03-06-2023 07:08 AM
Hi,
We are testing upgrading from a very old version of Cisco AnyConnect (4.6) to a newer 4.10 version due to DH group limitations.
When testing the newer version, the client no longer connects as an IKEv2 IPsec connection and looks to be "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel".
Is there a knowledgeable person who can explain to me if this is a good, expected result and if this is the path forward for the AnyConnect client? Sorry, I'm still learning.
04-19-2023 07:46 AM
@Rob Ingram @MHM Cisco World @Marvin Rhoads My issue is now resolved. I needed to disable Anyconnect Essentials as explained in this forum.
03-06-2023 07:12 AM - edited 03-06-2023 07:20 AM
@KGrev You have to explicitly configure IPsec in the XML profile; if you do not, AnyConnect will connect using DTLS/TLS. So I assume you don't have a profile configured to use IPsec.
Download and install the AnyConnect Profile Editor and use the VPN Profile Editor to create the XML configuration profile and configure IPSec under the Server List. Save the profile to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
If you are upgrading to AnyConnect 4.10 from 4.6 you will be able to use DTLS 1.2 (assuming your ASA version supports it); this gives performance comparable to IPsec and much better than DTLS 1.0.
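As an added illustration of the point above (this is not code from the thread or from Cisco), the script below reads an AnyConnect VPN profile and reports which Server List entries actually carry a PrimaryProtocol of IPsec. The embedded profile is a constructed sample: the host names and addresses are placeholders, the surrounding ClientInitialization section is omitted, and the element layout is assumed to follow what the VPN Profile Editor writes (a PrimaryProtocol child under each HostEntry in the http://schemas.xmlsoap.org/encoding/ namespace). A HostEntry with no PrimaryProtocol is treated as SSL, which is the client's default.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (assumed layout, placeholder hosts). Only the first
# HostEntry asks for IPsec; the second has no PrimaryProtocol and so defaults to SSL.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN (IPsec)</HostName>
      <HostAddress>vpn-ipsec.example.invalid</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>Corp VPN (default)</HostName>
      <HostAddress>vpn-ssl.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def host_protocols(profile_xml):
    """Map each HostAddress in the Server List to its PrimaryProtocol.

    PrimaryProtocol may carry child elements (IKE identity settings), so only
    the leading text node is used; a missing element means the SSL default.
    """
    root = ET.fromstring(profile_xml)
    result = {}
    for elem in root.iter():
        if _local(elem.tag) != "HostEntry":
            continue
        addr = None
        proto = "SSL"  # client default when PrimaryProtocol is absent
        for child in elem:
            name = _local(child.tag)
            if name == "HostAddress":
                addr = (child.text or "").strip()
            elif name == "PrimaryProtocol":
                proto = (child.text or "").strip() or "SSL"
        if addr:
            result[addr] = proto
    return result


def hosts_without_ipsec(profile_xml):
    """Return the host addresses that will fall back to SSL/DTLS."""
    return sorted(a for a, p in host_protocols(profile_xml).items()
                  if p.lower() != "ipsec")


if __name__ == "__main__":
    for addr, proto in host_protocols(SAMPLE_PROFILE).items():
        print(f"{addr:30} -> {proto}")
    print("Entries without IPsec:", hosts_without_ipsec(SAMPLE_PROFILE))
    # -> Entries without IPsec: ['vpn-ssl.example.invalid']
```

Point the script at the profile actually installed under the Profile directory mentioned above (read the file instead of SAMPLE_PROFILE) to confirm the entry the client is selecting really says IPsec; an entry that comes back as SSL explains a DTLS tunnel on an otherwise unchanged ASA.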
03-06-2023 07:28 AM
@Rob Ingram Thanks for the support. I assumed the profile wasn't the issue since I copied it from a 4.6 device, but I will double-check it. In your opinion, are there any drawbacks to using DTLS 1.2 compared to IPsec?
03-06-2023 07:32 AM
03-06-2023 07:38 AM - edited 03-06-2023 07:40 AM
@Rob Ingram When I look at the profile on the client it appears to be set for IPsec.
03-06-2023 07:48 AM
@KGrev Is upgrading AnyConnect all you've done?
I assume the ASA configuration is unchanged, and IKEv2 is enabled under the group-policy attached to the tunnel-group?
03-06-2023 07:49 AM - edited 03-06-2023 07:50 AM
@Rob Ingram Yes sir, the only changes were on the laptop.
Other laptops are still connecting to the current setup as IKEv2.
03-06-2023 08:00 AM
It appears that for some reason the client is being assigned to the incorrect group-policy on the ASA. When they connect, check the output of "show vpn-sessiondb detailed anyconnect filter name <username>". Compare the assigned tunnel-group (connection profile) and group-policy with a working user.
03-06-2023 08:12 AM
@Marvin Rhoads @MHM Cisco World Thanks for your response. Here is the output showing two different tunnels on two laptops under my username.
FW1-EXT/pri/act# show vpn-sessiondb detail anyconnect filter name
Session Type: AnyConnect Detailed
Username : kenny.########### Index : 71768
Assigned IP : A.B.242.45 Public IP : A.B.131.137
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Bytes Tx : 54314263 Bytes Rx : 61112796
Pkts Tx : 101579 Pkts Rx : 116034
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR
Login Time : 14:23:06 UTC Mon Mar 6 2023
Duration : 1h:41m:01s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a02158a118580006405f74a
Security Grp : none
Username : kenny.@@@@@@@@@@@ Index : 71819
Assigned IP : A.B.242.46 Public IP : A.B.153.124
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Essentials
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 AnyConnect-Parent: (1)none
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Bytes Tx : 99977 Bytes Rx : 48387
Pkts Tx : 225 Pkts Rx : 291
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR
Login Time : 16:07:04 UTC Mon Mar 6 2023
Duration : 0h:00m:42s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a02158a1188b00064060fa8
Security Grp : none
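The comparison suggested above (tunnel-group and group-policy of the SSL session against a working IKEv2 session) is easy to do by hand for two users, but the added script below, which is not from the thread or from Cisco, does it over a whole "show vpn-sessiondb detail anyconnect" dump. The embedded output is a constructed sample modelled on the layout quoted above; the username, IP addresses, index numbers and policy names are placeholders. Each session is classified by its Protocol line, and every session's (Group Policy, Tunnel Group) pair is checked against the pairs seen on IKEv2 sessions, so an SSL session that lands on the same policy as a working IPsec peer is flagged as a client-side rather than an ASA-side difference.

```python
import re

# Constructed sample in the ASA "show vpn-sessiondb detail anyconnect" layout.
# Usernames, addresses, indexes and policy names are placeholders.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 1001
Assigned IP  : 10.0.242.45            Public IP    : 198.51.100.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Group Policy : GP1                    Tunnel Group : TG1

Username     : alice                  Index        : 1002
Assigned IP  : 10.0.242.46            Public IP    : 198.51.100.11
Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
License      : AnyConnect Essentials
Encryption   : IKEv2: (1)AES256  IPsecOverNatT: (1)AES256  AnyConnect-Parent: (1)none
Group Policy : GP1                    Tunnel Group : TG1
"""

# Only these fields are parsed; a line may carry two of them side by side.
KEYS = ("Username", "Index", "Assigned IP", "Public IP", "Protocol",
        "License", "Group Policy", "Tunnel Group")
KEY_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in KEYS) + r")\s*:\s*")


def parse_sessions(text):
    """Split the dump into one dict per session; a Username line starts a session."""
    sessions = []
    current = None
    for line in text.splitlines():
        matches = list(KEY_RE.finditer(line))
        if not matches:
            continue
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            key, value = m.group(1), line[m.end():end].strip()
            if key == "Username":
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions


def transport(session):
    """Classify a session from its Protocol line."""
    proto = session.get("Protocol", "")
    if "IKEv2" in proto:
        return "ipsec"
    if "SSL-Tunnel" in proto or "DTLS-Tunnel" in proto:
        return "ssl"
    return "unknown"


def report(text):
    """Per-session summary plus whether the policy matches a working IPsec session."""
    sessions = parse_sessions(text)
    ipsec_policies = {(s.get("Group Policy"), s.get("Tunnel Group"))
                      for s in sessions if transport(s) == "ipsec"}
    rows = []
    for s in sessions:
        policy = (s.get("Group Policy"), s.get("Tunnel Group"))
        rows.append({
            "user": s.get("Username"),
            "index": s.get("Index"),
            "transport": transport(s),
            "policy": policy,
            "same_policy_as_ipsec_peer": policy in ipsec_policies,
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_OUTPUT):
        print(row)
```

In the sample both sessions land on the same group-policy and tunnel-group, so the SSL session is reported with same_policy_as_ipsec_peer set to True; that is the case where the ASA assignment is not the difference and the client profile or licence is the next thing to check.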
03-06-2023 08:20 AM
You see the public IP is changed, so even with the same username/password the session is different.
03-06-2023 08:24 AM
@MHM Cisco World Yes, I stated it was different sessions to compare results.
03-06-2023 08:20 AM
@KGrev So what's the difference in the client configuration on those 2 laptops?
The tunnel-group/group-policy is obviously allowing IKEv2 and ssl-client connections, so is one laptop configured with an XML profile to explicitly use IKEv2/IPsec and the other laptop not configured with a profile, hence the DTLS tunnel?
03-06-2023 08:27 AM
@Rob Ingram I think I see the issue. I placed my previous profile in the same place as the other laptops, but there is a "MgmtTun" folder one step deeper that has the new "anyconnectProfile.xsd" file. It's probably because I haven't edited that file.
03-06-2023 08:30 AM
@KGrev Unlikely, you shouldn't have to modify the Mgmt Tunnel for a user VPN.
03-06-2023 08:33 AM
@Rob Ingram You're right, it even connected fine when I moved the file out of the folder. It feels like I don't have the correct profile in the right place, or it's just not using it for some reason.