpn svc and look for the following messages:

    SVC ACL Name: NULL
    SVC ACL ID: -1
    SVC ACL ID: -1

    If you see those messages, the split tunneling information is NOT being sent to the client.

  • Troubleshooting Trusted Network Detection

  • SaaS Single Sign On

    (Diagram: Cisco SaaS Access Control) Internal users and remote users; threat protection, anti-phishing, data loss prevention; visibility via unified reporting; anywhere, any-device connectivity; user authentication and access control; web single sign-on for SaaS apps (SaaS security); identity traversal via the existing network.

  • AnyConnect Secure Mobility Client

    (Diagram) Internet-bound web communications and internal communications; Always-On Security with ScanSafe (new in AnyConnect 3.0).

  • Persistent Security and Policy Enforcement

    (Diagram) ASA and WSA with authentication handoff (SSO); identity- and location-aware policy enforcement; location-aware reporting. AnyConnect Always-on VPN (admin configurable), optimal head-end auto-detect, transparent auth (certificate). Components: Cisco Web Security Appliance, Corporate AD, ASA, WCCP; trusted network versus untrusted network. The user authenticates and the user identity is carried to Internet destinations (news, email, social networking such as facebook.com, enterprise SaaS).

  • Trusted Network Detection

    AnyConnect automatically disconnects a VPN connection when the user is inside the corporate network (the trusted network) and starts the VPN connection when the user is outside the corporate network (the untrusted network).

    This feature encourages greater security awareness by initiating a VPN connection when the user is outside the trusted network.

    NOTE: Because the TND feature controls the AnyConnect client GUI and automatically initiates connections, the GUI should run at all times.

  • Trusted Network Detection (cont.)

    You configure TND in the AnyConnect profile (AnyConnectProfile.xml). No configuration is needed on the ASA.

    The following shows the Client Initialization section of the profile file with the TND parameters configured (the XML element names did not survive extraction; the values are listed by their Profile Editor labels):

    Automatic VPN Policy: true
    Trusted DNS Domains: *.cisco.com
    Trusted DNS Servers: 10.44.124.*,10.102.6.247
    Trusted Network Policy: Disconnect
    Untrusted Network Policy: Connect

  • Configuring Mobile User Security (MUS)

    asa(config)# webvpn
    asa(config-webvpn)# mus 10.10.10.0 255.255.255.0 inside
    asa(config-webvpn)# mus password th1s!sap4sswd
    asa(config-webvpn)# mus server enable 960
    asa(config-webvpn)# mus host mus.cisco.com

    (The default MUS server port is 610.)

    MUS is a "solution" which provides an "always-on" SSL VPN connection from a mobile user to the ASA, which then directs the traffic to one or more WSAs for content filtering.

  • Debugging MUS Connections

    debug webvpn mus

    asa# Listening WSA on 11999
    MUS:timeout: Last update started 0; Next check in 5
    MUS:timeout: Last update started 0; Next check in 5
    MUS:timeout: Last update started 0; Next check in 5

    show webvpn mus

    ciscoasa(config)# show webvpn mus
    No active WSA connections

  • Mobile User Security Routing Problems

    (Diagram) Client (AnyConnect) on the Internet; ASA outside interface 209.165.200.225 on 209.165.200.224/27; ASA inside interface 10.10.10.254 on 10.10.10.0/24 with the Web Security Appliance (WSA) at 10.10.10.123; management interface 192.168.1.254 on 192.168.1.0/24 with the Management (ASDM) host.

    Tunnel default gateway:

    route inside 0.0.0.0 0.0.0.0 10.10.10.123 tunneled

    One of the common problems in MUS implementations is routing issues due to a misconfigured or missing tunnel default gateway.

  • AnyConnect Telemetry

  • Introduction to the AnyConnect Telemetry Module

    The AnyConnect telemetry module for AnyConnect Secure Mobility Client sends information about the origin of malicious content to the web filtering infrastructure of the Cisco IronPort Web Security Appliance (WSA).

    The web filtering infrastructure uses this data to strengthen its web security scanning algorithms, improve the accuracy of the URL categories and web reputation database, and ultimately provide better URL filtering rules.

  • AnyConnect Telemetry Module Capabilities

    The AnyConnect telemetry module performs these functions:

    Monitors the arrival of content on the endpoint.

    Identifies and records the origin of any content received by the endpoint whenever possible.

    Reports detection of malicious content, and its origin to Cisco's Threat Operations Center.

    Checks the ASA every 24 hours for an updated Host Scan image. If there is an updated Host Scan image available, it pulls down the image to the endpoint.

  • Important Files During Troubleshooting

    actsettings.xml: installed on the endpoint at %ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Telemetry

    File contains the base configuration for Telemetry.

    telemetry_profile.tsp: the name of this file is specified by the ASA administrator. Stored on the ASA; its location is specified on the client profile screen (ASDM): Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile

    All elements defined in this file overwrite those in the actsettings.xml file.

  • AnyConnect SSL VPN Lab

  • AnyConnect IPv6 Support

  • Topology: Example 1

    (Diagram) Client (AnyConnect) on the Internet; ASA outside interface on 209.165.200.224/27; IPv4 on the outside, IPv6 on the inside Corporate Network.

    The SSL VPN tunnel must be terminated using IPv4. The client is then assigned an IPv6 address in order to pass IPv6 traffic over the SSL tunnel.

  • IPv6 Support in AnyConnect Client

    The ASA does not support IPv6 addresses for split tunneling.
    The local print feature does not support IPv6 printers.
    The client firewall does not support IPv6 devices on the local network.

  • Cisco ASA Configuration: IPv6 Pool

    Configuration on the ASA is very simple: create an IPv6 pool in the Cisco ASA for the AnyConnect client connections.

    Enter the starting IP address, prefix length and number of IPv6 addresses to be assigned.

  • IPv6 Assigned Address

    The assigned IPv6 address is shown under the Statistics tab.

  • IPv6 AnyConnect Lab

  • Thank you.