Full support for Cisco Secure Client on Android is provided on devices running Android 4.0 (Ice Cream Sandwich) through the latest release of Android.

In order to use the Umbrella module for Cisco Secure Client for Android, you must have Android 6.0 or later.

Cisco Secure Client for Kindle Fire HD is available from Amazon for the Kindle Fire HD devices, and the New Kindle Fire. Secure Client for Kindle is equivalent in functionality to the Secure Client for Android package.

For all current Chromebooks, Cisco Secure Client for Android is officially supported and strongly recommended for the optimal Cisco Secure Client experience on ChromeOS. The native ChromeOS client is intended only for legacy Chromebooks incapable of running Android applications.

Per-App VPN is supported in managed and unmanaged environments. In a managed environment using Samsung KNOX MDM, Samsung devices running Android 4.3 or later with Samsung Knox 2.0, are required. When using Per App in an unmanaged environment, the generic Android methods are used.

For the Network Visibility Module (NVM) capabilities, Samsung devices that are running Samsung Knox 2.8 or later (including 3.3), which requires Android 7.0 or later, are required. For configuration of NVM, the Cisco Secure Client Profile Editor from Secure Client 4.4.3 (or later) is also required. Earlier releases do not support mobile NVM configurations.

In release 4.8.03645 (and later), Android offers the Cisco Umbrella module for Cisco Secure Client for Android 6.0.1 and later devices. This roaming client for managed and unmanaged Android devices provides DNS-layer protection, and this protection extends to both apps and browsing covered by the work profile.

A mobile device management system (MDM) is required to deploy this client to Android devices and to push the Umbrella configuration to the Android devices. For a list of supported MDMs and other prerequisites, see Prerequisites for Deploying the Umbrella Module forCisco Secure Client on Android OS.

Some features may have limitations in functionality:

• Per-app VPN does not work with the Umbrella Module because of OS restrictions. If remote access VPN is active, Umbrella protection will only apply to DNS traffic that is intercepted by the VPN tunnel. If remote access is configured for per-app VPN, Umbrella protection only applies to DNS traffic for the tunneled applications.

• Always-On VPN should not be used with the lockdown (Fail Close) option when using Umbrella protection because it stops internet access for the user when the VPN server is not reachable. Refer to your MDM guide to turn off the lockdown setting when Always-On is turned on.

For an explanation of the complete Umbrella feature set, refer to the Umbrella Module for AnyConnect (Android OS) documentation.

Because of a limitation from Google on Android OS, the application download may fail in the Google Play store after enabling the Umbrella Cisco Secure Client module. To avoid this, download the applications before enabling the Umbrella module. Google has fixed this behavior in Android OS "Q." For more information, see the Google issue tracker.

The following table indicates the remote access features that are supported by Cisco Secure Client on Android:

A minimum release of the Cisco Secure Firewall ASA is required to use the following features:

Note	Refer to the feature matrix for your platform to verify the availability of these features in the current Cisco Secure Client mobile release.

• SAML authentication —Secure Firewall ASA 9.7.1.24, 9.8.2.28, 9.9.2.1 or later. Make sure that both the client and server versions are up-to-date.

• TLS 1.3—Secure Firewall ASA 9.19.1 or later.

• TLS 1.2—Secure Firewall ASA 9.3.2 or later.

• Per-App VPN tunneling mode—Secure Firewall ASA 9.3.2 or later.

• IPsec IKEv2 VPN, Suite B cryptography, SCEP Proxy, or Mobile Posture—Secure Firewall ASA 9.0.

Cisco highly recommends that all users run the current version of our Android release, which is available on the Google play store. Additionally, an .apk version is available on Cisco.com for the current version only. In the unlikely event that the Google play store is unavailable, administrators who have access to the Cisco Secure Client software download page can get this version.

• If you are experiencing connectivity issues with the VPN tunnel on Android 10, try disabling Android 10 Private DNS functionality.

• IPv6 on public and private interfaces.

  IPv6 is supported on both private and public transports using Cisco Secure Client 4.05015 (and later), on Android 5 (and later). With this combination the following is now allowed: IPv4 over an IPv6 tunnel, IPv6 over an IPv6 tunnel.

  This is in addition to the previously allowed tunnel configurations on earlier Cisco Secure Client and Android releases: IPv4 over an IPv4 tunnel, and IPv6 over an IPv4 tunnel.

  Note	Due to Google issue 65572, IPv6 over IPv4 does not work on Android 4.4. You must use Android 5 or later.

• Battery saver and Cisco Secure Client:

  • Android 5.0 introduced battery saver capabilities that block background network connectivity on your device. When battery saver is enabled, Cisco Secure Client will transition to the Paused state if it is in the background. To work around this on Android 5.0, users may turn off battery saver via the device settings: Settings -> Battery -> Battery saver or from the notification bar.

  • In Android 6.0+, when Cisco Secure Client transitions to the Paused state as a result of battery saver, you see a popup with the option to make Cisco Secure Client part of the allowed list from battery saver mode. Making Cisco Secure Client part of the allowed list provides a battery savings without impacting it’s ability to run in the background.

  • Once Cisco Secure Client is paused due to the batter saver, a manual reconnect is necessary to bring Cisco Secure Client out of the Paused state, regardless of your action to turn off battery saver or to add Secure Client to the allowed list.

• Split DNS does not work on any Android 4.4 device, and also does not work on Samsung 5.x Android devices. For Samsung devices, the only workaround is to connect to a group with split DNS disabled. On other devices you must upgrade to Android 5.x to receive the fix for this problem.

  This is due to a known issue that is present in Android 4.4 ( Issue #64819), fixed in Android 5.x, but not incorporated into Samsung 5.x android devices.

• Due to a bug in Android 5.x (Google Issue #85758, Cisco Issue # CSCus38925), if the Secure Client app is closed from the recent apps screen, it may not operate properly. To restore proper operation, terminate Secure Client in Settings and then restart it.

• On Samsung mobile devices the Settings > Wi-Fi > Smart network switch allows switching from Wifi to LTE to maintain a stable Internet connection (when the WiFi connection is not optimum). This also results in a pause and reconnect of the active VPN tunnel. Cisco recommends turning this off, since it may result in continuous reconnects.

• On Android 5.0 (Lollipop), which supports multiple active users, the VPN connection tunnels data for a single user only, not for all users on the device. Background data flow may be occurring in the clear.

• Due to a bug in Android 4.3.1(Google Issue #62073), users using the Cisco Secure Client ICS+ package cannot enter non-fully qualified domain names. For example, users cannot type "internalhost," they must type "internalhost.company.com."

• The AT&T firmware updates on HTC One to Android 4.3 (software version: 3.17.502.3) do not support "HTC Cisco Secure Client." Customers must uninstall "HTC Cisco Secure Client" and install "Cisco Secure Client ICS+." (HTC Secure Client will work on the international edition, with software version of 3.22.1540.1). Check your software version on your device at Settings > About > Software information > Software number.

• We are pleased to report that Google Issue #70916 (VPN connections will fail to connect if the administrator has set the MTU for Android tunnels lower than 1280) has been resolved in Android 5.0 (Lollipop). The following problem information is provided for reference:

  Due to a regression in Android 4.4.3,( Google Issue #70916, Cisco CSCup24172), VPN connections will fail to connect if the administrator has set the MTU for Android tunnels lower than 1280. This issue has been reported to Google and will require a new version of the OS to correct the regression introduced in Android 4.4.3. To workaround this problem, ensure that the headend administrator has not configured the tunnel MTU to be lower than 1280.

  When encountered, the message displayed to the end user is: System configuration settings could not be applied. A VPN connection will not be established, and Secure Client debug logs will report:

  
  E/vpnandroid( 2419): IPCInteractionThread: NCSS: General Exception occured, telling client
  E/vpnandroid( 2419): java.lang.IllegalStateException: command '181 interface fwmark rule add tun0' 
  failed with '400 181 Failed to add fwmark rule (No such process)'
  E/vpnandroid( 2419): at android.os.Parcel.readException(Parcel.java:1473)
  E/vpnandroid( 2419): at android.os.Parcel.readException(Parcel.java:1419)
  E/vpnandroid( 2419): at 
  com.cisco.android.nchs.aidl.IICSSupportService$Stub$Proxy.establish
  (IICSSupportService.java:330)
  E/vpnandroid( 2419): at com.cisco.android.nchs.support.VpnBuilderWrapper.establish
  (VpnBuilderWrapper.java:137)
  E/vpnandroid( 2419): at com.cisco.android.nchs.support.NCSSIPCServer.callServiceMethod
  (NCSSIPCServer.java:233)
  E/vpnandroid( 2419): at 
  com.cisco.android.nchs.ipc.IPCInteractionThread.handleClientInteraction
  (IPCInteractionThread.java:230)
  E/vpnandroid( 2419): at com.cisco.android.nchs.ipc.IPCInteractionThread.run
  (IPCInteractionThread.java:90)
  E/acvpnagent( 2450): Function: ApplyVpnConfiguration 
  File: NcssHelper.cpp Line: 740 failed to establish VPN
  E/acvpnagent( 2450): Function: PluginResult AndroidSNAKSystem::configDeviceForICS() 
  File: AndroidSNAKSystem.cpp Line: 665 failed to apply vpn configuration
  E/acvpnagent( 2450): Function: virtual PluginResult AndroidSNAKSystem::ApplyConfiguration() 
  File: AndroidSNAKSystem.cpp Line: 543 Failed to Configure System for VPN.

• We are pleased to report that Android 4.4 (KitKat) bug Google Issue #61948 (Secure Client users will experience High Packet Loss over their VPN connection /users will experience timeouts) has been resolved in Google's release of Android 4.4.1 which Google has begun distributing to some devices via Software Update. The following problem information is provided for reference:

  Due to a bug in Android 4.4 (Issue #61948, also see the Cisco Support Update), Secure Client users will experience High Packet Loss over their VPN connection. This has been seen on the Google Nexus 5 running Android 4.4 with Secure Client ICS+. Users will experience timeouts when attempting to access certain network resources. Also, in the Secure Firewall ASA logs, a syslog message will appear with text similar to "Transmitting large packet 1420 (threshold 1405)."

  Until Google produces a fix for Android 4.4, VPN administrators may temporarily reduce the maximum segment size for TCP connections on the Cisco Secure Firewall ASA by configuring the following sysopt connection tcpmss <mss size>. The default for this parameter is 1380 bytes. Reduce this value by the difference between the values seen in the ASA logs. In the above example, the difference is 15 bytes; the value should thus be no more than 1365. Reducing this value will negatively impact performance for connected VPN users where large packets are transmitted.

• Cisco Secure Client for Android may have connectivity issues when connecting to a mobile network using the IPv6 transition mechanism known as 464xlat. Known affected devices include the Samsung Galaxy Note III LTE connecting to the T-Mobile US network. This device defaults to an IPv6 only mobile network connection. Attempting a connection may result in a loss of mobile connectivity until the device is rebooted.

  To prevent this problem, use the Cisco Secure Client ICS+ app, and change your device settings to obtain IPv4 network connectivity or connect using a Wi-Fi network. For the Samsung Galaxy Note III LTE connecting to the T-Mobile US network, follow the instructions provided by T-Mobile to set the Access Point Name (APN) on your device, making sure APN Protocol is set to IPv4.

• The Cisco Secure Client ICS+ package may have issues when a private IP address range within the VPN overlaps with the range of the outside interface of the client device. When this route overlap occurs, the user may be able to successfully connect to the VPN but then be unable to actually access anything. This issue has been seen on cellular networks which use NAT (Network Address Translation) and assign addresses within the 10.0.0.0 - 10.255.255.255 range. It is due to Cisco Secure Client having limited control of routes in the Android VPN framework. The vendor specific Android packages have full routing control and may work better in such a scenario.

• An Asus tablet running Android 4.0 (ICS) may be missing the tun driver. This causes AVF Cisco Secure Client to fail.

• Android security rules prevent the device from sending and receiving multimedia messaging service (MMS) messages while a VPN connection is up. Most devices and service providers display a notification if you try to send an MMS message while the VPN connection is up. Android permits sending and receiving of messages when the VPN is not connected.

• Due to Google Issue 41037, when pasting text from the clipboard, a space is inserted in front of the text. In Cisco Secure Client, when copying text such as a one time password, the user has to delete this erroneous white space.

For more information refer to the following documentation:

• Cisco Secure Client Release Notes

• Cisco Secure Client Administrator Guides

• Cisco Secure Firewall ASA Documentation Landing Page