Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Communicating User Guidelines

Table Of Contents

Communicating User Guidelines

Responding to a TUN/TAP Error Message with Mac OS X 10.5

64-bit Internet Explorer Not Supported

Avoiding the Wireless Hosted Network

Mac OS X 10.6 Sends All DNS Queries in the Clear

Start Before Logon and DART Installation

Responding to a Quarantine State

Using the AnyConnect CLI Commands to Connect (Standalone Mode)

Setting the Secure Connection (Lock) Icon

AnyConnect Hides the Internet Explorer Connections Tab


Communicating User Guidelines


Please consider communicating the following guidelines to your VPN users, or use this section as a reference when responding to user requests for guidance. The following topics are covered:

Responding to a TUN/TAP Error Message with Mac OS X 10.5

64-bit Internet Explorer Not Supported

Avoiding the Wireless Hosted Network

Mac OS X 10.6 Sends All DNS Queries in the Clear

Start Before Logon and DART Installation

Responding to a Quarantine State

Using the AnyConnect CLI Commands to Connect (Standalone Mode)

Setting the Secure Connection (Lock) Icon

AnyConnect Hides the Internet Explorer Connections Tab

Responding to a TUN/TAP Error Message with Mac OS X 10.5

During the installation of AnyConnect on Mac OS X 10.5 and earlier versions, the following error message sometimes appears:

A version of the TUN virtual network driver is already installed on this system that is 
incompatible with the AnyConnect client. This is a known issue with OS X version 10.5 and 
prior, and has been resolved in 10.6. Please uninstall any VPN client, speak with your 
System Administrator, or reference the AnyConnect Release Notes for assistance in 
resolving this issue.
 
   

Mac OS X 10.6 resolves this issue because it provides the version of the TUN/TAP virtual network driver AnyConnect requires.

Versions of Mac OS X earlier than 10.6 do not include a TUN/TAP virtual network driver, so AnyConnect installs its own on these operating systems. However, some software such as Parallels, software that manages data cards, and some VPN applications install their own TUN/TAP driver. The AnyConnect installation software displays the error message above because the driver is already present, but its version is incompatible with AnyConnect.

To install AnyConnect, you must remove the TUN/TAP virtual network driver.


Note Removing the TUN/TAP virtual network driver can cause issues with the software on your system that installed the driver in the first place.


To remove the TUN/TAP virtual network driver, open the Terminal application (Applications > Utilities > Terminal) and enter the following commands. Before doing so, confirm which of these paths actually exist on the system and which product installed them, since the software that owns the driver stops working once it is gone:

sudo rm -rf /Library/Extensions/tap.kext

sudo rm -rf /Library/Extensions/tun.kext

sudo rm -rf /Library/StartupItems/tap

sudo rm -rf /Library/StartupItems/tun

sudo rm -rf /System/Library/Extensions/tun.kext

sudo rm -rf /System/Library/Extensions/tap.kext

sudo rm -rf /System/Library/StartupItems/tap

sudo rm -rf /System/Library/StartupItems/tun

After entering these commands, restart Mac OS, then re-install AnyConnect.
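The following shell script is an added example and is not part of the Cisco guide. It wraps the removal procedure above in a dry run: it reports which of the eight listed paths are actually present, shows any currently loaded tun/tap kernel extensions via kextstat when that tool is available, and deletes only when explicitly told to. The root-prefix argument (assumed to be / on a real Mac) exists so the logic can be exercised against a scratch directory; the path list itself is the one the guide gives.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: inventory the third-party TUN/TAP
# driver paths listed in the guide before removing anything. The default is a
# dry run; deletion happens only when the second argument is "remove". The
# first argument is a root prefix (assumed to be "/" on a real Mac) so the
# logic can be exercised against a scratch directory.

TUNTAP_PATHS="
/Library/Extensions/tap.kext
/Library/Extensions/tun.kext
/Library/StartupItems/tap
/Library/StartupItems/tun
/System/Library/Extensions/tun.kext
/System/Library/Extensions/tap.kext
/System/Library/StartupItems/tap
/System/Library/StartupItems/tun
"

# Print each listed path that exists under the root prefix $1, one per line.
list_tuntap_paths() {
    root="${1:-/}"
    for p in $TUNTAP_PATHS; do
        [ -e "${root%/}$p" ] && printf '%s\n' "${root%/}$p"
    done
    return 0
}

# Print how many of the listed paths exist under $1 (the dry-run summary).
count_tuntap_paths() {
    list_tuntap_paths "$1" | wc -l | tr -d ' '
}

# Show loaded tun/tap kernel extensions. kextstat exists on Mac OS X only,
# so elsewhere this is reported as unavailable rather than failing.
show_loaded_tuntap_kexts() {
    if command -v kextstat >/dev/null 2>&1; then
        kextstat | grep -i -E 'tun|tap' || echo "no tun/tap kext currently loaded"
    else
        echo "kextstat not available on this system; skipping loaded-kext check"
    fi
}

# Delete the listed paths that exist under $1 and print how many were removed.
remove_tuntap_paths() {
    root="${1:-/}"
    n=0
    for p in $(list_tuntap_paths "$root"); do
        rm -rf "$p" && n=$((n + 1))
    done
    echo "$n"
}

main() {
    root="${1:-/}"
    mode="${2:-dry-run}"
    echo "Checking for third-party TUN/TAP driver files under ${root}"
    show_loaded_tuntap_kexts
    found=$(count_tuntap_paths "$root")
    if [ "$found" -eq 0 ]; then
        echo "Nothing to remove."
        return 0
    fi
    echo "Found:"
    list_tuntap_paths "$root"
    if [ "$mode" = "remove" ]; then
        removed=$(remove_tuntap_paths "$root")
        echo "Removed $removed item(s). Restart Mac OS X, then reinstall AnyConnect."
    else
        echo "Dry run only. Re-run with 'remove' as the second argument to delete these paths."
    fi
}

main "$@"
```

On the Mac, run the script once with no arguments to see what is present and which kexts are loaded, then run it again under sudo with the arguments "/ remove" once you are satisfied that the owning product (Parallels, a data-card manager, another VPN client) can tolerate losing its driver. Restart and reinstall AnyConnect afterwards, as the guide instructs.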

64-bit Internet Explorer Not Supported

AnyConnect installation via WebLaunch does not support 64-bit versions of Internet Explorer. On 64-bit (x64) Windows, use the 32-bit version of Internet Explorer, or Firefox, for the WebLaunch installation. At this time, Firefox is available only in a 32-bit version.

Avoiding the Wireless Hosted Network

Using the Windows 7 Wireless Hosted Network feature can make AnyConnect unstable. When using AnyConnect, we do not recommend enabling this feature or running front-end applications that enable it (e.g., Connectify or Virtual Router).

Mac OS X 10.6 Sends All DNS Queries in the Clear

With split DNS enabled, Mac OS X 10.6 sends all DNS queries in the clear to the local adapter's DNS servers, including queries for the split-DNS domains that it should send over the VPN session. Until Apple resolves this issue in an upcoming update, assume that the names of internal hosts queried from a Mac OS X 10.6 endpoint are visible to whatever network the endpoint is on.

Start Before Logon and DART Installation

The Start Before Logon (SBL) component requires that AnyConnect be installed first.

If SBL or the Diagnostic and Reporting Tool (DART) is manually uninstalled from an endpoint that then connects to the ASA, these components are re-installed. This occurs only if the head-end configuration specifies that these components be installed and the preferences set on the endpoint permit upgrades.

Responding to a Quarantine State

An endpoint that does not comply with corporate policies for access shows a network status of Quarantined on the AnyConnect Connection tab.

An ACL assigned to the dynamic access policy (DAP) applied to a quarantined session typically grants access only to remediation services, such as antivirus and antispyware update servers.

A session in a quarantined state must be given sufficient time to remediate the endpoint. Once remediation is complete, the user must click Reconnect to exit the quarantined state and start a new posture assessment.

Using the AnyConnect CLI Commands to Connect (Standalone Mode)

The Cisco AnyConnect VPN Client provides a CLI for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.

For Windows

To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.

For Linux and Mac OS X

To launch the CLI command prompt and issue commands on a Linux or Mac OS X system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.

Running the executable with no arguments starts interactive mode, which provides its own VPN> prompt. You can also pass a command as an argument on the command line, in which case the CLI runs that single command. Table 2-1 shows the CLI commands.

Table 2-1 AnyConnect Client CLI Commands

Command                        Action

connect IP address or alias    Client establishes a connection to a specific ASA.
disconnect                     Client closes a previously established connection.
stats                          Displays statistics about an established connection.
quit                           Exits the CLI interactive mode.
exit                           Exits the CLI interactive mode.


The following examples show the user establishing and terminating a connection from the command line:

Windows

connect 209.165.200.224

Establishes a connection to a security appliance with the address 209.165.200.224. After contacting the requested host, the AnyConnect client displays the group to which the user belongs and asks for the user's username and password. If the ASA is configured to display an optional banner, the user must respond to it. The default response is n, which terminates the connection attempt. For example:

VPN> connect 209.165.200.224
	>>contacting host (209.165.200.224) for login information...
	>>Please enter your username and password.
Group: testgroup
Username: testuser
Password: ********
	>>notice: Please respond to banner.
VPN> 
STOP! Please read. Scheduled system maintenance will occur tonight from 1:00-2:00 AM for
one hour. The system will not be available during that time.
accept? [y/n] y
	>> notice: Authentication succeeded. Checking for updates...
	>> state: Connecting
	>> notice: Establishing connection to 209.165.200.224.
	>> State: Connected
	>> notice: VPN session established.
VPN>

stats

Displays statistics for the current connection; for example:

VPN> stats
[ Tunnel Information ]
	Time Connected:	01:17:33
	Client Address:	192.168.23.45
	Server Address:	209.165.200.224
[ Tunnel Details ]
	Tunneling Mode:	All Traffic
	Protocol: DTLS
	Protocol Cipher: RSA_AES_256_SHA1
	Protocol Compression: None
[ Data Transfer ]
	Bytes (sent/received): 1950410/23861719
	Packets (sent/received): 18346/28851
	Bypassed (outbound/inbound): 0/0
	Discarded (outbound/inbound): 0/0
[ Secure Routes ]
	Network			Subnet
	0.0.0.0			0.0.0.0
VPN>

disconnect

Closes a previously established connection; for example:

VPN> disconnect
	>> state: Disconnecting
	>> state: Disconnected
	>> notice: VPN session ended.
VPN>

quit or exit

Either command exits the CLI interactive mode; for example:

quit
goodbye
	>>state: Disconnected


Linux or Mac OS X

/opt/cisco/vpn/bin/vpn connect 1.2.3.4

Establishes a connection to an ASA with the address 1.2.3.4.

/opt/cisco/vpn/bin/vpn connect some_asa_alias

Establishes a connection to an ASA by looking up the alias some_asa_alias in the client profile to find its address.

/opt/cisco/vpn/bin/vpn stats

Displays statistics about the VPN connection.

/opt/cisco/vpn/bin/vpn disconnect

Disconnects the VPN session, if one exists.
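The following shell script is an added example and is not code from the Cisco guide. It parses the stats output shown earlier in this section (the same text that /opt/cisco/vpn/bin/vpn stats prints on Linux and Mac OS X, the path the guide documents) and checks that the session is established as a full tunnel over DTLS with an AES cipher, which is the state an administrator wants confirmed before trusting an endpoint's traffic. The field labels are taken from the guide's sample output, which is embedded here as constructed input so the script runs without a live VPN session; the "All Traffic", "DTLS" and cipher-name comparisons are assumptions based on that sample.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: sanity-check the AnyConnect CLI's
# "stats" output before trusting the session. On a real endpoint the text
# comes from "/opt/cisco/vpn/bin/vpn stats" (the path the guide documents);
# the block below is the guide's own sample output, embedded as constructed
# input so the checks run without a VPN session.

SAMPLE_STATS='[ Tunnel Information ]
	Time Connected:	01:17:33
	Client Address:	192.168.23.45
	Server Address:	209.165.200.224
[ Tunnel Details ]
	Tunneling Mode:	All Traffic
	Protocol: DTLS
	Protocol Cipher: RSA_AES_256_SHA1
	Protocol Compression: None
[ Data Transfer ]
	Bytes (sent/received): 1950410/23861719
	Packets (sent/received): 18346/28851
	Bypassed (outbound/inbound): 0/0
	Discarded (outbound/inbound): 0/0
[ Secure Routes ]
	Network			Subnet
	0.0.0.0			0.0.0.0'

# Print the value of the first "Label: value" line whose label is $1.
# Stats text is read from stdin. Uses substring matching, not a regex, so
# labels with parentheses such as "Bytes (sent/received)" work unchanged.
stats_field() {
    awk -v l="$1" '
        { i = index($0, l ":") }
        i > 0 {
            v = substr($0, i + length(l) + 1)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

# Print the entries of the [ Secure Routes ] table as "network subnet" pairs.
secure_routes() {
    awk '
        /^\[ Secure Routes/ { in_sec = 1; next }
        /^\[/               { in_sec = 0 }
        in_sec && NF == 2 && $1 != "Network" { print $1, $2 }'
}

# Read stats text from stdin. Return 0 if it describes an established
# full-tunnel DTLS session with an AES cipher; otherwise print each
# failed check and return 1.
check_tunnel() {
    stats=$(cat)
    server=$(printf '%s\n' "$stats" | stats_field "Server Address")
    mode=$(printf '%s\n' "$stats" | stats_field "Tunneling Mode")
    proto=$(printf '%s\n' "$stats" | stats_field "Protocol")
    cipher=$(printf '%s\n' "$stats" | stats_field "Protocol Cipher")
    rc=0
    [ -n "$server" ] || { echo "no Server Address: no session established"; rc=1; }
    [ "$mode" = "All Traffic" ] || { echo "Tunneling Mode is '$mode', not All Traffic: some traffic bypasses the VPN"; rc=1; }
    [ "$proto" = "DTLS" ] || { echo "Protocol is '$proto', not DTLS"; rc=1; }
    case "$cipher" in
        *AES_256*|*AES_128*) ;;
        *) echo "unexpected cipher '$cipher'"; rc=1 ;;
    esac
    return $rc
}

# Convenience wrapper: print "ok" or "fail" for stats text passed as $1.
check_tunnel_str() {
    if printf '%s\n' "$1" | check_tunnel >/dev/null; then echo ok; else echo fail; fi
}

main() {
    if [ -x /opt/cisco/vpn/bin/vpn ]; then
        stats=$(/opt/cisco/vpn/bin/vpn stats)
    else
        echo "AnyConnect CLI not found; checking the embedded sample output instead"
        stats=$SAMPLE_STATS
    fi
    if printf '%s\n' "$stats" | check_tunnel; then
        echo "tunnel OK: $(printf '%s\n' "$stats" | stats_field "Protocol Cipher")"
    fi
    echo "secure routes (network subnet):"
    printf '%s\n' "$stats" | secure_routes
}

main
```

The secure-routes listing is the quickest way to see whether the ASA pushed a full tunnel (a single 0.0.0.0/0.0.0.0 entry, as in the guide's sample) or a split-tunnel route list; with split tunneling, traffic to anything outside those networks leaves the endpoint unprotected, which is also why the Mac OS X 10.6 split-DNS note earlier in this chapter matters. On Windows the same text comes from vpncli.exe stats, so only the path in main needs to change.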


Setting the Secure Connection (Lock) Icon

The Lock icon in the notification area indicates a secure connection. Windows XP automatically hides this icon among those that have not been recently used. Users can prevent Windows XP from hiding this icon by following this procedure:


Step 1 Go to the taskbar where the tray icons are displayed and right-click the left angle bracket ( < ).

Step 2 Select Customize Notifications...

Step 3 Select Cisco Systems AnyConnect VPN Client and set it to Always Show.


AnyConnect Hides the Internet Explorer Connections Tab

Under certain conditions, AnyConnect hides the Connections tab under Tools > Internet Options in Internet Explorer. When exposed, this tab lets the user change proxy settings. Hiding it prevents the user from intentionally or unintentionally routing traffic around the tunnel through a proxy. The lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies regarding that tab. The lockdown occurs under either of the following conditions:

The ASA configuration specifies a private-side proxy.

AnyConnect uses a public-side proxy defined by Internet Explorer to establish the tunnel. In this case, the split tunneling policy on the ASA must be set to Tunnel All Networks.