Hi, With AnyConnect 4.7, is it possible to apply an equivalent of the always on VPN "connection fail closed" policy to a Management Tunnel / User tunnel setup? I've been testing the new mgmt tunnel feature, and have found that in a captive portal negotiation scenario, a user is able to access the internet in between the VPN switching from management tunnel to user tunnel (when at the user tunnel auth prompt). My requirement is to deploy a secure / always on / no split tunnel solution, with minimal user interaction, hence the question. Always on VPN is the alternative, but presents user context complications (i.e., we don't want to extend user beyond log off). Any ideas? Thanks.
Hi, I am evaluating AnyConnect v4.7 VPN for an always on / remote access solution and the various security controls. From the documentation, it is not clear how "Connection Failed closed" mode with captive portal remediation functions in the network stack to deny access to web resources beyond a captive portal login page. I need to understand this from a client security perspective. From testing, when the feature is enabled and the client is behind a captive portal...
1. It is possible to navigate to the captive portal.
2. Once logged into a captive portal, if I cancel / disconnect the VPN connection it is not possible to browse the web via browser (browser shows unable to resolve IP).
3. It is possible to do DNS lookups via command line when in this state.
For points 1 & 2, can anyone provide info on how this works? Does AnyConnect track captive portal URL/IP/packet TTL to only permit access to the captive portal page (and ASA VPN gateway IP)?
For point 3, does AnyConnect intercept DNS requests from the browser / WinINET to prevent the user from freely browsing?
Any assistance would be greatly appreciated so I can understand how these features can protect our clients and understand any potential incompatibilities with other client software. Thanks
Agreed - I have a support call in progress with TAC around this and am feeding back through our Cisco AM, but I did find a way around it. I thought I'd see what happened if I used an IP in that range for the VM itself [as you do!]. If you re-image the appliance and give it an IP in the 172.16.0.0/16 range during the setup, the docker interface changes to 172.18.0.0/16 and the Atlas interface to 172.16.2.0, which was sufficient for me to start using it, but obviously not a good state to be in long term.
I could then change the IP back to what I needed it to be via the application network menu once it had been installed.
[bit of a hack as I had to use another box on the same L2 segment with a secondary IP address in the 172.16.0.0/16 subnet to gain access to the Satellite GUI ;-)]
Definitely has the whiff of a product that isn't quite finished...
I've deployed an SSM Satellite VM (v6.0) from the ISO as per the installation guide; however, I have noticed that there are a handful of static routes to IP prefixes in the appliance's OS routing table that point to a "docker" network interface (these appeared out of the box).
Unfortunately, these routes are preventing connectivity to devices I have in this range of prefixes - is there any way to change this range to something else?
I have put static routes in place on the box to get connectivity for a subnet within the range, but have no doubt this is/will break the application?
*the range is 126.96.36.199, which seems a little short sighted to me!!!
Any help is appreciated!
Hi Marcus, Thanks for your reply - help is appreciated!
On the host scan image - the ASA & AnyConnect 3.0 Config Guides specify that a stand-alone host scan image OR an AnyConnect package can be used for the HostScan image; the ASA will just extract the HostScan software when required from the AnyConnect package on demand. I have done some further testing, and can confirm that this works fine when using weblaunch, leading me on to my next point...
I believe the problem is related to using IPsec as the preferred VPN protocol...
IPsec - I have found that when using IPsec [IKEv2] as the local AnyConnect client's primary VPN protocol [rather than SSL - and set in the local VPN profile], I am unable to connect when HostScan / CSD is enabled, AND regardless of whether HostScan / CSD is enabled, I am unable to push software updates or profile updates either when configured in group policy! The VPN connection just fails. If I turn off any of the "client services" related functions such as profile or software updates in the group policy config [and HostScan / CSD is disabled] I can connect fine. If I set the local AnyConnect client VPN profile to use SSL as its preferred VPN protocol, everything works nicely!
I understand that the local client VPN profile, when set to IPsec as the preferred VPN protocol, uses a proprietary EAP authentication method and that changing this to a "Standards Based" EAP method [such as GTC etc.] will limit the download capabilities needed. What's odd is that the local profile on our client is set to use IPsec, and the check box to use a standards based EAP method is not checked - yet the behaviour of the client suggests that maybe it's doing this - none of the client services seem to be available? Very odd.
We are using RADIUS between the ASA and a backend Cisco ACS server with SecurID tokens as the passcode to auth the users, with no cert checking. Does anyone have any idea how this proprietary IPsec method works? Thanks again,
Hi, We are running a lab POC for AnyConnect 3.0 in prep for a migration from Cisco VPN Client to AnyConnect [VPN, NAM & Posture] and are having issues with Host Scan. Essentially, we want to have AnyConnect / ASA check for a file on the local client machine, and scan for Symantec End Point Protection and ensure that it is running. Upon success of these criteria and successful user authentication, access will be granted, otherwise deny. Our client test machines have the predeployed AnyConnect client with NAM and the Posture module [installed from the supplied Cisco AnyConnect predeploy ISO .msi's]. We have no requirement for Clientless SSL VPN Access at this stage. However, when initiating a VPN connection with Secure Desktop / Host Scan enabled, it fails with the following errors:
Warning dialogue appears: "Posture Assessment Failed: HostScan Prelogin error". OK box is displayed. Click "OK" and then: "An error has occurred while running Host Scan. Please attempt to connect again."
Also, during the connection process, the following information is displayed in the AnyConnect VPN window:
"Posture Assessment...Checking For updates [1 - 5 seconds]"
"Posture Assessment...Initiating [1 - 5 seconds]"
"Posture Assessment...Updating [1 - 3 seconds]"
"Posture Assessment...Initiating [1 - 3 seconds]"
Then the first two errors appear.
-----------------------------------------------------------------------------------------------
On the config side - I have done the following:
1. Enabled Secure Desktop Manager and installed the CSD image [using csd_3.6.181-k9.pkg]
2. Installed a Host Scan Image [anyconnect-win-3.0.1047-k9.pkg] and enabled it.
3. Enabled the host scan extensions in the Secure Desktop Manager Host Scan Settings [Endpoint Assessment ver 188.8.131.52]
4. Created a Pre-Login policy to check for a text file [named example.dat]
5. Created a DAP policy to check for the text file again, and to look for a personal firewall [Symantec End Point Protection].
I'm a little stumped as to why this is happening, as I have pretty much deployed this in line with the AnyConnect and ASA config guides. Oddly - if I browse to the ASA's URL and log in via weblaunch, I can successfully connect and initiate a VPN with successful host scan and DAP pass; the session is then handed off to the AnyConnect client and everything works nicely. It just doesn't work when using the local AnyConnect pre-deployed client. Anyone have any ideas or pointers of where I may be going wrong? Any help is appreciated! Thanks!
Hi, I'm sorry for the delayed reply, but your reply doesn't make 100% sense? Just to clarify, we have a backend ACS to authenticate users; this uses RSA for token codes as the password to authenticate. I haven't captured any packets as yet, but have lots of debug outputs - we find the following in the WLC logs when the timeouts occur:
Feb 21 14:04:44.939 1x_ptsm.c:404 DOT1X-1-MAX_EAPOL_KEY_RETRANS_FOR_MOBILE: MAX EAPOL-Key M5 retransmissions reached for mobile00:1e:4c:40:ed:5b
This is the result of multiple EAP retries:
Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b Sending 802.11 EAPOL message to mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:42 2008: 00000000: 02 03 00 7f 02 13 82 00 00 00 00 00 00 00 00 00 ................
00000010: 03 ae 78 3f ea 3b 70 24 4e 7c 28 5c 0a 5a f5 83 ..x?.;p$N|(\.Z..
00000020: ff ee 0e 35 8e 24 c1 fb 6e b7 ef 8d d4 e9 c9 cb ...5.$..n.......
00000030: 7e 00 00 00
Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b Sending 802.11 EAPOL message to mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:43 2008: 00000000: 02 03 00 7f 02 13 82 00 00 00 00 00 00 00 00 00 ................
00000010: 04 ae 78 3f ea 3b 70 24 4e 7c 28 5c 0a 5a f5 83 ..x?.;p$N|(\.Z..
00000020: ff ee 0e 35 8e 24 c1 fb 6e b7 ef 8d d4 e9 c9 cb ...5.$..n.......
00000030: 7e 00 00 00
Thu Feb 21 14:04:44 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:44 2008: 00:1e:4c:40:ed:5b Retransmit failure for EAPOL-Key M5 to mobile 00:1e:4c:40:ed:5b, retransmit count 3, mscb deauth count 0
Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Processing RSN IE type 48, length 38 for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Received RSN IE with 1 PMKIDs from mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:47 2008: Received PMKID: (16)
Thu Feb 21 14:04:47 2008:  25 d1 3e 91 40 82 7f 7c 7c 33 26 0e 94 85 68 4e
Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b No valid PMKID found in the cache for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b Unable to compute a valid PMKID from dot1x PMK cache for mobile 00:1e:4c:40:ed:5b
I am also seeing decrypt errors (only occasionally) when these users' sessions drop off:
Thu Feb 21 10:32:07 2008Decrypt errors occurred for client 00:1e:4c:40:ed:5b using WPA2 key on 802.11b/g interface of AP 00:18:74:c6:52:60
I understand that these can be due to driver issues and have updated the drivers on the EU machine to the latest and greatest (Dell) - awaiting to see if the problem reoccurs. Does anyone have any idea?
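A small log triage script for the kind of WLC debug output quoted above, added here as an example and not part of the thread: it groups the EAPOL-Key retransmit, retransmit-failure, PMKID cache miss and decrypt-error messages per client MAC and gives each client a verdict, so a run of "timeoutEvt" noise collapses into one line per station. The sample lines are constructed to mirror the post's output (same message shapes, MACs and timestamps, plus a second made-up client); the regexes, the ClientState class and the verdict labels are my own assumptions about what a first pass over these logs should surface, not anything the WLC itself provides.

```python
"""Summarise 802.1X/EAPOL-Key problems per client from WLC debug output."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"

# Message shapes copied from the debug output in the post; groups are positional.
RE_RETRANSMIT = re.compile(r"Retransmit (\d+) of EAPOL-Key (M\d) \(length \d+\) for mobile " + MAC)
RE_FAILURE = re.compile(r"Retransmit failure for EAPOL-Key (M\d) to mobile " + MAC
                        + r", retransmit count (\d+), mscb deauth count (\d+)")
RE_PMKID_MISS = re.compile(r"No valid PMKID found in the cache for mobile " + MAC)
RE_DECRYPT = re.compile(r"Decrypt errors occurred for client " + MAC
                        + r" using (\S+) key on (\S+) interface of AP " + MAC)

# Constructed sample modelled on the quoted WLC log (not a real capture).
SAMPLE_LOG = """\
Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b 802.1x 'timeoutEvt' Timer expired for station 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:42 2008: 00:1e:4c:40:ed:5b Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:43 2008: 00:1e:4c:40:ed:5b Retransmit 2 of EAPOL-Key M5 (length 131) for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 14:04:44 2008: 00:1e:4c:40:ed:5b Retransmit failure for EAPOL-Key M5 to mobile 00:1e:4c:40:ed:5b, retransmit count 3, mscb deauth count 0
Thu Feb 21 14:04:47 2008: 00:1e:4c:40:ed:5b No valid PMKID found in the cache for mobile 00:1e:4c:40:ed:5b
Thu Feb 21 10:32:07 2008Decrypt errors occurred for client 00:1e:4c:40:ed:5b using WPA2 key on 802.11b/g interface of AP 00:18:74:c6:52:60
Thu Feb 21 14:05:01 2008: 00:aa:bb:cc:dd:ee Retransmit 1 of EAPOL-Key M5 (length 131) for mobile 00:aa:bb:cc:dd:ee
"""


@dataclass
class ClientState:
    """What the log says about one wireless client (keyed by its MAC)."""
    retransmits: dict = field(default_factory=lambda: defaultdict(int))  # key msg -> highest retry seen
    failures: list = field(default_factory=list)      # (key msg, retransmit count, deauth count)
    pmkid_misses: int = 0
    decrypt_errors: int = 0
    aps: set = field(default_factory=set)             # APs that reported decrypt errors for this client

    def verdict(self) -> str:
        # A hard handshake failure outranks the symptoms that lead up to it.
        if self.failures:
            return "key-handshake-failed"
        if self.decrypt_errors:
            return "decrypt-errors"
        if any(self.retransmits.values()):
            return "retransmitting"
        return "ok"


def analyze(text: str) -> dict:
    """Fold the log into a MAC -> ClientState map; unmatched lines are ignored."""
    clients = defaultdict(ClientState)
    for line in text.splitlines():
        m = RE_RETRANSMIT.search(line)
        if m:
            n, msg, mac = int(m.group(1)), m.group(2), m.group(3)
            st = clients[mac]
            st.retransmits[msg] = max(st.retransmits[msg], n)
            continue
        m = RE_FAILURE.search(line)
        if m:
            msg, mac, count, deauth = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
            clients[mac].failures.append((msg, count, deauth))
            continue
        m = RE_PMKID_MISS.search(line)
        if m:
            clients[m.group(1)].pmkid_misses += 1
            continue
        m = RE_DECRYPT.search(line)
        if m:
            st = clients[m.group(1)]
            st.decrypt_errors += 1
            st.aps.add(m.group(4))
    return dict(clients)


def report(text: str) -> list:
    """One summary line per client, worst verdict first."""
    order = {"key-handshake-failed": 0, "decrypt-errors": 1, "retransmitting": 2, "ok": 3}
    rows = []
    for mac, st in analyze(text).items():
        retries = ", ".join(f"{k} x{v}" for k, v in sorted(st.retransmits.items())) or "none"
        rows.append((order[st.verdict()], f"{mac}: {st.verdict()} (retries: {retries}; "
                     f"pmkid misses: {st.pmkid_misses}; decrypt errors: {st.decrypt_errors})"))
    return [row for _, row in sorted(rows)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the raw debug output (for example `report(open("wlc-debug.log").read())`) and compare the per-client verdicts against the driver version and AP each client was on; a client that reaches "key-handshake-failed" on only one AP or only after a driver change narrows the search considerably.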
Users at a remote office are dropping network connectivity at random intervals. We are using a dot1x client on Windows clients to manage the WPA keys etc. and using the HREAP solution with a central WLC4400. Sites are connected via a 4Mb MPLS link; link utilisation is normal. We have enabled priority queuing for all interfaces the traffic will traverse (UDP ports 12222 LWAP), but this has not solved the problem. Any help would be appreciated!? Thanks Don