Ask the Expert: Configuring and Troubleshooting AnyConnect Client features

ciscomoderator · ‎04-17-2012

Rahul Govindan

Welcome to the Cisco Support Community Ask the Expert conversation. Learn from Cisco expert Rahul Govindanto how to configure and troubleshoot the various AnyConnect client features including features using Anyconnect xml profiles such as Start Before Logon (SBL), on-connect scripting, certificate authentication etc as well as specific features on the Adaptive Security Appliances (ASA) such as Cisco Secure Desktop (CSD) /Hostscan and Dynamic access policies (DAP).

Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN, Cisco Adaptive Security Appliance firewalls, and authentication authorization & accounting. His particular expertise is in Secure Sockets Layer VPN and IP Security VPN technologies. He holds CCIE certification (#29948) in the Security domain.

Remember to use the rating system to let Rahul know if you have received an adequate response.

Rahul might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event is a continuation of the facebook forum and lasts through April 27 2012. Visit this forum often to view responses to your questions and the questions of other community members.

ROBERTO TACCON · ‎04-18-2012

Hello Rahul Govindan,

please can you indicate when the BUG ID: CSCty32412 will be resolved (is there any specific release that resolve the problem) ?

Thanks

rahgovin · ‎04-18-2012

Hi Robert,

Unfortunately, this bug has not been fixed so far at our end and I do not have an estimated date for a fix yet. But this bug is being worked upon on a very high priority as it a highly impacting one for anyconnect deployments.I shall provide you more information on this forum if I obtain any. In the meanwhile, I would suggest that you subscribe to the bug on the Bug Toolkit page so that you receive notifications on any changes in the state of the bug.

Thanks

Rahul

ROBERTO TACCON · ‎04-19-2012

Thanks for the reply.

Another question related to cisco asa bugs: about the Cisco ASA 8.x and Dynamic access policies (DAP) with LDAP integration with Microsoft Active Directory

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

and the ability to permit remote access users access the resources that are defined for 2 different active directory groups at the same time:

please can you indicate me if the following Bug ID: CSCso24147 will be resolved/implemented (it's an

enhancement but other firewall vendor support already this fetaure) ?

Thanks

rahgovin · ‎04-19-2012

Hi Robert,

Ah, this bug This has been a long standing enhancement at our end to have a recursive check for LDAP nested groups on the AD. Unfortunately, I do not have a timeline for the support for this enhancement. But I do know that this is one of the top priority bugs on the ASA teams list. I wish I had more information to provide you.

Thanks

Rahul

rahgovin · ‎04-27-2012

Hi Roberto,

Looks like this bug has been resolved and the fixed images should be 8.2.5(29) and 8.4.4 both of which should be out shortly.

Thanks

Rahul

ROBERTO TACCON · ‎04-18-2012

Hello Rahul Govindan,

about the SSL (anyconnect) feature on cisco ASA please can you answer to the following question:

1) The problem:

The Hacker's Choice SSL Denial of Service (thc-ssl-dos) tool.

Attackers can use this tool to exhaust resources on an SSL-enabled service, causing a Denial of Service of the targeted service.

The tool is a public Tool and not a Cisco one.

The researchers publish the tool and the technical details at http://www.thc.org/thc-ssl-dos THC released an SSL denial of service (DoS) tool that performs a resource starvation attack of SSL servers.

This problem affects all SSL implementations today. Vendors are aware of this problem since 2003 and the topic has been widely discussed within IETF. This tool also appears to leverage the known issue described in CVE-2011-1473.

Technical details can be found at:

http://www.thc.org/thc-ssl-dos

The following blog also covers the effects of this attack:

http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos

An Intellishield alert has been published to document this at:

http://tools.cisco.com/security/center/viewAlert.x?alertId=24454

2) Cisco indicate:

http://tools.cisco.com/security/center/viewAlert.x?alertId=24454

"To mitigate the DoS condition administrators are advised to use SSL Accelerators within the network and disable the SSL Secure Renegotiation feature on affected servers."

BUT

“

It's work even without SSL renegotiation enabled, attackers can still use THC-SSL-DOS successfully against servers.

"

AND THE HOWTO MITIGATE with CISCO:

using CISCO IPS:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=40086&signatureSubId=0&softwareVersion=6.0&releaseVersion=S616

3) Questions:

customers are asking me if

- Cisco ASA SSL is vulnerable to the attack ?

- Are there any configuration within Cisco ASA to mitigate the problem or it is necessary to deploy the CISCO IPS ?

Best Regards

rahgovin · ‎04-19-2012

Hi Robert,

I was looking more into this vulnerability that you mentioned all morning. From what I read, the tool can cause vulnerabilities when the ssl renegotitation is enabled . If I am not wrong, the ASA has disabled SSL renegotiation with a patch in the Openssl code due to an earlier TLS vulnerabilty noted. The bug ID is the following

CSCtd00697. Looks like the ASA running the 8.2(1.16) codes and above should not have this vulnerability for its SSLVPN services.

More information on this can be obtained here:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20091109-tls

Thanks Rahul

ROBERTO TACCON · ‎04-19-2012

Hello Rahul,

as indicated by http://www.thc.org/thc-ssl-dos/

"

It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen.

People are asking us about the private release that works against servers

that do not support SSL renegotiation. We will not release it.

Meanwhile the good news is that openssl can be used to perform the same attack

It's not as elegant as the private thc-ssl-dos but works quite well indeed.

"

please can you check @ Cisco (maybe with PSIRT) if the IPS is needed ?

Thanks again for all the support.

rahgovin · ‎04-20-2012

Hi Robert,

I guess what they mean by an attack without SSL renegotiation is a normal TCP syn flood attack using SSL packets. I guess the primary target for this tool was meant for web servers with SSL renegotiation enabled and thats why the PSIRT response is for IPS devices inline to the servers that it was targetting. So far there is no vulnerability that has been noted by the PSIRT team for this tool on the ASA so my assumption would be that the ASA should not be vulnerable to these attacks. But again let me see if I can find some more info for you on this query.

Thanks

Rahul

tasoskypraios · ‎04-20-2012

Hi Rahul,

I have problems configuring Anyconnect client 2.5 with Certificate in my ASA 5520 (8.2.1), I have succesfully configure the anyconnect without Certificate. We have an internal Windows 2003 CA server where we generate the identity certificate. As a CN we use the name of ASA. We also enroll client certificate from the same CA server and as a CN we use Laptop's number. The OU of the ASA and Laptop ceirtificate is the same.

We have also intalled root certificate on both devices. When we try to connect we have the message "Apr 20 2012 17:43:24: %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:x.x.x.x dst identity:x.x.x.x(type 5, code 0) on outside interface. Original IP payload: tcp src x.x.x.x/443 dst x.x.x.x/54281". Can you help me? I can send you, if you want, the configuration in order to check it.

Thank you

rahgovin · ‎04-21-2012

Hi,

So just to re-state the problem: You are unable to connect to the ASA using Anyconnect with certificate authentication but you are able to do so with aaa authentication. A few more details,what is the message that pops up on the Anyconnect gui when you try connect and fails, say for example "Certificate Validation Failure"? Also, a test would be to see if you are facing the same failure when you try to connect to the ASA using a web brower (clientless login). From the config, it looks like you have configured the certificates right. Now in order to confirm if the right cert is getting selected for authentication, another help would be to run "debug cry ca 255" on the ASA when the client tries to connect. I think these tests would be a good way to start looking into the problem. Let me know what you see from these tests.

Thanks

Rahul

tasoskypraios · ‎04-22-2012

Hi Rahul,

I have created 3 Connection profiles in the ASA, 2 with aaa authentication and 1 with aaa authentication and certificate. When i am trying to connect from laptop's Annyconnect client i see only the 2 connection profiles which are requiried only aaa authentication. So with anyconnect cilent i cannot see the connection profiloe with the certificate and aaa.

I had tried from the web browser and there i can saw the Connection Profile (aaa & certificate) and the error message that i was "Certificate Validation Failure".

Also i had run the command "debug cry ca 255" but the only message in the log files was the one i wrote in my original post. The only thing that i am not sure that i have tried is to enable the "debug cry ca 255" and try to connect from the web browser, i will try it again tommorow and i will inform you for the results.

Do you think that is useful to try something else?

Thank you.

rahgovin · ‎04-23-2012

Hi,

When you say you don't see that aaa+cert tunnel group, do you mean that it is not present as a one of the options to select from a drop down list when connecting through AC client? Could you check if the tunnel-group has an Alias configured? If it does not have one, it will not show up as list of profiles to choose from.

Also it would be good to see any debugs that come across from the debug crypto ca output when you connect from the web page. Let me know if you have tested that.

Thanks

Rahul

tasoskypraios · ‎04-24-2012

Hi Rahul,

Yes you are correct, the aaa+cert tunnel group, it is not presented as a one of the options to select from a drop down list when connecting through AC client while is presented when i am trying to connect through web.

Yes there is an Alias configured and the strange is that when i remove from ayuthenticationcertificate and try to connect with AC client the option was available in the drop down list.

In order to take the logs from command "debug cry ca 255" i have to enable "logging buffered debugging" am i correct? CPU usage of ASA is 20%, do you think that i will have a problem if i enable it?

Thank you