How Does Anyconnect VPN Work?

Hawk
Level 1

Does anyone have a deep dive into the processes that take place when an AnyConnect client user attempts to log in? I have configured AnyConnect before, both split tunnel and non split tunnel, but I am having a hard time knowing what's actually taking place on the ASA to establish and facilitate VPN traffic. There are quite a few configurations involved, from enabling webvpn on the outside interface to group policies to tunnel groups and much more. Can someone explain how these configurations come into play, and at what point during the tunneling process a particular configuration matters?

Accepted Solution

Rahul Govindan
VIP Alumni

Going to be difficult to go into too much detail in this thread but I'll try.

From the ASA side:

The base configuration for the ASA consists of the global webvpn configuration, tunnel-group and group-policy configuration. The webvpn configuration defines global settings like on what port and interface webvpn needs to be enabled, along with what minimum AnyConnect client version is required by the ASA admin.

Next, simply put, the tunnel-group defines what sort of authentication has to take place for the user, while the group-policy defines what sort of permissions and settings the user receives after authentication (authorization).

So when a user connects, they would hit a tunnel-group and authenticate based on the AAA or cert method defined there. They would then receive attributes defined in the group-policy assigned to them (dynamically or statically in the tunnel-group). This is where split tunnels, filters etc. take effect.

Post this, sessions (tunnels) are created on the ASA: a Parent, TLS and/or DTLS. Internally the ASA keeps classification rules to match traffic to send across the tunnel.

From the client side:

Post authentication and tunnel establishment, the client enables the AnyConnect virtual adapter and installs the routes (default or split tunnel networks). This basically redirects the traffic to the adapter, which then tunnels it to the ASA.

I hope this was what you were looking for.
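To make the three layers in the answer concrete, here is a minimal ASA configuration added as an illustration; it is not configuration from the original post or from Cisco, and every name, address, ACL, image file name and AAA server group in it is an assumed placeholder. It is laid out in the order the answer describes: global webvpn settings first, then the group-policy (authorization: what the user gets), then the tunnel-group (authentication: how the user is verified and which group-policy is handed out).

```cisco
! Global WebVPN settings: which interface accepts AnyConnect, which client
! package is served, and whether users may pick a tunnel-group (alias) at login.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Address pool assigned to clients once authenticated (assumed range).
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! Split-tunnel list (assumed): only this subnet is routed through the tunnel.
! With split-tunnel-policy tunnelall instead, the client installs a default route.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! VPN filter (assumed): restricts what tunneled traffic may reach internally.
! Source is the VPN client side, destination is the internal network.
access-list VPN_FILTER extended permit ip any 192.168.1.0 255.255.255.0
!
! group-policy = authorization. These attributes are pushed to the client
! after authentication; split tunnel, filter, DNS and timeouts live here.
group-policy GP_ANYCONNECT internal
group-policy GP_ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 dns-server value 192.168.1.10
 default-domain value corp.example
 vpn-filter value VPN_FILTER
 vpn-idle-timeout 30
!
! tunnel-group = authentication. The user lands here (by alias or by the
! default group), is checked against AAA_SERVERS with LOCAL as fallback,
! gets an address from the pool, and is then handed GP_ANYCONNECT.
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 address-pool ANYCONNECT_POOL
 authentication-server-group AAA_SERVERS LOCAL
 default-group-policy GP_ANYCONNECT
tunnel-group TG_ANYCONNECT webvpn-attributes
 group-alias Employees enable
```

Once a client is connected, `show vpn-sessiondb detail anyconnect` lists the session with its Parent, SSL-Tunnel and DTLS-Tunnel entries, which is the point in the answer where the ASA's tunnels exist and its classification rules start matching traffic. The `dns-server value` and `default-domain value` lines are also the attributes that decide whether names resolve over the tunnel: if they are absent or point at a server that is not reachable through the split-tunnel list, clients will reach internal hosts by IP but not by name.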


Gents

When I try to connect outside of my infrastructure with AnyConnect using the configured name it will not connect, saying unsuccessful name resolution. I can connect by using the IP of the device though.

Once connected I cannot use any resources unless I use their IPs. Share drives cannot be reached by name but have to use IPs; websites too.

When I use AnyConnect within my infrastructure I do not have these issues.

Do you think the problem is with AnyConnect, the concentrator or a DNS issue outside of the VPN service?

Thanks for any info.