About Jeffrey Schutt

Jeffrey Schutt · ‎03-29-2011

Introduction This document answers frequently asked questions about Cisco's VPN Client solutions available on Mac OS X. The contents of this document have been moved, you should be able to find them here: VPN Clients For Mac OS X FAQ - Cisco Systems

Jeffrey Schutt · ‎03-07-2011

Hi, The autoupdate feature you're referring to is only available on the VPN3k, I'm not aware of a similar feature on an ISR router. The best way to update your users profiles would be to push down the new .pcf file to user's PCs through a third party tool such as Microsoft's Group Policy manager. Another idea for future supportability is to create a DNS name that resolves to your router and edit the .pcf file to use this dns name. This way in the future any ip address changes are invisible to users. Did this answer your question? If so, please mark it Answered!

Jeffrey Schutt · ‎03-07-2011

Hi, If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'. Did this answer your question? If so, please mark it Answered!

Jeffrey Schutt · ‎03-07-2011

Hi Jan, Please see my responses inline: 1. Once the VPN session has been established the user is further prompted for AD credentials when accessing an AD share for the first time. Once they provide the credentials the share can be accessed. Should the AD credentials not be passed through when the VPN connection is established? Or is this by design? What makes me think it's not be design is the fact that this could be related to problem 2. AnyConnect will authenticate the user against AD based on the aaa-server/tunnel-group configuration on the ASA. This AnyConnect user authentication is a separate authentication from the user authentication required for access to a share on a server in the domain. In order to know that this is or isn't expected behavior you would want to compare a packet capture of the user's login attempt and share access attempt both on the local LAN and on the AnyConnect connection. For the AnyConnect session you could gather a capture on the inside interface of the ASA to be sure you're gathering unencrypted data. 2. Group Policy Update (windows gpupdate) fails. This again suggests to me that the full client/server relationship is not fully in tact. To resolve this you'll need to make sure that the AnyConnect user has access to all Domain Servers that interact with the client during gpudate. Remember that the VPN session is only concerned with passing traffic based on the OSI Layer 3 IP address. This means that if you have split-tunneling enabled the user must have all the necessary AD servers in the split-tunnelled list. If you're not using split-tunneling (in either case really) be sure that each one of these servers has a route to the ip address allocated to the AnyConnect user. Again, ASA inside interface captures are your friend in determining where this problem could be 3. In order to get Outlook to connect to exchange I've had to change Outlooks security settings from Negotiate (which would naturally choose Keberors), to NTLM. Not sure if this is related or not. What protocols and ports do you have configured for Kerberos and NTLM? Typically Kerberos uses UDP port 88, I think NTLM uses a dynamic high port - not sure if it's TCP or UDP. In either case, the critical thing to identify is the exchange server's IP address. Verify this ip address is reachable across the vpn connection. Then check to see if the ASA could be blocking this traffic or if it's maybe an inspection issue. You'll want to investigate this further with packet captures as well. The most common problems are: 1) server not in split-tunnel list 2) no route between AnyConnect assigned ip address and server 3) Inspection not configured on ASA causing fixup issues of these protocols. Did this answer your question? If so, please mark it Answered!

Jeffrey Schutt · ‎03-03-2011

Hi Randy, Thanks for the clarification. Based on this new information it sounds like all you need to do is configure RRI (reverse route injection) and redistribute these static routes into the dynamic routing protocol (if you're running a routing protocol). Configure reverse route injection with the set command within the static crypto map entry you've configured. This way these learned routed will always be advertised into the local ASA's routing table. This should resolve your problem. The major difference between l2l and ezvpn is that you define the local policy on both sides in the l2l configuration (encryption/hashing protocols, crypto map configuration including interesting traffic, etc) whereas the ezvpn server pushes the policy down to the ezvpn client. Regarding split tunneling...within an EZVPN setup the split tunnel policy is pushed down from the server. What this means is that the ezvpn client will only encrypt traffic that matches the split-tunnel list defined on the ezvpn server and installed in the ezvpn client (as verified by 'sh cry ips sa'). This means that all other traffic not defined by the split tunnel acl will always be able to reach the internet directly independent of whether the ipsec tunnel is established. Regards, Jeff

Jeffrey Schutt · ‎03-01-2011

Hi Randy, There are two things going on here, network extention mode versus client-mode and split-tunneling versus tunneling all traffic. It sounds like you're committed to NEM (probably because you want to route the remote subnet on the ezvpn server side). Now it's a question of split-tunneling versus tunneling all traffic. Here's a great example of how to setup the ASA as a NEM client where the ezvpn server pushes down a split-tunnel policy: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml This may be the way you want to go because if you use this setup then your users will always have internet access independent of the tunnel being up or down. The other option is to tunnel all traffic from the ezvpn client side through the tunnel before u-turning internet bound traffic. In this case the ipsec sa that's built on the ezvpn client side has an all zeroes proxy/identity. This means that any packet that goes from inside to outside interface will trigger the IPsec connection. This will then bring up the tunnel if it's down so users internet access is restored. The other option you have is to configure PAT on the ezvpn client. In this scenario you should explicitely deny the ezvpn server's networks from NAT/PAT (using nat exemption/identity nat) so that this traffic never gets NATed. PAT will allow inside users to browse the web even if the tunnel is down.

Jeffrey Schutt · ‎02-25-2011

Q: The requirements for Trusted Network Detection (TND)/Always-On state that Anyconnect (AC) requires strict certificate checking, what is this? http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1230383 A: Strict certificate checking means that AC will not establish a session if the certificate presented by the ASA cannot be verified. The ASA's cert is presented to AC during the SSL negotiation part of the session establishment. AC verifies that all the attributes of the received cert are valid and align with the AC Profile. A good way to verify cert validity is to browse to the ASA's webvpn portal in your web browser. If you don't see any warning messages than this certificate has been verified successfully. But this isn't the only thing checked by AC, below are common problems surrounding strict cert checking. Typical problems include: 1) Untrusted cert Example - ASA has self-signed certificate configured and this cert cannot be found in the CA Cert Store on the user's PC Resolution - Install a cert from a trusted third party CA or install the CA cert in the appropriate cert store of all client PCs. 2) Mismatched cert Example - AC/User browses to the IP addr of the ASA but the cert's Subject Name/Subject Alternative Name (SAN) contains the FQDN. Resolution - The HTTPS URL defined in the AC Profile and the cert's Subject Name/SAN must match. Note that if the cert contains a SAN this will always take precedence over the subject name. Important: This means the hostname defined in the server list section of the AC profile must match the cert SN/SAN! Also worth noting: if you configure 'fqdn none' in the trustpoint the ASA won't insert a SAN attribute in the CSR. 3) Invalid cert Example - The certificate has expired. Resolution - The ASA admin must install a new certificate with a valid lifetime. 4) CRL not accessible Example - The CRL URL defined in the certificate attributes isn't resolveable or the CRL isn't accessible. Resolution - The CRL URL must be resolveable and the CRL must be available. Update DNS so this CRL's FQDN will resolve correctly on the internet. Note: you should be able to browse to the URL defined in the cert attributes and pull down the CRL. Q: I'm setting this up for the first time and I know that I have a configuration error in the AnyConnect Profile that is preventing me from connecting. I've made a change to the profile but the PC is locked down and not passing any traffic out its NIC because TND was enabled in the previous profile pushed down. How do I restore network access to this test machine in order to download the new profile from the ASA? A: For testing you should be using a machine with administrative privileges. The best way to recover from this state and start from scratch is to delete the AnyConnect Profile and Preferences XML files from the PC then uninstall AnyConnect. This may require a reload of the PC, but after you log back in network connectivity will be restored and you'll be able to browse to the ASA. Most of the time, however, by uninstalling the Profile and Preferences files and restarting the "Cisco AnyConnect Secure Mobility Agent" service in Windows (Control Panel > Admin Tools > Services) you can reinitialize the system. Q: When I first downloaded the new profile I used weblaunch to establish my AC connection. Now that I have disconnected I can't reconnect, I continue to see an error indicating that AC cannot confirm it is connected to my secure gateway. Even more confusing is the fact that although I configured a "Fail Open" policy in the AC Profile my computer doesn't have any network access. What can I do? A: First, make sure you've reviewed the question above regarding strict certificate checking - this is most likely causing your problem. Second, the Fail Open versus Fail Closed policy is implemented after AC verifies a secure gateway and can successfully establish a connection to it. In the case where AC cannot establish a connection to a secure gateway due to a local configuration issue, it already knows it's on an untrusted network (this is why it's attempting to initiate the connection) and so if the gateway isn't trusted it will deny all network connectivity until a gateway is trusted. After AC can successfully build a tunnel to a trusted gateway it will Fail Open or Fail Closed depending upon the settings configured in the AC Profile. Q: I'm troubleshooting to figure out what I'm still missing and in the AnyConnect Event Logs I am seeing a message stating that Enhanced Key Usage (EKU) is invalid. What does this mean and is this causing my problem? A: This is a client-side message indicating that AnyConnect was unable to find a certificate in the local store to present to the ASA. If you are not using certificate authentication you can safely ignore this message. If you are using certificate authentication the client-side certificate's certificate must contain the EKU attribute for Client Authentication. Q: In the AC Profile I have disabled the ability for users to use the disconnect button, but users are still able to press "disconnect" and it will log them on/off of AnyConnect. Should this be possible? A: This is expected behavior if the users is on a trusted network. TND will not affect the users' ability to connect/disconnect on a trusted network, only when users are not on the trusted network should this button be grayed out. Q: Does the <TrustedDNSDomains> field in the AC Profile support wildcard characters? A: Yes, the asterick can be used. For example, if you want to trust users on any network containing one of the many domains you own including companyA.com, companyAsupport.com, companyAinvestors.com, companyA.net, companyA.org, and customers.companyA.com, you could simply add the tag <TrustedDNSDomains>*companyA*</TrustedDNSDomains>. Q: What protocols are allowed outbound from a host when Always-On is in FAILED CLOSED mode and captive portal remediation is not permitted? A: ARP, DNS, DHCP, connectivity to the secure GW IP. Plus access to any other profile hosts in 3.0, in 3.1 dynamically defined SG list based on only to host you are actually connected to. Q: Will Always On work through a Proxy? A: No. If a proxy is required to get to the internet, Always On will not support this. This includes any type proxy setting (wheter it's a PAC, a proxy set in browser, etc). This was designed to maintain security with the feature. Had we allowed this w Always On we would have needed to add a route to the proxy and if that were the case they could get anywhere, hence, bypassing always on access to only the ASA. With AlwaysOn configured, the Agent will always attempt to create the tunnel directly to the ASA and will not even attempt to connect to the proxy. Since we don't support connecting via a proxy, we at least try to connect directly rather than not try at all and just fail outright. If the Agent is unable to connect to the ASA, then the Agent will report to the user the connection is not possible because it must be made via a proxy which is not supported with AlwaysOn. So setting IgnoreProxy should not be necessary when AlwaysOn is enabled because the Agent will not attempt to connect via the proxy at all. Q: Will Always-On work with Self-Signed Certificates? A: You can use self-signed certificates with Always-On. But, you have to be careful with the usage of the “Hostname” and “Host Address” fields in the server list: 1. If you only specify the Hostname field, and not the Host Address field, then the entry of the Hostname field will be compared with the certificate subject. If they do not match, and the Always-On feature is enabled, the VPN connection will fail. 2. If you specify both the Hostname field and the Host Address field, then the entry of the Host Address field will compared with the certificate subject. If they do not match, and the Always-On feature is enabled, the VPN connection will fail. +++++ You can add the ASA certificate to the PCs Trusted Root store (see the last line from the Admin guide below). However, you may need to do that BEFORE Always-On is enabled or at least reboot after doing it. To add the Cert, open Internet Explorer and got to the ASA. You should get a message that there is a problem with the website’s certificate. Then follow the steps in this article, which describes the process but for a different product http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1205144 •Always-on VPN requires a valid server certificate configured on the ASA; otherwise, it fails and logs an event indicating the certificate is invalid. Ensure your server certificates can pass strict mode if you configure always-on VPN. Always-on VPN supports only computers running Microsoft Windows 7, Vista, XP; and Mac OS X 10.6, 10.7 and 10.8. To prevent the download of an always-on VPN profile that locks a VPN connection to a rogue server, the AnyConnect client requires a valid, trusted server certificate to connect to a secure gateway. We strongly recommend purchasing a digital certificate from a certificate authority (CA) and enrolling it on the secure gateways. If you generate a self-signed certificate, users connecting receive a certificate warning. They can respond by configuring the browser to trust that certificate to avoid subsequent warnings. Q: What are the checks done against certificates in case of always on? This can cause multiple problems with always on including failure to download updates - FILEDOWNLOADER_ERROR_UNTRUSTED_CERTIFICATE_WITH_ALWAYS_ON A: The checks are performed through WinInet library here's a non exhaustive list: - The certificate's trust chain verifies back to a trusted root - The certificate is not expired or not yet valid based on date - The host being used for the connection matches a CN entry in the Subject or a DNSName or IPAddress entry in the Subject Alternative Name entry within the certificate, as appropriate - If present, the certificate's Key Usage is appropriate for the required tasks (typically Digital Signature and Key Encipherment for SSL) - If present, the certificate's Enhanced Key Usage is appropriate for the required tasks (Server Authentication) - The certificate is not revoked

Jeffrey Schutt · ‎05-18-2010

Good Catch Nicholas! Looks like you could be running into the same symptoms experienced in bug CSCsf22066: ASA - dhcp-network-scope/DHCP-proxy giaddr issue with RFC2131 This was a duplicate of enhancement request CSCsm60591 which has been resolved in the latest ASA images. See bug toolkit for more details. I also came across this in the configuration guide: "When it receives a DHCP request, the security appliance sends a discovery message to the DHCP server. This message includes the IP address (within a subnetwork) configured with the dhcp-network-scope command in the group policy. If the server has an address pool that falls within that subnetwork, it sends the offer message with the pool information to the IP address—not to the source IP address of the discovery message. • For example, if the server has a pool of the range 209.165.200.225 to 209.165.200.254, mask 255.255.255.0, and the IP address specified by the dhcp-network-scope command is 209.165.200.1, the server sends that pool in the offer message to the security appliance." http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1116296 This is why you stated that "I can see the 3750 sending the requested address back to 10.0.6.0". The ASA sets the GIADDR field in the DHCP Discover to be the dhcp-network-scope defined within your group-policy. It's my impression that by setting the ip address to 10.0.6.2 the DHCP Offer will be returned to a host address that the ASA can listen for as opposed to the subnet's network address which the ASA ignores.

Jeffrey Schutt · ‎05-18-2010

Hi Nicholas, Note that after a 5 second delay the ASA logs message %ASA-5-713201, and after another 5 seconds you see the same message logged. This message is coming from the VPN Client, it is the client's retransmission requests for a dhcp address. On the client logs you should see these same retransmits. In your logs I see the outbound UDP connection build but I do not see a subsequent inbound UDP connection built. Apparently either the ASA is blocking the inbound UDP connection from the DHCP Server back to it (not likely because we don't see any deny messages in your logs), or the response from the 3750 is not making it back to the ASA. When I set this up in the lab I saw the following messages that differ from yours: May 18 2010 09:22:41: %ASA-7-737001: IPAA: Received message 'UTL_IP_[IKE_]ADDR_REQ' May 18 2010 09:22:41: %ASA-6-737017: IPAA: DHCP request attempt 1 succeeded May 18 2010 09:22:41: %ASA-6-737005: IPAA: DHCP configured, request succeeded for tunnel-group 'anyconnect_only' May 18 2010 09:22:41: %ASA-6-302015: Built outbound UDP connection 10806 for inside:192.168.5.100/67 (192.168.5.100/67) to identity:192.168.5.1/67 (192.168.5.1/67) May 18 2010 09:22:41: %ASA-7-609001: Built local-host corp:192.168.255.3 May 18 2010 09:22:43: %ASA-6-302015: Built inbound UDP connection 10808 for inside:192.168.5.100/67 (192.168.5.100/67) to identity:192.168.255.0/67 (192.168.255.0/67) May 18 2010 09:22:43: %ASA-7-737001: IPAA: Received message 'UTL_IP_DHCP_ADDR' May 18 2010 09:22:43: %ASA-7-609001: Built local-host dmz:192.168.255.3 May 18 2010 09:22:43: %ASA-5-722033: Group User IP <172.18.254.122> First TCP SVC connection established for SVC session. May 18 2010 09:22:43: %ASA-4-722051: Group User IP <172.18.254.122> Address <192.168.255.3> assigned to session To further troubleshoot your problem I would check any access-groups configured on the inside interface and use the ASA's packet-capture functionality to see more details about the problem: capture inside6 interface insidevlan6 buffer 1000000 show capture inside6

Jeffrey Schutt · ‎05-17-2010

Hey Nicholas, Your DHCP relay configuration would be appropriate if you had hosts that were connecting directly to the outside interface and looking to receive an ip address via the DHCP server. But because you want to assign a DHCP address to vpn user you'll want to use the following configuration: asa(config)# tunnel-group anyconnect_only general-attributes asa(config-tunnel-general)# dhcp-server 10.0.0.6 Optionally you can configure the scope of addresses to match what the server is handing out: asa(config)# group-policy anyconnect_only attributes asa(config-group-policy)# dhcp-network-scope 192.168.1.0 If in production you end up using multiple DHCP servers that share a dhcp-network-scope value, then here's a bug that you'll want to make sure you're past when setting this up: CSCsy56403 ASA stops accepting IP from DHCP when DHCP Scope option is configured Look at the bug details to see other things you can try when troubleshooting this such as... 1) packet capture on dhcp-server facing interface 2) ASA logs set to level debugging at time of issue 3) turn on dhcp debugs on the ASA Thanks, Jeff

Jeffrey Schutt · ‎05-17-2010

Hi Chris, I haven't seen this same behavior where you must install the RDP plugin ActiveX control multiple times. Is it possible that you or your IT security admins could be deleting this plugin along with other browser temporary files and objects on a regular basis? Or maybe your browser is tightly controlled and locked down by an AD GPO. The best way to get this working is to add the ASA as a trusted site within IE. By doing this you allow the browser permission to run activex controls and content from the ASA that IE otherwise would classify as a security vulnerability in order to avoid browser exploits. The ActiveX control is automatically pushed down from the ASA at the time you browse to a url with the format RDP://. On Windows XP it is saved in C:\WINDOWS\Downloaded Program Files. You can find all the plugins currently installed in your browser from IE > Tools > Internet Options > General > Browsing History Settings > View objects. The filename is "CISCO Portforwarder Control". If you're running a relatively recent ASA image (8.0.5.1,8.2.2, 8.3.1)you should see version 1,0,0,7 pushed down to you. If you copy the file from an already installed PC you should probably be able to install it on any other PC. But this shouldn't be necessary as the latest version will be pushed to you upon initiating a webvpn RDP session using the ASA. The control is called from the ASA software image as opposed to being part of the RDP plugin. This is why upgrading ASA images gets you past known issues with the using RDP through webvpn such as.. CSCsx49794 Webvpn: RDP Plugin does not work with ActiveX with large cert chain and CSCtc70548 WebVPN: Cisco Port Forwarder ActiveX does not get updated automatically Thanks, Jeff

Jeffrey Schutt · ‎05-15-2010

Hi Jickfoo, With separate authentication methods needed for each user-group for two separate companies, I'm assuming that you'll need to have four separate tunnel-groups configured to authenticate against the total of four separate aaa servers. There are many ways to set this up including one login page and four drop-down selections (group-alias), four separate login pages (group-url), and anything in between. Because you have two separate companies connecting you'll probably want to use separate group-urls. This will allow you the functionality to customize a separate login portal for each company. You can then apply the login portal customization to both tunnel-groups associated with that company. From there you have the option to... 1) use separate group-urls on each tunnel-group (one for each authentication method) such that all users from that company see a similarly customized login screen and no users have to select a group from a drop-down, or 2) enable group-alias on both of these tunnel-groups such that all users from the same company land on the same login portal and then users pick the appropriate drop-down for their authentication method Here's the configuration example for group-alias and group-urls: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml Whichever method you choose, it is upon landing on a tunnel-group and then being placed on an associated group-policy that your users will inherit the access permissions to reach internal network resources. The group-policy is also where you'll apply a specific AnyConnect Profile to be pushed to the AnyConnect Client. You can use the functionality of the AnyConnect Profile to lock users to specific tunnel-groups when they reconnect. By applying a different AnyConnect Profile to each group-policy (different tags) you can ensure that each set of AnyConnect users lands on the correct tunnel-group . For more on the funcitonality see: http://www.ciscosystems.ch/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html#wp1060747 To enable an AnyConnect Profile to be pushed down from the ASA see: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1099076 Note that if you choose to package AnyConnect in your own installer file you can insert your own AnyConnect Profile with the appropriate tag configured in order to place the user on a specific tunnel-group.

Date Registered	‎05-15-2010 08:16 PM
Date Last Visited	‎09-25-2018 05:47 PM
Total Messages Posted	10
Total Helpful Votes Received	29

FAQ: VPN Clients For Mac OS X

Re: VPN Client profile auto-update for ...

Re: IP Phone SSL VPN through ASA

Re: AnyConnect VPN: AD Credential Reque...

Re: ASA 5505 - NEM Client

Re: ASA 5505 - NEM Client

AnyConnect Trusted Network Detection (T...

Re: DHCP for VPN

Re: DHCP for VPN

Re: DHCP for VPN

Re: SSL VPN RDP Active X Control

Re: Need AnyCon Design Advice - Groups ...