01-14-2011 10:14 AM - edited 08-24-2017 12:22 AM
Vikas Saxena is a Customer Support Engineer at the Cisco Technical Assistance Center Security and VPN team in India. He also holds the CCIE Security certification: CCIE #19971.
This document contains the answers provided for the questions asked during the live "Ask the Expert" webcast session on the topic "AnyConnect: Configuration and Troubleshooting".
The series of Ask The Expert sessions is available in the Ask The Expert section of Cisco Support Community.
The Complete Recording of this live Webcast is present below:
A. Usage of the AnyConnect client is generally not topology specific, and it can be used in the scenarios where one would need to tunnel all traffic via SSL. Any communication to the internal network from outside is a common practice where one would use AnyConnect.
A. The underlying protocols used by the clients are different: the IPSec client will use IKE, where AnyConnect will use SSL encryption. There is a difference in the compatibility with the OS (support in Vista both 32 and 64 bit, Win XP, Win 2k, Mac OS X, and Red Hat Linux version 9 or higher), wherein it is required to install the package initially or have it pushed from the ASA, and no admin privileges are required subsequently, hence less admin overhead is required for installing and maintaining the IPSec client.
A. We will have to check the configuration from the ASA. However, the common issue will be that the SVC protocol is not enabled in the group-policy.
A. With clientless there is no IP address assigned from the head-end ASA and the traffic is proxied via the ASA, whereas with AnyConnect an IP address is assigned from the pool and hence it has the features of the IPSec client. Hence AnyConnect will have full tunneling features, unlike clientless VPN. Clientless supports both a browser-based (no client) mode and a thin-client mode (port-forwarding, Smart Tunnels).
A. I am not able to find an end-to-end config example. Here is the ACS 5.1 user guide that talks about it: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1138165. Basically, we do a lookup for the user group and map it to access policies, and under the access policy we send the class attribute 25 with the group policy name.
A. The CA server normally signs the Certificate Signing Request, and the same has to be imported or pasted in base64 as the identity certificate. If an external CA server like GoDaddy etc. is used, then they will go ahead and sign the request for you. If your own CA server is being used, then the vendor documentation needs to be followed. The following link could be helpful for further understanding: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml.
Q. What could be the issues when configuring AnyConnect and site to site on same ASA?
A. There should not be any issues while configuring L2L and AnyConnect on a single ASA. We would suggest using different tunnel-groups and group-policies to isolate the two.
A. No, the certificates are automatically replicated to the standby ASA in an A/S setup. Exception: certificates in PKCS12 format are not replicated due to bug ID CSCsr71150. The workaround is to issue the command "write standby" on the active ASA, and it will sync the configs and certs.
A. For AnyConnect VPN over the web, TCP port 443 should be open (unless changed). If DTLS is used, the ISP should also have the DTLS port open on the path. By default on the ASA, the TLS and DTLS ports are configured to 443.
A. The VPN acceleration card is for the IPSec client, and not for SSL clients. For the IPSec client, hardware-based encryption is used to offload CPU cycles and for faster processing of packets, unlike software-based encryption.
A. Most probably the IP address pool is not defined under AnyConnect Connection Profile > Client Address Pool. Please check there.
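The points raised in the answers above (the SVC protocol missing from the group-policy, separate tunnel-groups and group-policies for L2L and AnyConnect on one ASA, TLS and DTLS on port 443, and the client address pool referenced from the connection profile) as one ASA 8.2-era CLI configuration. This is an added example, not configuration from the original session or from Cisco; the pool range, interface name, policy and tunnel-group names, DNS server, peer address, package filename and pre-shared key are all placeholders chosen for illustration.

```cisco
! --- Client address pool: the tunnel-group below must reference it,
!     otherwise AnyConnect users get no address and the session fails ---
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- SSL VPN head end on the outside interface ---
webvpn
 enable outside
 ! TLS and DTLS both default to 443; shown explicitly so the values to open
 ! on the path (TCP 443 and UDP 443) are visible in the config
 port 443
 dtls port 443
 ! placeholder package name: use the AnyConnect package actually on flash
 svc image disk0:/anyconnect-win-<version>-k9.pkg 1
 svc enable
 tunnel-group-list enable

! --- Group-policy dedicated to AnyConnect ---
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 ! 'svc' is the SSL client (AnyConnect) protocol; without it here the
 ! client is rejected even though everything else is in place
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10

! --- Connection profile (tunnel-group) for AnyConnect ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias ANYCONNECT enable

! --- Site-to-site peer on the same ASA, isolated in its own objects ---
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-tunnel-protocol IPSec
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
```

Keeping the remote-access and L2L tunnel-groups on separate group-policies means a change to the AnyConnect protocol list, split-tunnel policy or DNS settings cannot silently alter the site-to-site tunnel, which is the isolation the answer above recommends.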
A. This issue is being addressed under an Enhancement request. Please contact TAC for more details.
Q. Why LDAP and not RADIUS with a windows NPS policy server?
A. If I understand the question correctly, then it is AnyConnect to the ASA and xauth from Windows NPS using RADIUS or LDAP. If this is correct, then I don't see a reason why RADIUS should not work. Though I don't have documentation on that right now, this should work.
A. Refer to the following documentation: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml. In case we still face issues with SBL, we will have to look into the DART bundle to identify the issue. We would suggest contacting TAC.
Q. Where can we find information about DART?
A. Here is the URL with more info on DART: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac08managemonitortbs.html#wp1055965.
A. The AnyConnect Essentials license is for basic AnyConnect functionality; however, the Premium license has advanced features (CSD, WebVPN, endpoint assessment etc.) plus it also has the base features provided by the Essentials license. Therefore, once you enable the Premium license, the Essentials license is overwritten.
A. The Cisco IPSec VPN Client version 3.x did not have the virtual adapter in it. This caused the protocols having IP address configuration information in the payload (for example FTP) to face several issues. In version 4.0 the virtual adapter was introduced, and this caused split tunneling to work fine. This also made troubleshooting easier, as we were able to capture packets on the virtual adapter. The major advancement was the support for the Windows Vista and Windows 7 (both 32 and 64 bit) operating systems. AnyConnect is considered the major advancement in SSL VPN technology.
A. No. We cannot enable WebVPN with the AnyConnect Essentials license, as the license is specific to AnyConnect only. You need to give the "AnyConnect essential" command under WebVPN to disable the WebVPN feature on the ASA.
A. Yes. Client authentication is supported in SSL VPN including AnyConnect. Client certificates are also supported. The ASA can check the client certificate, and you can have certificate maps as well. Similar to an LDAP map, a certificate map can also be created. A user who belongs to a department called sales will have a certificate with the OU as sales. This user is automatically bound to the sales group.
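The certificate-map idea from the answer above (a client certificate carrying OU=sales lands the user in the sales group without any manual selection) as an added ASA 8.2-era CLI example; it is not configuration from the original session or from Cisco. The trustpoint names, the tunnel-group and group-policy names and the OU value are placeholders.

```cisco
! --- Trustpoint holding the CA that issued the client certificates ---
! After this block, the CA certificate is pasted in with the exec command
! 'crypto ca authenticate CORP-CA'
crypto ca trustpoint CORP-CA
 enrollment terminal

! --- Identity certificate presented by the ASA on the outside interface ---
! (assumes a trustpoint ASA-ID-CERT already enrolled with the CA)
ssl trust-point ASA-ID-CERT outside

! --- Certificate map: match on the Subject OU attribute ---
! Sequence 10 matches any certificate whose subject contains OU=sales
crypto ca certificate map SALES-CERT-MAP 10
 subject-name attr ou eq sales

! --- Group-policy and tunnel-group for the sales department ---
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol svc
tunnel-group SALES-TG type remote-access
tunnel-group SALES-TG general-attributes
 default-group-policy SALES-GP
tunnel-group SALES-TG webvpn-attributes
 ! authenticate the user with the client certificate instead of a password
 authentication certificate

! --- Bind the map to the tunnel-group: a matching certificate is
!     automatically placed in SALES-TG, no group-alias selection needed ---
webvpn
 certificate-group-map SALES-CERT-MAP 10 SALES-TG
```

Since the binding is driven by the certificate content rather than the group the user picks, the check worth running after rollout is that a certificate with a different OU does not match sequence 10 and falls through to the default tunnel-group; the map should be the only path into SALES-TG.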
A. QoS on the ASA is actually not regular QoS, as you can't mark the traffic with DSCP values. There are only 2 queues, the Low Latency Queue (LLQ) and the Best Effort Queue (BEQ). We cannot mark traffic, but we respect the marking already present on the traffic. Based on the marking we can put the traffic into either the LLQ or the BEQ.
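The two-queue model from the answer above (honour the DSCP marking that already exists and place matching traffic in the LLQ, everything else in the BEQ) as an added ASA CLI example; it is not configuration from the original session or from Cisco. The class-map and policy-map names and the choice of the outside interface are placeholders.

```cisco
! --- Enable the priority (low latency) queue on the egress interface ---
! Without this command the 'priority' action below has no queue to use
priority-queue outside

! --- Classify on the DSCP value already present in the packet ---
! The ASA does not set DSCP; it only matches what the sender marked
class-map VOICE-DSCP
 match dscp ef

! --- Put EF-marked traffic in the LLQ; unmatched traffic takes the BEQ ---
policy-map OUTSIDE-POLICY
 class VOICE-DSCP
  priority

! --- Apply the policy to the interface that owns the priority queue ---
service-policy OUTSIDE-POLICY interface outside
```

Because the ASA trusts the marking it receives, a policy like this only helps where the upstream devices (or the AnyConnect endpoint's own applications) are marking correctly; verifying that EF traffic is actually hitting the LLQ with show service-policy output is the first check when voice over the tunnel still suffers.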
A. Yes, this can be done. This is not possible with the AnyConnect Essentials license but can be done using the full AnyConnect license. You also have the flexibility of using Cisco Secure Desktop (CSD).
Miscellaneous
Q. Will the presentation be available for download or later review?
A. Yes, it will be available so that you can review and download it. It will be on the Cisco Support Community: https://supportforums.cisco.com