Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn how to implement Secure VPN Mobility using Cisco AnyConnect with Cisco expert Naman Latif. Naman is a technical support engineer at the Cisco Technical Assistance Center for VPN and security technologies. His areas of expertise include configuration and troubleshooting for Cisco's security product portfolio, including VPN, PKI and firewall technologies, as well as the AnyConnect client and the Cisco Adaptive Security Appliance (ASA).
Remember to use the rating system to let Naman know if you have received an adequate response.
Naman might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security, VPN discussion forum shortly after the event. This event lasts through May 20, 2011. Visit this forum often to view responses to your questions and the questions of other community members.
Welcome Everyone to the discussion regarding Security Mobility with AnyConnect 3.X.
Cisco AnyConnect is an important part of Cisco Borderless Networks and can be used to provide identity-based secure access in 802.1X networks. It also provides secure remote access using SSL VPN or IKEv2, and posture assessment to enforce compliance before an end host is allowed access to the corporate network.
Please see the links below to get familiar with the various components of AnyConnect 3.0.
Good day Latif,
We are in the process of testing AnyConnect 3.0 with the ASA and WSA.
We would like to seek your advice regarding the Host Scan feature on the AC.
We managed to get basic Host Scan (pre-login assessment) up and running with AnyConnect 3.0.
A quick query regarding the endpoint assessment scan for antivirus, firewall and antispyware.
We enabled (ticked) Endpoint Assessment in the Host Scan settings.
On the AnyConnect remote client side, how can I determine that the endpoint assessment has indeed checked my antivirus, firewall, etc.?
Is there any log on my AC client that indicates I have passed the endpoint assessment?
When we did a test VPN login, it logged me in successfully after the pre-login assessment.
So we're not too sure if it really did check the AV, firewall, etc., as we do not see it in the ASDM logs either.
We have only Microsoft Security Essentials installed on the AC client PC.
There are two ways you can check / get the information on the host assessment.
1. You can enable "debug dap trace" on the ASA, and it will give you details of what was checked on the client PC.
2. You can enable "CSD" debugging in ASDM:
Configuration -> Remote Access VPN --> Secure Desktop Manager --> Global Settings
After enabling the logging, the logs are stored at the location below.
Please note that when using option 2, the logs should only be enabled during troubleshooting, as the logs are in clear text and can be read by the user.
Thanks Naman for your info.
We have tested the options and came up with the following results in the log:
[cscan][info][scan_software_basic] performing basic software scan.
[cscan][info][scan_software_basic] searching for firewall products.
[cscan][info][scan_software_basic] searching for antivirus/antispyware products.
[cscan][info][scan_perform_scan] scanning complete.
We have "Endpoint Assessment ver 220.127.116.11" enabled on our ASA; however, we do not have the Advanced Endpoint Assessment.
From the above log, can we conclude that the AC client has passed the AV and anti-spyware checks?
On a side note: is there any chance of obtaining a trial license for the Advanced Endpoint Assessment?
The log above shows that CSD/Host Scan is active; however, to get more detailed results you can look at "debug dap trace" on the ASA, which should provide more details on what was discovered.
As for the "Advanced Endpoint Assessment License", it depends on whether you need remediation capabilities. If you only need to test for compliance, and the user can then initiate the AV update manually, you don't need the Advanced License.
However, you can contact your Cisco account team to get you an Advanced License (trial) and test in your environment whether that is something which might be beneficial.
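As an added example (not code from the thread or from Cisco), the following Python parses the four cscan lines quoted above and shows why they only prove that Host Scan ran: every line is a phase marker ("performing", "searching for", "scanning complete"), and nothing in them records whether an antivirus or firewall product was actually found. The bracketed `[component][level][function] message` layout is inferred from the posted lines; the sample log is those lines embedded verbatim, with no result lines invented.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Sample input: the four cscan lines quoted in the thread, embedded verbatim
# so the example runs offline. No result lines are invented.
SAMPLE_LOG = """\
[cscan][info][scan_software_basic] performing basic software scan.
[cscan][info][scan_software_basic] searching for firewall products.
[cscan][info][scan_software_basic] searching for antivirus/antispyware products.
[cscan][info][scan_perform_scan] scanning complete.
"""

# Layout inferred from the posted lines: [component][level][function] message
LINE_RE = re.compile(
    r"^\[(?P<component>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<func>[^\]]+)\]\s*(?P<msg>.*)$"
)
SEARCH_RE = re.compile(r"^searching for (?P<category>.+?) products\.?$")


class Record(NamedTuple):
    component: str
    level: str
    func: str
    msg: str


def parse_cscan_log(text: str) -> List[Record]:
    """Split a CSD/Host Scan log into records; lines that do not follow the
    bracketed layout are kept with their raw text as msg rather than dropped."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            records.append(Record("", "", "", line))
        else:
            records.append(Record(m["component"], m["level"], m["func"], m["msg"]))
    return records


def summarize_scan(records: List[Record]) -> Dict[str, object]:
    """Report which product categories were searched, whether the scan finished,
    and every cscan message that is not a mere phase marker. Only such extra
    messages (or the ASA's "debug dap trace") could show what was actually found."""
    categories: Set[str] = set()
    completed = False
    other: List[str] = []
    for r in records:
        if r.component != "cscan":
            continue
        sm = SEARCH_RE.match(r.msg)
        if sm:
            categories.add(sm["category"])
        elif r.msg.startswith("scanning complete"):
            completed = True
        elif r.msg.startswith("performing "):
            pass  # phase marker, carries no result
        else:
            other.append(r.msg)
    return {
        "categories_searched": categories,
        "scan_completed": completed,
        "other_messages": other,
        # True only if something beyond phase markers was logged
        "has_result_detail": bool(other),
    }


if __name__ == "__main__":
    summary = summarize_scan(parse_cscan_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the posted lines, `has_result_detail` is false: the client-side log confirms the firewall and antivirus/antispyware searches ran and completed, and nothing more, which is exactly why the ASA-side "debug dap trace" is the place to see what was discovered.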
I believe that you posted this in the wrong forum by mistake, as I can see your posts in other relevant forums. I hope that you will get an answer from the other forums, and if you don't get a reply, you can always open a TAC case to address the issue.
Repost from my own thread, but maybe you have some info which may be of use to me.
I have a Cisco ASA 5500 Series appliance.
I'd like to use the embedded CA.
There's no documentation which states that an AnyConnect Essentials license will suffice instead of an AnyConnect Premium license.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/data_sheet_c78-527494.html hints at Essentials being enough, as it specifically mentions that some features require Premium, but I really need to be sure.
I have two questions today.
1. Is there an option for administrators to restrict updates of the client software? For instance, if a company has deployed AnyConnect VPN and NAM version 3.0, and one of the employees then connects with AnyConnect to a customer location which has a newer AnyConnect client set up, but which only distributes VPN and not NAM?
2. When using AnyConnect Always-On, is there any way to provide only basic connectivity by default, but allow the user to authenticate for more access?
For instance: by default the computer would have access for the WSA integration and the Unified Communications environment, but would need to authenticate to get access to business applications.
Gudmundur Thor Johannsson
1. You can restrict the updates (client, profiles, etc.) from an unauthorized ASA by using the feature below:
2. For Always-On VPN, an exception can be made where users are allowed access to non-corporate resources. More information on this is at
Let me know if you need any further information.
You will need the "AnyConnect Mobile" license in addition to the Premium or Essentials license.
But as for the original question, the Essentials license will work as long as you also have the "AnyConnect Mobile" license installed.
Not a problem. I can try to answer your question.
I just tested this in the lab, and the procedure that you are trying to follow works. However, you are changing the secondary username and password, and you will only be able to view those changes if using "Secondary Authentication"?
Also, after making the changes through ASDM, you will need to make sure that:
1. You connect to the ASA at least once. Then the transform will be downloaded and applied to the AnyConnect GUI.
2. The ASA is authorized (if using AnyConnect 3.X) by editing the "preferences_global" file.
(Location: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client --> On Windows XP
Location: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client --> On Vista / Win 7)
This can be done by specifying the domain name in the "defaultdomain" field. E.g., if you access your ASA using myasa.domain.com, then you can specify domain.com.
3. After a successful connection, you should see a transform set downloaded. This will be a folder named similar to "l10n" (etc.) in the same location as above in step 2.
4. Now close the AnyConnect GUI and connect again. You should see the changes.
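As an added example (not code from the thread or from Cisco), the following Python scripts steps 2 and 3 of the procedure above: derive the domain to authorize from the ASA's FQDN with the rule in the post (myasa.domain.com gives domain.com), write it into the preferences_global file at the XP or Vista/7 path quoted above, and check for the downloaded "l10n" transform folder. Everything about the file's contents is an assumption: the sample XML is constructed, the "defaultdomain" field is modelled as a `<DefaultDomain>` element under a `<AnyConnectPreferences>` root, and the file is assumed to carry an `.xml` extension. Adjust those to match the file on your own client before using `authorize_asa`.

```python
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Directories quoted in the post for the global preferences file.
PREF_DIRS = {
    "xp": r"C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client",
    "vista_win7": r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client",
}
# Assumption: the "preferences_global" file carries an .xml extension.
PREF_FILE = "preferences_global.xml"

# Constructed sample, not a file shipped by Cisco. Assumption: the
# "defaultdomain" field is a <DefaultDomain> element under <AnyConnectPreferences>.
SAMPLE_PREFERENCES_GLOBAL = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultDomain></DefaultDomain>
</AnyConnectPreferences>
"""


def default_domain_for(asa_fqdn: str) -> str:
    """myasa.domain.com -> domain.com, the rule given in the post.

    Rejects bare IPs and hosts without a parent domain: authorizing "com"
    or an empty string would trust far more than the one ASA.
    """
    host = asa_fqdn.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 3 or any(not lab for lab in labels):
        raise ValueError(f"need host.domain.tld, got {asa_fqdn!r}")
    if all(lab.isdigit() for lab in labels):
        raise ValueError("an IP address has no domain to authorize")
    return ".".join(labels[1:])


def get_default_domain(xml_text: str) -> Optional[str]:
    """Current DefaultDomain value, or None if the element is absent or empty."""
    root = ET.fromstring(xml_text)
    el = root.find("DefaultDomain")
    if el is None or el.text is None or not el.text.strip():
        return None
    return el.text.strip()


def set_default_domain(xml_text: str, domain: str) -> str:
    """Return the preferences XML with DefaultDomain set, creating the element if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != "AnyConnectPreferences":
        raise ValueError(f"unexpected root element {root.tag!r}")
    el = root.find("DefaultDomain")
    if el is None:
        el = ET.SubElement(root, "DefaultDomain")
    el.text = domain
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def preferences_dir(windows_release: str) -> str:
    """Map platform.release() ('XP', 'Vista', '7') to the directory named in the post."""
    return PREF_DIRS["xp"] if windows_release.upper() == "XP" else PREF_DIRS["vista_win7"]


def transform_downloaded(pref_dir: str) -> bool:
    """Step 3 check: the downloaded transform shows up as an l10n folder beside the file."""
    return os.path.isdir(os.path.join(pref_dir, "l10n"))


def authorize_asa(asa_fqdn: str, windows_release: str) -> str:
    """Step 2 on a real client: rewrite preferences_global and return the l10n path to watch."""
    pref_dir = preferences_dir(windows_release)
    path = os.path.join(pref_dir, PREF_FILE)
    with open(path, encoding="utf-8") as f:
        updated = set_default_domain(f.read(), default_domain_for(asa_fqdn))
    with open(path, "w", encoding="utf-8") as f:
        f.write(updated)
    return os.path.join(pref_dir, "l10n")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample only.
    print(set_default_domain(SAMPLE_PREFERENCES_GLOBAL, default_domain_for("myasa.domain.com")))
```

`default_domain_for` deliberately refuses IP addresses and two-label names, because the value written here widens what the client treats as an authorized ASA: the narrowest domain that still matches your headend is the one to specify.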
We are in the process of testing AC on mobile/tablet devices: iPad/iPhone.
There are a few doubts that we would like to enquire about: