Guest

Cisco AnyConnect Secure Mobility Client

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5.x for Apple iOS

  • Viewing Options

  • PDF (176.2 KB)
  • Feedback
Release Notes for Cisco AnyConnect Secure Mobility Client 2.5.x, for Apple iOS

Table Of Contents

Release Notes for Cisco AnyConnect Secure Mobility Client 2.5.x, for Apple iOS

Introduction

Supported Apple iOS Devices

Changes in AnyConnect 2.5.5130

New Features in AnyConnect 2.5.5112

Pre-packaged Localization

Diagnostics Enhancements

Certificate Management

Profile Management

Localization Management

Additional URI Handler Command

Apple iOS AnyConnect Features

Adaptive Security Appliances Requirements

ASA Release Requirements

ASA AnyConnect License Requirements

Known Issues and Limitations

Known Issues in AnyConnect 2.5.5130

Fixed Issues in AnyConnect 2.5.5130

Fixed Issues in AnyConnect 2.5.5112

Known Issues in Apple iOS Impacting VPN

Apple iOS Permits All Local LAN Traffic with Tunnel-all

Guidelines and Limitations

AnyConnect Support Policy

End-User License Agreement

OpenSSL Project

Related Documentation


Release Notes for Cisco AnyConnect Secure Mobility Client 2.5.x, for Apple iOS


Updated: April 27, 2012

This document includes the following sections:

Introduction

Supported Apple iOS Devices

Changes in AnyConnect 2.5.5130

New Features in AnyConnect 2.5.5112

Apple iOS AnyConnect Features

Adaptive Security Appliances Requirements

Known Issues and Limitations

AnyConnect Support Policy

End-User License Agreement

OpenSSL Project

Related Documentation

Introduction

These release notes provide only Apple iOS-specific information for the Cisco Secure Mobility client. This document supplements the Cisco AnyConnect Administrator Guides. You can deploy later releases of AnyConnect for other devices simultaneously with this release.

This release of AnyConnect provides remote users with secure VPN connections to the Cisco ASA 5500 Series using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol.

This release provides seamless and secure remote access to enterprise networks. The client provides a full tunneling experience that allows any installed application to communicate as though connected directly to the enterprise network. It runs on the Apple iPhone, iPad, and iPod Touch supporting connections to IPv4 and IPv6 resources over an IPv4 network tunnel. The client installation software is available on the Apple iTunes App Store. The App store provides all AnyConnect for Apple iOS distributions and updates.


Note The adaptive security appliance (ASA) does not provide AnyConnect for Apple iOS distributions and updates.


Supported Apple iOS Devices

This release supports the following Apple devices:

Device
Apple iOS Release Required

iPad/iPad 2 WiFi and 3G

4.2.1 or later

iPhone 3G/3GS/4

4.1 or later

iPhone 4S

5.0 or later

iPod Touch (2nd Generation or later)

4.1 or later



Note AnyConnect on the iPod Touch appears and operates as on the iPhone. Use the iPhone AnyConnect User Guide for this device.


Changes in AnyConnect 2.5.5130

No new features have been added to his release. See Fixed Issues in AnyConnect 2.5.5130 for changes in this release.

New Features in AnyConnect 2.5.5112

Pre-packaged Localization

The following language translations are included in the AnyConnect package:

Czech (cs-cz)

German (de-de)

Latin American Spanish (es-co)

Canadian French (fr-ca)

Japanese (ja-jp)

Korean (ko-kr)

Polish (pl-pl)

Simplified Chinese (zh-cn)

Localization data for these languages is installed on the device when AnyConnect is installed. The displayed language is determined by the locale specified in Settings > General > International > Language. AnyConnect uses the language specification, then the region specification, to determine the best match. For example, after installation, a French-Switzerland (fr-ch) locale setting results in a French-Canadian (fr-ca) display. AnyConnect UIs and messages are translated as soon as AnyConnect starts. The selected localization is noted as Active in the AnyConnect Localization Management screen.

Diagnostics Enhancements

Diagnostic information and activities available to the AnyConnect user have been enhanced in the following ways:

On the iPhone, all logged information is now contained on the Logs screen. Users now view AnyConnect messages, Service debug logs, and App debug logs from this screen. Also, all messages and logs are cleared using Clear Logs on this screen.

Users can now easily Email Logs... directly to Cisco by choosing Cisco as the recipient of the email.

System information relevant to the operation of the AnyConnect client is now assembled and easily accessible from the System Information screen.

Users can now manage Certificates, Profiles, and Localization Data on their own device. See the following for management details:,

Certificate Management

Profile Management

Localization Management

Certificate Management

Users now have the ability to view and manage AnyConnect certificates from the new Diagnostics screen. The user performs these tasks:

Import a certificate by tapping Import Certificate...

Delete all certificates by tapping the Delete All Certificates.

Browse all certificates available to AnyConnect.

View details of each certificate by selecting the expansion icon.

Delete individual certificates by choosing Edit and selecting each certificate to be deleted.

See "Viewing and Managing Certificates" in the appropriate User Guide for detailed procedures.

Profile Management

The AnyConnect VPN Client Profile is an XML file that specifies client behavior and identifies VPN connections. Each connection entry in the VPN Client Profile specifies a secure gateway that is accessible to this endpoint device as well as other connection attributes, policies, and constraints. These connection entries, in addition to the VPN connections configured locally on the device by the user, are listed on the AnyConnect home screen to choose from when initiating a VPN connection.

Administrators use the AnyConnect Profile Editor to edit the VPN Client Profile XML file, configuring connection entries and client features for mobile devices. Administrators choose how to distribute the client profile by configuring the security appliance to upload a client profile onto the mobile device upon VPN connectivity, by providing the user with an AnyConnect URI link to import a client profile, or by defining a procedure for the user to manually import a client profile. See the AnyConnect Administrators Guide for details and procedures on configuring and deploying Client Profiles.


Note AnyConnect retains only one VPN Client Profile on the device at a time.


Users now have the ability to manage the AnyConnect VPN Client Profile on their device in the Diagnostics screen. Users perform these tasks:

View client profile details by turning Show Profile ON.

Delete the current client profile by tapping the Delete Profile button and confirming this action. Connection entries that were defined in the profile are cleared from the AnyConnect home screen, and AnyConnect client behavior conforms to default client specifications.

Import an XML profile by tapping the Import Profile... button and specifying the URL of a new profile. Connection entries defined in this profile appear in the AnyConnect home screen immediately, and AnyConnect client behavior conforms to this profile's specifications.


Note Only Delete Profile is available to users running iOS versions before 5.0 (Ice Cream Sandwich).


See "Viewing and Managing the AnyConnect Profile" in the appropriate User Guide for detailed procedures.

Localization Management

Users can now manage localization data on their own device in the Diagnostics screen. Users perform these localization activities:

Import localization data from a specified server. The user selects Import Localization and then specifies the address of the secure gateway and the locale. The locale is specified per ISO 639-1, with the country code added if applicable (for example, en-US, fr-CA, ar-IQ, and so on). This localization data is used in place of the pre-packaged installed localization data.

Restore default localization data. Selecting Restore Localization restores the use of the pre-loaded localization data from the AnyConnect package. Imported localization data remains on the device but is not used.

See "Managing Localization" in the appropriate User Guide for detailed procedures.

Additional URI Handler Command

The URI handler supported lets other applications pass action requests in the form of Universal Resource Indicator (URIs) to AnyConnect. Administrators insert URIs into webpages or applications for the users' convenience. This release provides an additional URI handler feature:

Import AnyConnect VPN Client Profile: Use the URI handler import command to distribute a profile to an AnyConnect client.

See Using the URI Handler to Automate AnyConnect Actions for instructions on providing a URI to import a client profile and all other URI commands.


Note AnyConnect URI handling is Disabled by default. Device users allow this functionality by selecting Settings > AnyConnect > External Control and choosing Enable or Prompt.


Apple iOS AnyConnect Features

We support the following AnyConnect features in AnyConnect 2.5.x for Apple iOS:

Tunnel Protocols

Cisco SSL Tunneling Protocol (CSTP)

Cisco DTLS Tunneling Protocol (CDTP)

SSL Cipher Suites

AES256-SHA

AES128-SHA

DES-CBC3

RC4-SHA

RC4-MD5

DES-CBC-SHA

DTLS Cipher Suites

AES256-SHA

AES128-SHA

DES-CBC3

DES-CBC-SHA

Authentication

Client Certificate Authentication

Routing Policy

Tunnel All

Split Include

Split Exclude

Simultaneous full-tunnel and clientless connections

Rekey

Network Roaming

TLS Compression

Cisco Profile Support

Profile Update

IPv6 over IPv4

Post-Login Banner

Dead Peer Detection

Tunnel Keepalive

Backup Server List

Default Domain

Cluster Support

DNS Server Configuration

Private-side Proxy Support

Network Change Monitoring

Statistics

Graphical User Interface

Pre-login Banner

AnyConnect Secure Certificate Enrollment Protocol (SCEP)

Certificate Management

Import a certificate using the client interface or URI command.

Delete a certificate or all certificates on the device

Connect on Demand (compatible with Apple iOS Connect on Demand)

Mobile Posture

Localization


Note The SCEP references in this document apply exclusively to AnyConnect SCEP, not Apple iOS SCEP.


Adaptive Security Appliances Requirements

Only ASA models support the Cisco AnyConnect Secure Mobility client for Apple iOS. See the Adaptive Security Appliance VPN Compatibility Reference for a complete list of compatibility requirements.


Note Routers running Cisco IOS VPN do not currently support AnyConnect for Apple iOS.


ASA Release Requirements

Table 1 shows the minimum Cisco ASA 5500 software images that support AnyConnect.

Table 1 Software Images that Support AnyConnect, Release 2.5.x for Apple iOS 4.2.x, 4.3.x, and 5.0.x

Image Type
Version

ASA Boot image

8.0(4) or later

Adaptive Security Device Manager (ASDM)

6.1(3) or later


ASA AnyConnect License Requirements

AnyConnect for Apple iOS connections require the following licenses on the ASA:

An AnyConnect core license granting SSL VPN access for a total number of simultaneous sessions. Satisfy this requirement with one of the following options, each which supports full client access from the desktop: Cisco AnyConnect Essentials license or Cisco AnyConnect Premium Clientless SSL VPN Edition license.

AnyConnect Mobile license for mobile device access.

These licenses are mutually exclusive per ASA, but you can configure a mixed network. Both the AnyConnect Essentials and AnyConnect Mobile licenses are nominally priced. We offer the following trial options:

If you have an AnyConnect Essentials or Premium license and you would like to obtain a three-month trial Mobile AnyConnect license, go to the following website: https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717

If you would like to obtain both an AnyConnect Essentials or Premium license and an AnyConnect Mobile license, or you have questions about licensing, email us a request with the show version output from your ASA to ac-mobile-license-request@cisco.com.

For brief descriptions and example product numbers (SKUs) of the AnyConnect user license options, see Cisco Secure Remote Access: VPN Licensing Overview.

For the latest details about the AnyConnect user license options, see Managing Feature Licenses in the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3.

Known Issues and Limitations

Known Issues in AnyConnect 2.5.5130

Table 2 Known Issues in AnyConnect 2.5.5130

Identifier
Headline

CSCti85655

Various issues with the launch image.

CSCti95974

Inconsistent statistics panel behavior.

CSCto94510

AC non-WinX clients are not requesting entire certificate chain.

CSCts89292

AC for iPhone DNS queries ignore .local domains.

CSCtt44916

iPhone: Message at the bottom of the "Domain List" should be modified.

CSCty36621

Cannot establish VPN connections when using non-UTF-8 localization files.


Fixed Issues in AnyConnect 2.5.5130

Table 3 Fixed Issues in AnyConnect 2.5.51230

Identifier
Headline

CSCty80399

Unable to connect to Cisco IOS head-ends.

CSCty83904

Allow end-user to edit "Network Roaming" setting for IPCU fields

CSCty86575

AnyConnect for Apple iOS fails to synchronize profile if locked by MDM.


Fixed Issues in AnyConnect 2.5.5112

Table 4 Fixed Issues in Release 2.5.5112

Bug ID
Headline

CSCts89232

AC for iPhone DNS queries default domain last if split-dns is configured

CSCtw95755

Anyconnect on iPhone does not show installed certificates

CSCtx42901

AC for iPhone fails on iOS 5.x when DNS Load Balancing is taking place

CSCtx66669

Profile updates aren't getting imported if On-Demand is used to connect

CSCtx92325

AnyConnect needs to be installed before API can be used


Known Issues in Apple iOS Impacting VPN

We have reported the following iOS issues to Apple. They may be resolved in a future iOS release.

A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.

Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This functionality works as expected on iPhone devices.

If a VPN configuration contains a large number of routes or split-dns rules, the Apple device cannot establish a VPN connection. This bug occurs, for example, if, upon connection, an ASA configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual subnets. To prevent this bug from impacting users, apply a tunnel-all configuration or reduce the number of rules.

AnyConnect may become slow or crash when there are a large number of VPN connections configured on the mobile device.

Customers who wish to tunnel IPv6 traffic should upgrade their iPhones and iPads to iOS 5.0 or later. Known problems exist in iOS 4.3 that prevent AnyConnect from processing IPv6 traffic properly due to the inability to set default IPv6 routes.

Apple iOS Permits All Local LAN Traffic with Tunnel-all

Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel policy include:

All local LAN traffic

Scoped routes for preexisting connections (for example, a video being streamed before VPN comes up)

Core Apple services (for example, Visual Voice mail traffic)

Guidelines and Limitations

This release of AnyConnect for Apple iOS supports only the features that are strictly related to remote access.

AnyConnect supports the following types of VPN configurations:

Manually generated.

AnyConnect VPN client profile imported.

iPhone Configuration Utility generated. For details about the iPhone Configuration Utility see http://www.apple.com/support/iphone/enterprise/

The VPN configurations generated by the iPhone Configuration Utility do not support Network Roaming. If your users require Network Roaming, use an AnyConnect profile.

The Apple iOS device supports no more than one AnyConnect VPN client profile. The contents of the generated configuration always matches the most recent profile. For example, if a user goes to vpn.example1.com and then goes to vpn.example2.com, the AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.

This release supports the tunnel keepalive feature; however, it can reduce the battery life of the device. Increasing the update interval value can mitigate that issue.

AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect can mis-report mobile posture information if the user relies on iOS's Connect on Demand feature to make a connection initially, or after device information, such has the OS version, has changed.

In Apple iOS 4.x, some AnyConnect prompt strings will not be translated.

In Apple iOS 4.x, when AnyConnect downloads a new VPN profile during an on-demand connection, the user will not see the new connection entries from this profile until they launch the AnyConnect UI and initiate a VPN connection. When this sequence occurs in Apple iOS 5 and later, the user will be notified that a profile has been downloaded, and they need to only launch the GUI to see the connection entries.

AnyConnect Support Policy

Cisco supports all AnyConnect software versions downloaded from the iTunes App Store; however, fixes and enhancements are provided only in the most recently released version. Cisco is not able to provide earlier versions of AnyConnect for Apple iOS as only the most recently released version is available from the iTunes App Store.

End-User License Agreement

For the end-user license agreement, go to: http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf

OpenSSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).

This product includes software written by Tim Hudson (tjh@cryptsoft.com).

For Open Source License information for this product, see the following link:

http://www.cisco.com/en/US/docs/security/asa/asa83/license_standalone/open_source/opensrce.html

Related Documentation

For more information, refer to the following related documentation:

User Guide

iPhone User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.5

iPad User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.5

Release Notes

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 2.5

Administrator Guide

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5

Other

Navigating the Cisco ASA 5500 Series Documentation

Additional information on using VPN connections with Apple iOS devices is available from Apple:

http://developer.apple.com/library/ios/search/?q=VPN+Server+Configuration

http://support.apple.com/kb/HT1424

http://images.apple.com/iphone/business/docs/iPhone_VPN.pdf