AnyConnect Secure Mobility Client Software Frequently Asked Questions

smallbusiness · ‎08-18-2017

Article ID:5467

Objective

This article contains the frequently asked questions in setting up, configuring, and troubleshooting the Cisco AnyConnect Secure Mobility Client and their answers.

Frequently Asked Questions

Product Features

1. What is the Cisco AnyConnect Secure Mobility Client?

The Cisco AnyConnect Secure Mobility Client, also known as the Cisco AnyConnect VPN Client, is a software application for connecting to a Virtual Private Network (VPN) that works on various operating systems and hardware configurations. This software application makes it possible for remote resources of another network become accessible as if the user is directly connected to his network, but in a secure way. Cisco AnyConnect Secure Mobility Client provides an innovative new way to protect mobile users on computer-based or smart-phone platforms, providing a more seamless, always-protected experience for end users and comprehensive policy enforcement for IT administrator.

2. What are the advantages of using the Cisco AnyConnect Secure Mobility Client?

The Cisco AnyConnect Secure Mobility Client has the following advantages:

Secure and persistent connectivity
Persistent security and policy enforcement
Deployable from the Adaptive Security Appliance (ASA) or from Enterprise Software Deployment Systems
Customizable and translatable
Easily configured
Supports both Internet Protocol Security (IPsec) and Secure Sockets Layer (SSL)
Supports Internet Key Exchange version 2.0 (IKEv2.0) protocol

3. What are the main features of the Cisco AnyConnect Secure Mobility Client?

The Cisco AnyConnect Secure Mobility Client has the following main features:

Core Features
Connect and Disconnect Features
Authentication and Encryption Features
Interfaces

To know more about the details of minimum release requirements, license requirements, and supported operating systems of each of this features, click here.

License Options

4. What are the licenses that may be required for the deployment of AnyConnect Secure Mobility Client?

One or more of the following AnyConnect licenses may be required for your deployment:

AnyConnect Plus — Supports basic AnyConnect features such as VPN functionality for PC and mobile platforms (AnyConnect and standards-based IPsec Internet Key Exchange version 2 (IKEv2) software clients), Federal Information Processing Standard (FIPS), basic endpoint context collection, 802.1x Windows supplicant, and web security Secure Sockets Layer (SSL) VPN. Plus licenses are most applicable to environments previously served by the AnyConnect Essentials license and users of Cisco Identity Services Engine (ISE) posture, Network Access Manager, or Web Security modules.
AnyConnect Apex — Supports all basic AnyConnect Plus features in addition to advanced features such as clientless VPN, VPN posture agent, unified posture agent, Next Generation Encryption or Suite B, Security Assertion Markup Language (SAML), all plus services and flex licenses. Apex licenses are most applicable to environments previously served by the AnyConnect Premium, Shared, Flex, and Advanced Endpoint Assessment licenses.
VPN Only (Perpetual) — Supports VPN functionality for PC and mobile platforms, clientless (browser-based) VPN termination on Adaptive Security Appliance (ASA), VPN-only compliance and posture agent in conjunction with ASA, FIPS compliance, and next-generation encryption (Suite B) with AnyConnect and third-party IKEv2 VPN clients. VPN only licenses are most applicable to environments wanting to use AnyConnect exclusively for remote access VPN services but with high or unpredictable total user counts. No other AnyConnect function or service (such as Web Security module, Cisco Umbrella Roaming, ISE Posture, Network Visibility module, or Network Access Manager) is available with this licensee.

Support

5. What are the modules that the Cisco AnyConnect Secure Mobility Client support?

The Cisco AnyConnect Secure Mobility Client supports the following modules:

Hostscan and Posture Assessment
ISE Posture
Web Security
AMP Enabler
Network Visibility Module
Umbrella Roaming Security Module
Reporting and Troubleshooting Modules

To know more about the details of minimum release requirements, license requirements, and supported operating systems of these modules, click here.

6. What operating systems are supported by the Cisco AnyConnect Secure Mobility Client?

The Cisco AnyConnect Secure Mobility Client supports the following Operating Systems:

Windows 10 x86 (32-bit) and x64 (64-bit)
Windows 8.1 x86 (32-bit) and x64 (64-bit)
Windows 8 x86 (32-bit) and x64 (64-bit)
Windows 7 SP1 x86 (32-bit) and x64 (64-bit)
Mac OS X 10.10, 10.11, and 10.12
Linux Red Hat 6 (64-bit)
Ubuntu 12.04 (LTS), 14.04 (LTS), 16.04 (LTS) (all 64-bit)

To know more about the AnyConnect Support for each Operating System, click here.

7. Does Cisco AnyConnect Secure Mobility Client support Apple iOS devices?

Yes.

8. What Apple iOS devices are supported by Cisco AnyConnect Secure Mobility Client?

The following Apple iOS devices are supported:

Device	Apple iOS Release Required
iPad Air	7.0 or later
iPad 2	6.0 or later
iPad (3rd generation)	6.0 or later
iPad (4th generation)	6.0 or later
iPad mini	6.0 or later
iPad mini (with Retina display)	7.0 or later
iPad-Pro	9.0 or later
iPhone 3GS	6.0 - 6.1.6
iPhone 4	6.0 - 7.1.2
iPhone 4S	6.0 or later
iPhone 5	6.0 or later
iPhone 5C	7.0 or later
iPhone 5S	7.0 or later
iPhone 6	8.0 or later
iPhone 6 Plus	8.0 or later
iPhone 6s	9.0 or later
iPhone 6s Plus	9.0 or later
iPod Touch (4th generation)	6.0 - 6.1.6
iPod Touch (5th generation)	6.0 or later

To know about the features supported in AnyConnect for Apple iOS devices, click here.

9. Does Cisco support AnyConnect VPN access to Cisco IOS?

Cisco supports AnyConnect VPN access to IOS Release 15.1(2)T functioning as the secure gateway; however, IOS Release 15.1(2)T does not currently support the following AnyConnect features:

Post Log-in Always-on VPN
Connect Failure Policy
Client Firewall providing Local Printer and Tethered Device access
Optimal Gateway Selection
Quarantine
AnyConnect Profile Editor

10. Does Cisco AnyConnect Secure Mobility Client support Android devices?

Yes.

11. What Android devices are supported by the Cisco AnyConnect Secure Mobility Client?

All Android devices that have Android 4.0 (Ice Cream Sandwich) and later.

Installation

12. Is AnyConnect weblaunch installation supported on 64-bit browsers (IE - Internet Explorer)?

AnyConnect installation via weblaunch is not supported on 64-bit IE browsers.

13. What level of rights is required to install the Cisco AnyConnect Secure Mobility Client?

Administrative level privilege is required to install the Cisco AnyConnect Secure Mobility Client but only for initial installation.

14. Do I need to reboot my system after installing or upgrading the Cisco AnyConnect Secure Mobility Client?

No. Unlike the IPSec VPN Client, a reboot is not necessary after the installation or an upgrade.

15. Is it possible to save the password credentials on AnyConnect so that it will not request authentication again the next time?

No, it is not possible to save the password credentials on AnyConnect.

Compatibility

16. What Interoperability Considerations should I keep in mind before installing the Cisco AnyConnect Secure Mobility?

Coexistence of ISE and ASA Headends
If you are using both ISE and ASA for client posture, the profiles must match on both headends.
AnyConnect ignores the ISE 1.3 server if Network Access Control (NAC) Agent is provisioned for the endpoint.
If the Cisco NAC agent and the VPN Posture (HostScan) module are both installed on a client, the Cisco NAC agent must be at least version 4.9.4.3 or later to prevent posture conflicts.
The NAC Agent ignores the ISE 1.3 server if AnyConnect is provisioned for the endpoint in ISE.

17. What are the known third party applications that conflict with the Cisco AnyConnect Secure Mobility?

The following third-party applications have known complications with Cisco AnyConnect Secure Mobility Client:

Adobe and Apple — Bonjour Printing Service

– Adobe Creative Suite 3

– Bonjour Printing Service

– iTunes

AT&T Communications Manager Versions 6.2 and 6.7

– AT&T Sierra Wireless 875 card

AT&T Global Dialer
Citrix Advanced Gateway Client Version 2.2.1
Firewall Conflicts

– Third-party firewalls can interfere with the firewall function configured on the ASA group policy.

Juniper Odyssey Client
Kaspersky AV Workstation 6.x
McAfee Firewall 5
Microsoft Internet Explorer 8
Microsoft Routing and Remote Access Server
Microsoft Windows Update
OpenVPN client
Load balancers
Wave EMBASSY Trust Suite
Layered Service Provider (LSP) Modules and NOD32 AV
EVDO Wireless Cards and Venturi Driver
DSL routers
CheckPoint and other Third-Party Software such as Kaspersky
Virtual Machine Network Service Drivers

18. Can AnyConnect co-exist with IPSec and/ or SSL VPN clients from other vendors on the same PC?

Yes. But the following general rules apply to all AnyConnect versions:

The AnyConnect client should work fine if the other vendor products are disabled and the following should NOT be done:

Install a Winsock LSP that remains active when the 3rd party software is not running.
Install a local http proxy that remains active when the 3rd party software is not running.
Installs any drivers that continue to intercept traffic when the 3rd party software is not running.
Additionally, any restrictions that are done to the MTU of the physical interface could result in performance degradation.

Basic Troubleshooting

19. When AnyConnect attempts to establish a connection, it authenticates successfully and builds the SSL session, but then the AnyConnect client crashes in the vpndownloader if using LSP or NOD32 AV. What should I do?

Remove the Internet Monitor component in version 2.7 and upgrade to version 3.0 of ESET NOD32 AV.

20. I am using an AT&T Dialer and the client operating system sometimes experiences a blue screen that causes the creation of a mini dump file. What should I do?

Upgrade to the latest 7.6.2 AT&T Global Network Client.

21. When Kaspersky 6.0.3 is installed (even if disabled), AnyConnect connections to the ASA fail right after CSTP state = CONNECTED and the following message appears: “SVC message: t/s=3/16: Failed to fully establish a connection to the secure gateway (proxy authentication, handshake, bad cert, etc.).”

Uninstall Kaspersky and refer to their forums for additional updates.

22. When using McAfee Firewall 5, a UDP DTLS connection cannot be established.

In the McAfee Firewall central console, choose Advanced Tasks > Advanced options and Logging and uncheck the Block incoming fragments automatically check box in McAfee Firewall.

23. I am using RRAS, the following termination error is returned to the event log when AnyConnect attempts to establish a connection to the host device: “Termination reason code 29 [Routing and Remote Access service is running] The Windows service “Routing and Remote Access” is incompatible with the Cisco AnyConnect VPN Client. “

Disable the RRAS service.

24. What should I do if the connection fails due to lack of credentials?

The third-party load balancer has no insight into the load on the ASA devices. Because the load balance functionality in the ASA is intelligent enough to evenly distribute the VPN load across the devices, we recommend using the internal ASA load balancing instead.

25. The AnyConnect client fails to download and produces the following error message: “Cisco AnyConnect VPN Client Downloader has encountered a problem and needs to close.”

Upload the patch update to version 1.2.1.38 to resolve all dll issues.

26. I am using Bonjour Printing Services, the AnyConnect event logs indicate a failure to identify the IP forwarding table.

Disable the Bonjour Printing Service by entering net stop “bonjour service” at the command prompt. A new version of mDNSResponder (1.0.5.11) has been produced by Apple. To resolve this issue, a new version of Bonjour is bundled with iTunes and made available as a separate download from the Apple web site.

To know more about the Apple iOS known issues and limitations with Cisco AnyConnect Secure Mobility Client, click here. (link to Apple iOS Known Issues and Limitations article)

27. An error indicates that the version of TUN is already installed on this system and is incompatible with the AnyConnect client.

Uninstall the Viscosity OpenVPN Client.

28. What should I do if an LSP module is present on the client and a Winsock catalog conflict occurs?

Uninstall the LSP module.

29. I am connecting with a DSL router, and DTLS traffic fails even if it has successfully negotiated. What should I do?

Connect to a Linksys router with factory settings. This setting allows a stable DTLS session and no interruption in pings. Add a rule to allow DTLS return traffic.

30. When using AnyConnect on some Virtual Machine Network Service devices, performance issues have resulted. What should I do?

Uncheck the binding for all IM devices within the AnyConnect virtual adapter. The application dsagent.exe resides in C:\Windows\System\dgagent. Although it does not appear in the process list, you can see it by opening sockets with TCPview (sysinternals). When you terminate this process, normal operation of AnyConnect returns.

To know more about other issues and troubleshooting tips to resolve them, click here.