The following experts helped Jazib answer a few of the questions asked during the session: Omar Santos, James Cline, and Larry Edie. Omar and Larry are top security experts and have vast knowledge in security topics.
A. You cannot customize the word "password" with the word "token" being displayed to the end user. The reason we enable double authentication is that many customers wanted to use two-factor authentication, such as SDI or token-based authentication, together with an internal authentication database such as Active Directory (AD). This is why, when we stated this, it is assumed that users will be using SDI. Therefore, two options are given: token or passcode. I do not think there is an option to do this in the current version. However, it is a good point. For example, when you are using AD or RADIUS for authentication databases and you want token or passcode written on it. We can possibly work with BU for enhancement and get it done. For more information on customization options, refer to
A. The capture command captures both local users and users that are being authenticated with an external authentication server (such as RADIUS, SDI, etc.). For more information, refer to
A. Some of the debug levels are very well defined from the different level perspectives. However, a lot of debugs are not as defined from each level perspective, such as what messages you are supposed to get, or what messages you expect at each level. Depending on what debug you are using, I would say a general safe option. For example, if you enable debug 251, what if that debug 255 shows you the decoded packets and you expect that you might just crash your system because you get so much debug at a packet level that you will not be able to sustain it. Therefore, the safest option is around 127 because once you have debug 127 enabled, it chooses enough messages and enough details to take it to the next level. If it says it is failing because of this and you are still not sure, you can increase the debugs. However, it is not recommended to enable debug 255 unless you know what you are expecting. If you do not know what output you might receive, then start with level 127.
The debug command output is assigned high priority in the CPU process(es) in the ASA, and these can cause performance issues in busy networks. For this reason, it is recommended to use debug commands only to troubleshoot specific problems or during troubleshooting sessions with the Cisco Technical Support staff. You might want to start by enabling the debugs with low levels (for example, default vs. level 255). There is no "one-size-fits-all" value for every debug because each has a different amount of data/output being displayed. On the other hand, the recommendation is to start with a low value (or even something such as 125) and work your way up based on the amount of output and the need during troubleshooting.
A. It is best to get a DART file from the machine and work with the Technical Assistance Center (TAC).
A. You can only have one domain name for resolution, but you can have multiple domain names for split tunneling. For example:
split-dns value Domain1 Domain2 Domain3 Domain4
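The following ASA group-policy fragment, added here as an illustration and not taken from the session, shows the contrast the answer describes: a single resolution domain (default-domain) next to several split-DNS domains, paired with a split-tunnel ACL. The group-policy name, ACL name, domains and server address are assumed placeholders.

```text
! Constructed example: standard ACL naming the networks that go through the tunnel
access-list SPLIT-TUNNEL-ACL standard permit 10.0.0.0 255.0.0.0

group-policy RA-SPLIT-POLICY internal
group-policy RA-SPLIT-POLICY attributes
 ! Internal DNS server handed to the client for tunnelled queries
 dns-server value 10.0.0.10
 ! Only ONE domain can be set as the client's default resolution domain
 default-domain value corp.example.com
 ! Several domains are allowed here; queries for these resolve over the tunnel,
 ! everything else resolves through the client's local DNS
 split-dns value corp.example.com lab.example.com partner.example.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-ACL
```

Verify with `show running-config group-policy RA-SPLIT-POLICY`; if a second `default-domain value` line is entered it replaces the first rather than adding to it, whereas the `split-dns value` line keeps every domain listed.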
A. We are updating our ASA book with more information, including ASA version 9.0.
A. Yes, you can use the AnyConnect client with a VPN tunnel to allow an IP Communicator to connect.
A. There are several things that can cause voice clarity issues. Check for latency and jitter. Also, make sure the connection is using DTLS. DTLS uses UDP instead of TCP and is faster for voice. One other thing is to use G.729 compression.
A. For configuring DTLS, refer to this configuration guide:
A. Yes, DTLS is UDP based and is much faster. Cisco recommends it for voice over a VPN connection.
A. Yes, clientless SSL can be used for RDP. You have to install a server-side plug-in. There are three types of plug-ins available that you can download from Cisco's website: a plug-in for RDP, a plug-in for VNC, and a plug-in for SSH/Telnet. Once you download and install the plug-ins on the ASA, you can use RDP. If you are not choosing the plug-ins and want to tunnel the traffic, the second option is to use the thin client with the smart tunnel option and port forwarding.
A. It is slated for a future release. I am not aware of a date yet.
A. It is possible to use FQDN for certificates.
A. Yes, at the moment you can certainly send IPv6 traffic over the SSL tunnel. However, the restriction is that it terminates the IPv4 tunnels. For example, in a way it is encapsulating v6 traffic over v4, so your slot indicates to the head and you are still pushed down. In summary, your client is encapsulating v6 traffic over v4 traffic in a tunnel. From a v6 perspective, you should be able to communicate end to end.
A. Bookmarks are used to link clientless users to internal servers via the clientless VPN tunnel. These are similar to bookmarks/favorites in your web browser. However, they tunnel the traffic through the ASA. Refer to the clientless configuration guide at:
For sample clientless configurations, refer to http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html.
A. ASDM is easier when configuring bookmark templates. In certain scenarios, such as DAP, you cannot use the CLI to configure SSL VPN options/features.
A. The bookmarks are stored in an XML file on the flash.
A. The only way you can add bookmarks from the CLI is by manually creating an XML file and uploading it.