Showing results for 
Search instead for 
Did you mean: 

Community Helping Community

Community Manager

Ask the Expert: AnyConnect Secure Mobility

AnyConnect Secure Mobility with Ameet Kulkarni - Read the bioWith Ameet Kulkarni

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about AnyConnect Secure Mobility with Cisco expert Ameet Kulkarni. Learn about the various aspects of AnyConnect Secure Mobility such as HostScan, Client and Clientless based remote access, policies, and more.

Ameet Kulkarni is a product manager within the Secure Access and Mobility Product Group. His areas of expertise revolve around AnyConnect & ISE with a focus on posture assessment and profiler technologies. Kulkarni has managed multiple products over his career in VoIP and Security industries. He is an engineer by education with a Master of Science in Telecommunication. He has had a broad exposure in software development, solution architecture, program management and product management.

Remember to use the rating system to let Ameet know if you have received an adequate response.

Ameet might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub community shortly after the event. This event lasts through April 5, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.


Ask the Expert: AnyConnect Secure Mobility

Anyconnect user automatic group-policy and tunnel-group assignment without selecting any group-alias from tunnel-group-list .

Objective is that anyconnect user  dont have to select Group-alias, so when a user enters its username and  password it should go to its specific tunnel-group and group-policy. as i  have removed this command in webvpn "no tunnel-group-list enable".  doing this i can not login (user does not authenticate).

1- My question is why its not happening ?


If  i keep only one tunnel-group default and make multiple group-policies  and assign each user with its specific group-policy than it works. means  in user attribute i only issue following commands than it works but if i  put "group-lock value test-tunnel" than it does not login.

why is that so, can we have only one tunnel in this case ..


enable outside

cache-fs limit 50

svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1

svc enable

group-policy test-gp internal

group-policy test-gp attributes

vpn-tunnel-protocol svc webvpn

address-pools value test-pool

username test password test

username test attributes

vpn-tunnel-protocol svc

group-lock value test-tunnel

vpn-group-policy test-gp

tunnel-group test-tunnel type remote-access

tunnel-group test-tunnel general-attributes

default-group-policy test-gp

tunnel-group test-tunnel webvpn-attributes

group-url enable


Ask the Expert: AnyConnect Secure Mobility

Can the Cisco Adaptive Security Appliance be connected to a RADIUS infrastructure to authenticate users?

Cisco Employee

Ask the Expert: AnyConnect Secure Mobility

Yes, the ASA can be connected to a RADIUS server for authentication purposes. It is quite common.


Ask the Expert: AnyConnect Secure Mobility


what are the requierd knowledges to achive ccnp security ? in which order should i start to study ? what comes first , ccnp r&s or ccnp security ? when can i start with ccna security ? i need some informations ? please do the needful for me , and tell me how to start. is it true that i need to know how to install before securing it ? i got some infos from some sources ,which told me that i need to study ccnp r&s before ccnp security because before securing ,it is necessary to know how to it true ??


Cisco Employee

Re: Ask the Expert: AnyConnect Secure Mobility

You can find the details of the certification here:


Re: Ask the Expert: AnyConnect Secure Mobility

thanks ameet for enlightening me on the above issue. but still in user attribute if i map a user "testuser" with a tunnel-group "group-lock test-tunnel" and group-policy " vpn-group-policy test policy" than it does not login. if i remote group-lock it works. so why cisco has added group-lock in user-attribute what is th purpose .. ? i need to understand in details plz

Cisco Employee

Re: Ask the Expert: AnyConnect Secure Mobility

John, what you are doing is locking the user to the tunnel group. So for the user to connect, you need to use group URL or pull down or certificate matching. When you remove the group-lock, the user goes into the default tunnel group and is probably hitting the default group policy that you have set up and hence is logging in.

Tunnel Group Lock is a simple check to validate if the Tunnel Group (aka. ASDM Connection Profile) you connect with matches what you have defined under the group-policy. If the Tunnel-Group-Lock value matches (true condition), the VPN remote access session is allowed to setup; otherwise the session is not allowed to establish.


Ask the Expert: AnyConnect Secure Mobility

On My ASA Firewall I have anyconnect-win-3.0.5080-k9.pkg image. Some of the users have installed AnyConnect 2.5.3051 software on their machine. I just wanted to know, if there would be some issue in connecting or accessing VPN or other programs.

Cisco Employee

Ask the Expert: AnyConnect Secure Mobility

Both versions should co-exist just fine.  I would suggest tesint one 2.5 client if you are using csd/hostscan to ensure compatability.

The 2.5 clients software and profiles will be updated unless you do one of the following

Q. Is it possible to turn off the automatic AnyConnect upgrade via ASA? AnyConnect Local Policy File Parameters and Values for more information.

A. Yes. Use one of these methods in order to turn off the automatic AnyConnect upgrade via the ASA:

  • Adjust the profile on the ASA to disable updates.


  • Use a local policy to disable the AnyConnect downloader.

    BypassDownloader true The client does not check for any dynamic content present on the ASA,      including profile updates, translations, customization, optional      modules, and core software updates.


    Refer to

Cisco Employee

Ask the Expert: AnyConnect Secure Mobility

What pcarco is saying is true for ASA 9.0 and AnyConnect 3.1 and above. If you have a newer version of AnyConnect on the ASA, the end users will automatically get upgraded to that version. The ability for end users to defer updates to a later time comes about from ASA 9.0 and AnyConnect 3.1.


Ask the Expert: AnyConnect Secure Mobility

When configuring AnyConnect using ASDM it has two options for VPN protocol to be used. One is SSL and other is IPSec. Can we use IPsec as the protocol? can you please assist here.


Ask the Expert: AnyConnect Secure Mobility

hi mohd IPSec is for remote access vpn clients and SSL is for webvpn or anyconnect client.

Cisco Employee

Ask the Expert: AnyConnect Secure Mobility

Mohd, pcarco provides a good quick summary of what AnyConnect can do with IPsec and SSL.

Cisco Employee

Ask the Expert: AnyConnect Secure Mobility

Yes you can but just note it is IPSEC with IKEv2

"Optimized Network Access - VPN Protocol Choice SSL (TLS and DTLS), and IPsec/IKEv2

AnyConnect now provides a choice of VPN protocols, allowing administrators to use whichever protocol best fits their business needs

• Tunneling support includes SSL (TLS and DTLS) and next-generation IPsec (Internet Key Exchange Version 2 [IKEv2])

• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access

• TLS (HTTP over TLS/SSL) ensures availability of network connectivity through locked-down environments, including those using web proxy servers

• IPsec/IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec"

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here