[toc:faq]
Introduction
Vikas Saxena is a Customer Support Engineer at the Cisco Technical Assistance Center Security and VPN team in India. He also holds the CCIE Security certification: CCIE #19971.
This document contains the answers provided for the questions asked during the live "Ask the Expert" Webcast session on the Topic - AnyConnect: Configuration and Troubleshooting.
The series of Ask The Expert sessions is available in the Ask The Expert section of Cisco Support Community.
The Complete Recording of this live Webcast is present below:
AnyConnect
Q. Under what circumstances (in which topology) we should configure AnyConnect Client?
A. Usage of AnyConnnect Client is generally not Topology specific and it can be used in the scenarios where in one would need to tunnel all traffic via SSL. Any communication to internal network form Outside is a common practice where in one would use AnyConnect.
Q. What is the difference between Cisco VPN Client and AnyConnect VPN Client?
A. The underlying protocol used by the client are different, IPSec client will use IKE where AnyConnect will use SSL encryption. There is difference in the compatibility with OS ( support in vista both 32 and 64 bit, win XP, win 2k, MAC OS X, and RED HAT linux version 9 or higher ) , wherein it is required to install the package initially or pushed from ASA, and no admin privilege are required subsequently, hence less admin overheads required for installing and maintaining IPSec Client.
Q. I have AnyConnect configured but whenever I tried to connect it through web it connect as clientless VPN rather running AnyConnect profile. What could be issue?
A. We will have to check the configuration from the ASA. However, the common issue will be that SVC protocol is not enabled in the group-policy
Q. What is difference between Clientless and AnyConnect VPN client?
A. With clientless there is no ip address assigned from the head end ASA and the traffic is proxied via the ASA, and ip address is assigned from the pool with AnyConnect and hence it has features of IPSec client. Hence AnyConnect will have full tunneling features, unlike clientless vpn. Clientless support both a browser-based (no client) and thin-client (port-forwarding, Smart-Tunnels)
Q. We're running the ASA with IPSec-Client only and are now trying to add SSL Support. The group Policy should be taken upon LDAP-Group names. This should be done by Cisco ACS5.1. Is there any Configuration example on how to combine ASA,ACS and LDAP?
A. I am not able to find end to end config example, Here is the ACS 5.1 user guide that talks about it:- http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1138165. Basically, we do a lookup for user group and map it to access policies and under the access policy, send the class attribute 25 with the group ppolicy name.
Q. How can we download the identity certificate from certificate server?
A. CA Server normally signs the Certificate Signing Request and same has be to imported or pasted in base64 as identity certificate. If external CA server like godaddy etc is used then they will go ahead and sign the request for you. If your own CA server is been used then, vendor documentation needs to be followed. Following link could be helpful for further understanding. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml.
Q. What could be the issues when configuring AnyConnect and site to site on same ASA?
A. There should not be any issues while configuring L2L and AnyConnect on a single ASA. We will suggest using different tunnel-group and group-policy to isolate the two.
Q. Do I need a own certificate for each ASA in a A/S Cluster?
A. No, the Certificates are automatically replicated to standby ASA in a A/S setup. Exception:Certificates replicated in PKCS12 format are not replicated due to bug ID CSCsr71150. The workaround is to Issue the command "write standby" on the active ASA and it will sync the configs and certs.
Q. If i want to configure VPN over web what should i need to know?
A. For AnyConnect VPN over Web TCP port 443 should be open (unless changed). If DTLS is used; ISP should also have the DTLS port to be opened on the path. By Default on ASA TLS and DTLS port are configured to 443.
Q. How the vpn acceleration control (vac) using on vpn server side? what are the advantages?
A. VPN acceleration card is for IPSec client, and not for SSL clients. For IPSec client when used with hardware based encryption is used to offload CPU cycles, and faster processing of packets, unlike with software based encryption.
Q. I am getting error for AnyConnect No assigned address?
A. Most probably the IP address pool is not defined under AnyConnect Connection profile > Client address pool. Please check here.
Q. Why is the local CA not supported on ASA Cluster?
A. This issue is being addressed under an Enhancement request. Please contact TAC for more details.
Q. Why LDAP and not RADIUS with a windows NPS policy server?
A. If I understand the question correctly, then AnyConnect to ASA and xauth from Windows NPS using Radius or LDAP. If this is correct then I don't see a reason why RADIUS should not work. Though I don't have a documentation on that right now, but this should work.
Q. SBL won't function?
A. Refer to the following documentation: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml In case we still face issues with SBL, we will have to look into the DART bundle to identify the issue. Will suggest contacting TAC.
Q. Where can we find information about DART?
A. Here is the url with more info on DART : - http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac08managemonitortbs.html#wp1055965.
Q. Why is it not possible to use the Essential license and some premium licenses at the same time?
A. AnyConnect Essential License is for basic AnyConnect functionality, however, Premium license have advanced features (CSD, WebVPN, end point assessment etc) plus it also have base features provided by essential license. Therefore, once you enable premium licenses, essential license is overwritten.
Q. Could you sum up all the VPN Clients with a little bit of history up until now the latest version with differences in capability's?
A. The Cisco IPSec VPN Client version 3.x did not had the virtual adapter in it. This caused the protocols having the IP address configuration information in the payload (example FTP) to face several issues. In version 4.0 virtual adapter was introduced and this caused Split Tunneling to work fine. This also made troubleshooting easier as we were able to capture packets on the virtual adapter. The major advancement was the support for Windows Vista and Windows 7 (both 32 and 64 bit) Operating System. AnyConnect is considered as the major advancement in SSL VPN technology.
Q. Can I enable WebVpn with AnyConnect Essential License?
A. No. We cannot enable WebVpn with AnyConnect Essential license as the license is specific for AnyConnect only. You need to give the command AnyConnect essential on the WebVpn to disable WebVpn feature on the ASA.
Q. Is Client Authentication supported in SSL VPN?
A. Yes. Client Authentication is supported in SSL VPN including AnyConnect. Client Certificate is also supported. The ASA can check the Client Certificate and you can have the certificate maps as well. Similar to LDAP Map Certificate Map can also be created. The user who belongs to a department called sales will have the certificate with the OU as sales. This user is automatically binded to the sales group.
Q. Can we configure QoS for Remote VPN ,particularly for voice traffic?
A. Qos on ASA is actually not regular QOS as you can't mark the traffic with the DSCP values.There are only 2 queues the Low Latency Queue(LLQ) and the Best Effort Queue(BEQ). We cannot mark traffic but we respect the marking already present on the traffic. Based on marking we can put the traffic to wither the LLQ or the BEQ..
Q. Can I prevent certain users from unknown location or untrusted pc to be connected to a network?
A. Yes this can be done. This is not possible on AnyConnect Essential license but can be done using the Full AnyConnect license. You can also have the flexibility of using the Cisco Secure Desktop(CSD).
Miscellaneous
Q. Will the presentation be available for download or later review?
A. Yes, it will be available so that you can review and download. It will be on the Cisco Support Community https://supportforums.cisco.com
.
Related Information
With Marcin Latosiewicz 
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address and troubleshoot common problems with Adaptive Security Appliances, Private Internet Exchange and Firewall Service Modules with Kureli Sankar. Kureli is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software.
With Akhil Behl
