Actually, I don't see a software EOL - end of support is listed as 23 May 2023 for my SG200. I'm glad I found this thread, I was pulling my hair out over this. Unfortunately, my experience has been so far rebuilding the config triggers this issue even if done manually (last update: setting an alias interface, then the connection dropped). I don't have Smartnet on this, of course. In case anyone is interested, I ran curl against the management interface, and it stalls after printing <HTML>. I'm hoping someone will come up with some ideas on this. Next time we need to look at release/end-of-sale dates more carefully.
Thanks, that's an informative response.
I recall DART from a prior version of AnyConnect, but I don't see any of its functionality in the version I am running (4.2.02075). Funny, I could have sworn it was there.
I did decide to go poking around to see whether it was a separate executable. On Windows (not my primary platform) I found a few other files. There's vpnui.exe (what gets started by the installed Start Menu item), and also vpncli.exe and vpnagent.exe.
I haven't had a chance to play around with the vpnagent.exe, but the vpncli.exe was what I would have expected, a command-line version of the application. Within it, there are several commands that make sense; a state command which provides pretty much the same information as from the UI. Perhaps there are command line options for vpnagent.exe, but I suspect not.
If you have any idea where the DART functionality lives (perhaps I need another installer), I'd be interested to hear. Thanks!
I've been asked a question about a customer who uses AnyConnect for access to a secure network from related networks in their organization, some of which use TLS-decrypting proxy servers.
I realized that there are a number of possible scenarios where there might be personnel running SSL VPN sessions from these networks. I had, at first thought, presumed that a correctly configured certificate store on the ASA 5515 (software version 9.4(3).8) would ensure that if a proxy was inline with an untrusted certificate the user would be warned of a problem in the certificate chain. I do understand that this question assumes that the CA and/or certificate(s) presented by the proxy are untrusted by the client, though I'd still like to be able to know if possible if that certificate is being substituted.
But (for the PCI assessors) I don't know how to verify this. I would think that the client "knows" which certificate is presented by the VPN server, so as with other applications I can verify the certificate identity is correct - but I don't know whether this is something that can be queried or displayed by the AnyConnect client. That's the easiest approach, if this is accessible somewhere on the client. Other approaches:
logging on the server would indicate whether there is an anomaly in session setup with an AnyConnect client?
query on the ASA console with detail on the connection?
fire up Wireshark on the client and watch the datastream?
The initial indication that I have is that there is nothing out of the ordinary, though connection to the AnyConnect https service (we've disabled WebVPN but the software download page is still accessible) is proxied (and the browser generates the expected "certificate invalid" warning). But the AnyConnect client does not, which is what raises our concern.
So, two questions:
Under what circumstances will the AnyConnect client complain that there is an SSL MITM with an untrusted certificate? Or is there a way to configure something similar to "certificate stapling" in the configuration?
How to verify that an AnyConnect session is using a specific certificate on the server?
Hope this isn't overly difficult to answer... thanks!
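One way to answer the second question from the client side, as an added example that is not part of the original post and not Cisco's own tooling: connect to the gateway's TLS port, record the certificate that is actually presented on the wire (which is the proxy's substitute certificate when one is inline), and compare its SHA-256 fingerprint with a pin taken out of band from the ASA's own identity certificate. VPN_HOST, VPN_PORT and EXPECTED_FINGERPRINT are placeholders and are not values from the thread; the verifying connection also reports whether the local trust store accepts the presented chain, which is the check a browser makes and the one the post says AnyConnect did not visibly flag.

```python
"""
Added example: report which certificate a TLS endpoint presents and whether
it matches a pinned SHA-256 fingerprint. Not code from the original post or
from Cisco. VPN_HOST, VPN_PORT and EXPECTED_FINGERPRINT are hypothetical
placeholders; the pin must be read from the ASA's identity certificate out
of band, never from the client-side connection being tested.
"""
import hashlib
import socket
import ssl

VPN_HOST = "vpn.example.invalid"   # placeholder, not a host from the thread
VPN_PORT = 443
# Placeholder pin; replace with the gateway certificate's real SHA-256 fingerprint.
EXPECTED_FINGERPRINT = "00:" * 31 + "00"


def fingerprint_sha256(der: bytes) -> str:
    """OpenSSL-style SHA-256 fingerprint: upper-case hex pairs joined by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' forms; return lower-case hex without separators."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def pin_matches(der: bytes, expected: str) -> bool:
    """True when the presented DER certificate hashes to the pinned fingerprint."""
    return normalize_fingerprint(fingerprint_sha256(der)) == normalize_fingerprint(expected)


def fetch_presented_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """
    Retrieve the leaf certificate the endpoint (or an inline proxy) presents.
    Verification is deliberately disabled here so the certificate can be
    inspected even when it is untrusted; trust is assessed separately below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def chain_trusted_by_local_store(host: str, port: int, timeout: float = 5.0) -> bool:
    """True when a default, validating context accepts the presented chain."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def assess(host: str, port: int, expected: str) -> dict:
    """Combine the on-the-wire fingerprint, the pin comparison and local trust."""
    der = fetch_presented_cert(host, port)
    return {
        "presented_fingerprint": fingerprint_sha256(der),
        "matches_pin": pin_matches(der, expected),
        "trusted_by_local_store": chain_trusted_by_local_store(host, port),
    }


if __name__ == "__main__":
    result = assess(VPN_HOST, VPN_PORT, EXPECTED_FINGERPRINT)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["matches_pin"]:
        print("WARNING: presented certificate is not the pinned gateway certificate; "
              "an inline TLS-decrypting proxy may be substituting it.")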
Just another data point: all is well here, running 1.3.1 (003) Dec 17 2012 - thanks again! (I'm actually afraid to touch it again - it ain't particularly broke right now, so I'll be careful when the next release goes GA...) _KMP
Hi Patrick, and everyone... I'm adding a "me too" (and Patrick, I'll email you directly with my info). I've been having this problem since I purchased my SPA112, and it hasn't gotten to the point where I've wanted to try to brave TAC (okay, I guess it's "small business support") to open a case until I realized that if I needed to deal with this as a warranty issue I only had a couple of weeks left. I saw a lot of references to CallCentric, but I'm actually using this as part of a system running Asterisk - so I have the ability to monitor (capture) all of the traffic to and from the unit from either end (of the LAN). I haven't ever seen anything interesting or seemingly useful in the logging. I noticed the Perl script posted to restart the unit periodically. I haven't looked at this yet, but I did write a script myself that likely does the same thing. Still, I see coma about every 5-10 days (I get a log entry every time the reset script dies). As with everyone else, only pulling the plug fixes it. I'd be happy to try any beta or lab firmware updates that you can provide - I can tell you that I have had at least one attempt to update f/w fail with the unit frozen for several hours before I finally put it out of its misery. Currently it's running 1.2.1. Glad to find this thread (what an uncommonly accurate subject line). Thanks for any help, and let me know how I can contribute.