Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7638
Views
36
Helpful
3
Replies

AnyConnect-Parent Encryption NONE

Go to solution
Delmiro Campelo
Level 1
Level 1

‎06-30-2013 11:52 AM - edited ‎02-21-2020 06:59 PM

Hi Support Community,

When viewing the VPN sessions in ASDM, AnyConnect-Parent encrytion shows as "none",shouldn't it say RC4 or AES, something like that? is some of the traffic not encrypted ? It's conforting to see the SSL-Tunnel shows as RC4 I'm just trying to have a better understanding of this, if you guys could point me to some articles explaining these behaviors that would be great. thank you for your input.

AnyConnect-Parent-EncryptionNone.jpg

Delmiro

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rkumar5
Level 1
Level 1

‎06-30-2013 11:47 PM

Hi Delmiro,

Here is the basic understanding of the tunnels that are created when we connect to the ssl.

It depends on the mecahnism that is used either you can use the weblaunch or the standalone client

Depending on the connection you will create three different tunnels(sessions) on the ASA, each one with a specific purpose:

  1. Clientless or Parent Tunnel: This is the main  session that is created during the negotiation to setup the session  cookie that is necessary in case a reconnect is needed due to network  connectivity issues or hibernation, etc. Depending of the connection  mechanism, the ASA will list the session as Clientless (Weblaunch via  the Portal) or Parent (Standalone AnyConnect).

    Note:  The AnyConnect-Parent represents the session when the client is not  actively connected. It does not represent an encrypted tunnel. It's  actually a database entry on the ASA.So, if the client shuts  down/sleeps, the tunnels (IPsec/IKE/TLS/DTLS) are  torn down, but the  Parent remains until the idle timer or max connect time kicks in. It  allows the user to reconnect without re-authenticating.

  2. SSL-Tunnel: The SSL connection is established first  and data is passed over this connection while attempting to establish a  DTLS connection. Once the DTLS connection has been established, the  client start sending the packets via the DTLS connection instead of the  SSL connection. Control packets, on the other hand, always go over the  SSL connection.

  3. DTLS-Tunnel: When the DTLS-Tunnel is fully  established, all data now moves to the DTLS-tunnel and the SSL-tunnel is  only used for occasional control channel traffic. If something should  happen to UDP, the DTLS-Tunnel will be torn down and all data will pass  through the SSL-Tunnel again.

Hope this helps.

Regards

Raj Kumar

View solution in original post

3 Replies 3

Go to solution
rkumar5
Level 1
Level 1

‎06-30-2013 11:47 PM

Hi Delmiro,

Here is the basic understanding of the tunnels that are created when we connect to the ssl.

It depends on the mecahnism that is used either you can use the weblaunch or the standalone client

Depending on the connection you will create three different tunnels(sessions) on the ASA, each one with a specific purpose:

  1. Clientless or Parent Tunnel: This is the main  session that is created during the negotiation to setup the session  cookie that is necessary in case a reconnect is needed due to network  connectivity issues or hibernation, etc. Depending of the connection  mechanism, the ASA will list the session as Clientless (Weblaunch via  the Portal) or Parent (Standalone AnyConnect).

    Note:  The AnyConnect-Parent represents the session when the client is not  actively connected. It does not represent an encrypted tunnel. It's  actually a database entry on the ASA.So, if the client shuts  down/sleeps, the tunnels (IPsec/IKE/TLS/DTLS) are  torn down, but the  Parent remains until the idle timer or max connect time kicks in. It  allows the user to reconnect without re-authenticating.

  2. SSL-Tunnel: The SSL connection is established first  and data is passed over this connection while attempting to establish a  DTLS connection. Once the DTLS connection has been established, the  client start sending the packets via the DTLS connection instead of the  SSL connection. Control packets, on the other hand, always go over the  SSL connection.

  3. DTLS-Tunnel: When the DTLS-Tunnel is fully  established, all data now moves to the DTLS-tunnel and the SSL-tunnel is  only used for occasional control channel traffic. If something should  happen to UDP, the DTLS-Tunnel will be torn down and all data will pass  through the SSL-Tunnel again.

Hope this helps.

Regards

Raj Kumar

Go to solution
Delmiro Campelo
Level 1
Level 1
In response to rkumar5

‎07-01-2013 12:48 PM

thank you for the explanation! I appreciate it! by the way, is this explanation on a book? i would want to buy it if it is.

Customers Also Viewed These Support Documents