03-14-2023 06:53 AM
Good morning,
Just as the title says, I'm curious if there is an XML settings file or a certificate that dictates what proposals the AnyConnect Client will offer to its VPN endpoint when it starts its IKEv2 negotiation. I do know that the XML at Cisco>Cisco Anyconnect Secure Mobility Client>Profile is where I can set IPsec. But I'm more interested in what dictates what proposals it makes.
Thanks for any help!
04-11-2023 12:57 PM
@Gustavo Medina I'm doing a "show version" on the ASA.
Looks like I have "ASA5585-SSP-60 VPN Premium License"
04-11-2023 12:59 PM
I'm guessing from the license that I have that I do not have AnyConnect Essentials from this chart? How does this affect me?
04-11-2023 01:05 PM
Can you share the "sh version"?
04-11-2023 01:10 PM
04-11-2023 01:20 PM - edited 04-11-2023 02:30 PM
Ah ok, you do have AnyConnect Essentials, which was part of the old licensing model. That seems to be the problem then. You also have 10000 AnyConnect Premium, so just disable Essentials as follows and try to connect:
webvpn
no anyconnect-essentials
You can see here that Apex (now Premier) is needed for IKEv2 Suite-B https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/feature/guide/anyconnect4tenfeatures.html
04-11-2023 01:22 PM
@Gustavo Medina Thanks for your help.
Can you explain like I'm a child what will happen when I type that command. I'll have to brief my higher ups just in case.
04-11-2023 01:33 PM
Also @Gustavo Medina, I have many devices currently running AnyConnect 4.6 connecting with IKEv2. Is this just a requirement for 4.10?
04-11-2023 01:55 PM - edited 04-11-2023 02:11 PM
Sure, history time (feeling old now). In the very old days (AnyConnect 2.x and 3.x) we had a different licensing model: AnyConnect Essentials, AnyConnect Premium and add-ons like AnyConnect for Mobile, AnyConnect for Phones, Advanced Endpoint Assessment.
AnyConnect Essentials allowed just basic VPN connection via SSL or IKEv2. This was intended for customers coming from the legacy IPsec VPN Client that did not need advanced features of AnyConnect or clientless.
Then starting with Anyconnect 4.x we simplified the licensing model and started offering Anyconnect Plus and Anyconnect Apex (now rebranded to Anyconnect Advantage and Anyconnect Premier) https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/secure-client-og.html#3Licenses
In this picture you can see the features mapping from the old licensing model to the new one:
Essentials and Premium are discontinued licenses and should not co-exist with Advantage (formerly Plus) or Apex (formerly Apex). The old licensing model applied only to Anyconnect 3.x which is EoL:
https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/eos-eol-notice-c51-734084.html
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc28
https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc42
- You need to make sure you have the right licensing to be compliant.
- Essentials should not even be configured as it's discontinued.
- Disabling essentials with the "no anyconnect-essentials" will not have any impact in terms of number of users as you have the same amount of Premium Licenses (10K) from the "sh version".
- After 4.9, since we removed insecure algorithms, AnyConnect clients will not be able to establish IKEv2 sessions to headends with anyconnect-essentials enabled or Advantage (formerly Plus). It will require Premier (formerly Apex): https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/secure-client-og.html#3Licenses
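A small audit script, added here as an example and not part of the thread or of any Cisco tool, that applies the point above (and the `no anyconnect-essentials` fix from the earlier reply) to pasted ASA CLI output: it reads the Premium peer count from a "show version" capture, checks whether `anyconnect-essentials` is enabled under `webvpn`, and prints the change to apply. Both captures below are constructed for this example; the script assumes the running config lists the `anyconnect-essentials` keyword when the feature is on.

```python
# Added example (not from the thread): audit pasted ASA CLI output for the
# Essentials/Premium licensing combination discussed above.
import re
from typing import Dict, List

# Constructed 'show version' excerpt (licence block only), not real output.
SAMPLE_SHOW_VERSION = """\
Licensed features for this platform:
AnyConnect Premium Peers       : 10000          perpetual
AnyConnect Essentials          : 10000          perpetual
This platform has an ASA5585-SSP-60 VPN Premium license.
"""

# Constructed 'show running-config webvpn' excerpt with Essentials enabled.
SAMPLE_WEBVPN_ENABLED = """\
webvpn
 enable outside
 anyconnect-essentials
 anyconnect enable
"""

# The same block after the fix from the thread has been applied.
SAMPLE_WEBVPN_DISABLED = """\
webvpn
 enable outside
 no anyconnect-essentials
 anyconnect enable
"""


def premium_peers(show_version: str) -> int:
    """Return the licensed AnyConnect Premium peer count, or 0 if absent."""
    m = re.search(r"AnyConnect Premium Peers\s*:\s*(\d+)", show_version)
    return int(m.group(1)) if m else 0


def essentials_enabled(webvpn_config: str) -> bool:
    """True when a bare 'anyconnect-essentials' line (not the 'no' form)
    appears under webvpn. Assumption: the running config shows the keyword
    when the feature is on, as in the thread."""
    return any(line.strip() == "anyconnect-essentials"
               for line in webvpn_config.splitlines())


def audit(show_version: str, webvpn_config: str) -> Dict[str, object]:
    """Combine both captures into findings plus the CLI lines to apply."""
    peers = premium_peers(show_version)
    enabled = essentials_enabled(webvpn_config)
    findings: List[str] = []
    remediation: List[str] = []
    if enabled:
        findings.append(
            "anyconnect-essentials is enabled: AnyConnect releases after 4.9 "
            "cannot establish IKEv2 sessions to this headend")
        if peers > 0:
            # Same Premium capacity stays licensed, so disabling Essentials
            # does not reduce the number of concurrent users.
            findings.append(
                f"{peers} Premium peers licensed: disabling Essentials "
                "keeps the same session capacity")
            remediation = ["webvpn", " no anyconnect-essentials"]
        else:
            findings.append(
                "no Premium peer licence found: confirm entitlement before "
                "disabling Essentials")
    return {"premium_peers": peers, "essentials_enabled": enabled,
            "findings": findings, "remediation": remediation}


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_WEBVPN_ENABLED),
                       ("after", SAMPLE_WEBVPN_DISABLED)):
        result = audit(SAMPLE_SHOW_VERSION, cfg)
        print(label, result["findings"] or ["no licensing issue found"])
        for cmd in result["remediation"]:
            print("   ", cmd)
```

Run it against your own "show version" and "show running-config webvpn" captures by swapping in the two strings; the "after" case shows that once `no anyconnect-essentials` is present the audit reports nothing, which is the state the later replies in this thread confirm as working.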
04-12-2023 06:23 AM
@Gustavo Medina This is sounding good. I'm hoping to get approved to try this soon.
And nothing happens to the clients that are still running the 4.6 version correct?
04-12-2023 09:36 AM
Correct.
04-19-2023 07:43 AM
@Gustavo Medina This fixed my issues. Thank you for your great help!
My 4.10 clients are now connected and it also allowed my 4.6 devices to connect at a higher group and encryption.