Jazib Frahim (CCIE 5459) is a Technical Leader in the World Wide Security Services Practice of Cisco Advanced Services for Network Security. Previously, he was a Technical Leader for the Cisco TAC Security team and led engineers in resolving complex security and VPN problems. He holds two CCIE certifications: one in Routing and Switching, and one in Security. He has presented at Cisco Live on multiple occasions, and has written numerous technical documents and books. These include Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance (1st and 2nd Edition); Cisco Network Admission Control, Volume 2; and Cisco SSL VPN Solutions.
The following experts helped Jazib answer a few of the questions asked during the session: Omar Santos, James Cline, and Larry Edie. Omar and Larry are top security experts and have vast knowledge in security topics.
You can download the slides of the presentation in PDF format here. The related Ask The Expert session is available here. The Complete Recording of this live Webcast can be accessed here.
Q. With double authentication, we end up with two fields on the AnyConnect client called 'Password'. Can we customize this to 'token' or 'passcode' if we use another RADIUS-based authentication method instead of using SDI?
A. You cannot customize the word "password" so that the word "token" is displayed to the end user. The reason we enabled double authentication is that many customers wanted to use 2-factor authentication, such as SDI or token-based authentication, together with an internal authentication database such as Active Directory (AD). This is why, when we stated this, it was assumed that users would be using SDI. Therefore, two options are given: token or passcode. I do not think there is an option to do this in the current version. However, it is a good point; for example, when you are using AD or RADIUS as the authentication database and you want "token" or "passcode" written on it. We can possibly work with the BU for an enhancement and get it done. For more information on customization options, refer to
Q. Can I have reference information for different debug levels, for example, debug webvpn <1, 7, 255>?
A. Some of the debug levels are very well defined from the different level perspectives. However, a lot of debugs are not as well defined at each level, such as what messages you are supposed to get, or what messages you expect at each level. Depending on what debug you are using, I would say there is a generally safe option. For example, if you enable debug 251, what if that debug 255 shows you the decoded packets and you might just crash your system because you get so much debug at a packet level that you will not be able to sustain it. Therefore, the safest option is around 127, because once you have debug 127 enabled, it shows enough messages and enough details to take it to the next level. If it says it is failing because of this and you are still not sure, you can increase the debugs. However, it is not recommended to enable debug 255 unless you know what you are expecting. If you do not know what output you might receive, then start with level 127.
The debug command output is assigned high priority in the CPU process(es) on the ASA, and this can cause performance issues in busy networks. For this reason, it is recommended to use debug commands only to troubleshoot specific problems or during troubleshooting sessions with the Cisco Technical Support staff. You might want to start by enabling the debugs at low levels (for example, default vs. level 255). There is no "one-size-fits-all" value for every debug because each has a different amount of data/output being displayed. In other words, the recommendation is to start with a low value (or even something such as 125) and work your way up based on the amount of output and the need during troubleshooting.
Q. Recently, the server admin pushed McAfee firewall to client machines. Since then the user machines crash when they start AnyConnect and try to access internal websites. How can I identify the source of the problem using the AnyConnect troubleshooting tools?
A. It is best to get a DART file from the machine and work with the Technical Assistance Center (TAC).
Q. Can you have multiple domains listed for resolution by the client? For example, the internal domains include both abc.com and def.com. Can these be set up as comma-delimited in the policy?
A. You can only have one domain name for resolution, but you can have multiple domain names for split tunneling. For example:
split-dns value Domain1 Domain2 Domain3 Domain4.
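As an added example (not configuration from the session), here is the group-policy context in which split-dns takes effect on the ASA: the single default-domain is separate from the list of split-dns domains, and the split-dns list only matters when a split-tunnel policy is in use. The interface, ACL and policy names are placeholders.

```cisco
! Added example, not from the session. ACL/group-policy names are placeholders.
! Networks reachable only through the tunnel (the split-tunnel list).
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0

group-policy ANYCONNECT_GP internal
group-policy ANYCONNECT_GP attributes
 ! Exactly one default domain (as stated in the answer above): it is
 ! appended to unqualified names on the client.
 default-domain value abc.com
 ! Several domains for split DNS: queries for these names go to the
 ! tunnel DNS server, everything else goes to the client's local resolver.
 split-dns value abc.com def.com
 ! split-dns only has an effect with a split-tunnel policy; with the
 ! default tunnelall policy all DNS traffic already goes through the tunnel.
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 ! Internal resolver pushed to the client (placeholder address).
 dns-server value 10.0.0.53
!
! Check what is actually pushed to the client:
! show run group-policy ANYCONNECT_GP
```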
Q. What is the best book to get in order to receive more troubleshooting information?
A. We are updating our ASA book with more information, including ASA version 9.0.
SSL VPN Related Questions
Q. Can we use an IP Communicator with SSL VPN?
A. Yes, you can use the AnyConnect client with a VPN tunnel to allow an IP Communicator to connect.
Q. I configured an IP Communicator with SSL VPN, but the voice is not clear. Why?
A. There are several things that can cause voice clarity issues. Check for latency and jitter. Also, make sure the connection is using DTLS; DTLS uses UDP instead of TCP and is faster for voice. Another option is to use G.729 compression.
Q. Is there a document that details how to configure the DTLS?
A. For configuring DTLS, refer to this configuration guide:
Q. Is it recommended to use DTLS for the IP Communicator under SSL VPN?
A. Yes, DTLS is UDP based and is much faster. Cisco recommends it for voice over a VPN connection.
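As an added example (not from the session), the ASA configuration that enables DTLS for AnyConnect sessions, in ASA 8.4+/9.x syntax (older releases use the svc keywords instead). Interface and policy names are placeholders; the check at the end shows how to confirm that a session really negotiated DTLS rather than falling back to TLS over TCP.

```cisco
! Added example, not from the session. Names and the image path are placeholders.
webvpn
 ! Enables SSL (TCP/443) and DTLS (UDP/443) on the outside interface.
 ! "enable outside tls-only" would instead force every session onto TCP-only TLS.
 enable outside
 dtls port 443
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
!
group-policy ANYCONNECT_GP attributes
 webvpn
  ! DTLS is negotiated per session; it is on by default, shown here explicitly.
  anyconnect ssl dtls enable
  ! Keepalives (seconds) stop NAT/firewall state on the path from
  ! expiring the UDP flow, which would silently drop the DTLS tunnel.
  anyconnect ssl keepalive 20
  anyconnect dtls compression none
!
! Check: a healthy voice session shows a DTLS-Tunnel in addition to the
! SSL-Tunnel. If only SSL-Tunnel appears, UDP/443 is being blocked on the
! path and the client has fallen back to TLS over TCP (more latency for voice).
! show vpn-sessiondb detail anyconnect
```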
Q. Can the clientless SSL be used for RDP?
A. Yes, clientless SSL can be used for RDP. You have to install a server-side plug-in. There are three types of plug-ins available that you can download from Cisco's website: a plug-in for RDP, a plug-in for VNC, and a plug-in for SSH/Telnet. Once you download and install the plug-ins on the ASA, you can use RDP. If you do not choose the plug-ins and want to tunnel the traffic, the second option is to use a thin client with the smart tunnel option and port forwarding.
Q. When will ASA support SSL VPN in multiple context mode?
A. It is slated for a future release. I am not aware of a date yet.
Q. When we are looking at SSL VPN and certificates, is it possible to use the FQDN for access restriction so that the FQDN refers to an access-list or a policy?
A. It is possible to use FQDN for certificates.
Q. Do we support IPv6 traffic over SSL VPN tunnel?
A. Yes, at the moment you can certainly send IPv6 traffic over the SSL tunnel. However, the restriction is that it terminates the IPv4 tunnels. For example, in a way it is encapsulating v6 traffic over v4, so your slot indicates to the head and you are still pushed down. In summary, your client is encapsulating v6 traffic over v4 traffic in a tunnel. From a v6 perspective, you should be able to communicate end to end.
Bookmarks Related Questions
Q. What is a bookmark on configuring clientless VPN?
A. Bookmarks are used to link clientless users to internal servers via the clientless VPN tunnel. These are similar to bookmarks/favorites in your web browser. However, they tunnel the traffic through the ASA. Refer to the clientless configuration guide at: