Table Of Contents
Release Notes for Cisco AnyConnect Secure Mobility Client 2.5.x, for Apple iOS
Updated: April 27, 2012
This document includes the following sections:
These release notes provide only Apple iOS-specific information for the Cisco Secure Mobility client. This document supplements the Cisco AnyConnect Administrator Guides. You can deploy later releases of AnyConnect for other devices simultaneously with this release.
This release of AnyConnect provides remote users with secure VPN connections to the Cisco ASA 5500 Series using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol.
This release provides seamless and secure remote access to enterprise networks. The client provides a full tunneling experience that allows any installed application to communicate as though connected directly to the enterprise network. It runs on the Apple iPhone, iPad, and iPod Touch supporting connections to IPv4 and IPv6 resources over an IPv4 network tunnel. The client installation software is available on the Apple iTunes App Store. The App store provides all AnyConnect for Apple iOS distributions and updates.
Note The adaptive security appliance (ASA) does not provide AnyConnect for Apple iOS distributions and updates.
Supported Apple iOS Devices
This release supports the following Apple devices:
Device Apple iOS Release Required
iPad/iPad 2 WiFi and 3G
4.2.1 or later
4.1 or later
5.0 or later
iPod Touch (2nd Generation or later)
4.1 or later
Note AnyConnect on the iPod Touch appears and operates as on the iPhone. Use the iPhone AnyConnect User Guide for this device.
Changes in AnyConnect 2.5.5130
No new features have been added to his release. See Fixed Issues in AnyConnect 2.5.5130 for changes in this release.
New Features in AnyConnect 2.5.5112
The following language translations are included in the AnyConnect package:
•Latin American Spanish (es-co)
•Canadian French (fr-ca)
•Simplified Chinese (zh-cn)
Localization data for these languages is installed on the device when AnyConnect is installed. The displayed language is determined by the locale specified in Settings > General > International > Language. AnyConnect uses the language specification, then the region specification, to determine the best match. For example, after installation, a French-Switzerland (fr-ch) locale setting results in a French-Canadian (fr-ca) display. AnyConnect UIs and messages are translated as soon as AnyConnect starts. The selected localization is noted as
Activein the AnyConnect Localization Management screen.
Diagnostic information and activities available to the AnyConnect user have been enhanced in the following ways:
•On the iPhone, all logged information is now contained on the Logs screen. Users now view AnyConnect messages, Service debug logs, and App debug logs from this screen. Also, all messages and logs are cleared using Clear Logs on this screen.
•Users can now easily Email Logs... directly to Cisco by choosing Cisco as the recipient of the email.
•System information relevant to the operation of the AnyConnect client is now assembled and easily accessible from the System Information screen.
•Users can now manage Certificates, Profiles, and Localization Data on their own device. See the following for management details:,
Users now have the ability to view and manage AnyConnect certificates from the new Diagnostics screen. The user performs these tasks:
•Import a certificate by tapping Import Certificate...
•Delete all certificates by tapping the Delete All Certificates.
•Browse all certificates available to AnyConnect.
•View details of each certificate by selecting the expansion icon.
•Delete individual certificates by choosing Edit and selecting each certificate to be deleted.
See "Viewing and Managing Certificates" in the appropriate User Guide for detailed procedures.
The AnyConnect VPN Client Profile is an XML file that specifies client behavior and identifies VPN connections. Each connection entry in the VPN Client Profile specifies a secure gateway that is accessible to this endpoint device as well as other connection attributes, policies, and constraints. These connection entries, in addition to the VPN connections configured locally on the device by the user, are listed on the AnyConnect home screen to choose from when initiating a VPN connection.
Administrators use the AnyConnect Profile Editor to edit the VPN Client Profile XML file, configuring connection entries and client features for mobile devices. Administrators choose how to distribute the client profile by configuring the security appliance to upload a client profile onto the mobile device upon VPN connectivity, by providing the user with an AnyConnect URI link to import a client profile, or by defining a procedure for the user to manually import a client profile. See the AnyConnect Administrators Guide for details and procedures on configuring and deploying Client Profiles.
Note AnyConnect retains only one VPN Client Profile on the device at a time.
Users now have the ability to manage the AnyConnect VPN Client Profile on their device in the Diagnostics screen. Users perform these tasks:
•View client profile details by turning Show Profile ON.
•Delete the current client profile by tapping the Delete Profile button and confirming this action. Connection entries that were defined in the profile are cleared from the AnyConnect home screen, and AnyConnect client behavior conforms to default client specifications.
•Import an XML profile by tapping the Import Profile... button and specifying the URL of a new profile. Connection entries defined in this profile appear in the AnyConnect home screen immediately, and AnyConnect client behavior conforms to this profile's specifications.
Note Only Delete Profile is available to users running iOS versions before 5.0 (Ice Cream Sandwich).
See "Viewing and Managing the AnyConnect Profile" in the appropriate User Guide for detailed procedures.
Users can now manage localization data on their own device in the Diagnostics screen. Users perform these localization activities:
•Import localization data from a specified server. The user selects Import Localization and then specifies the address of the secure gateway and the locale. The locale is specified per ISO 639-1, with the country code added if applicable (for example, en-US, fr-CA, ar-IQ, and so on). This localization data is used in place of the pre-packaged installed localization data.
•Restore default localization data. Selecting Restore Localization restores the use of the pre-loaded localization data from the AnyConnect package. Imported localization data remains on the device but is not used.
See "Managing Localization" in the appropriate User Guide for detailed procedures.
Additional URI Handler Command
The URI handler supported lets other applications pass action requests in the form of Universal Resource Indicator (URIs) to AnyConnect. Administrators insert URIs into webpages or applications for the users' convenience. This release provides an additional URI handler feature:
•Import AnyConnect VPN Client Profile: Use the URI handler import command to distribute a profile to an AnyConnect client.
See Using the URI Handler to Automate AnyConnect Actions for instructions on providing a URI to import a client profile and all other URI commands.
Note AnyConnect URI handling is Disabled by default. Device users allow this functionality by selecting Settings > AnyConnect > External Control and choosing Enable or Prompt.
Apple iOS AnyConnect Features
We support the following AnyConnect features in AnyConnect 2.5.x for Apple iOS:
–Cisco SSL Tunneling Protocol (CSTP)
–Cisco DTLS Tunneling Protocol (CDTP)
•SSL Cipher Suites
•DTLS Cipher Suites
•Client Certificate Authentication
•Simultaneous full-tunnel and clientless connections
•Cisco Profile Support
•IPv6 over IPv4
•Dead Peer Detection
•Backup Server List
•DNS Server Configuration
•Private-side Proxy Support
•Network Change Monitoring
•Graphical User Interface
•AnyConnect Secure Certificate Enrollment Protocol (SCEP)
–Import a certificate using the client interface or URI command.
–Delete a certificate or all certificates on the device
•Connect on Demand (compatible with Apple iOS Connect on Demand)
Note The SCEP references in this document apply exclusively to AnyConnect SCEP, not Apple iOS SCEP.
Adaptive Security Appliances Requirements
Only ASA models support the Cisco AnyConnect Secure Mobility client for Apple iOS. See the Adaptive Security Appliance VPN Compatibility Reference for a complete list of compatibility requirements.
Note Routers running Cisco IOS VPN do not currently support AnyConnect for Apple iOS.
ASA Release Requirements
Table 1 shows the minimum Cisco ASA 5500 software images that support AnyConnect.
Table 1 Software Images that Support AnyConnect, Release 2.5.x for Apple iOS 4.2.x, 4.3.x, and 5.0.x
Image Type Version
ASA Boot image
8.0(4) or later
Adaptive Security Device Manager (ASDM)
6.1(3) or later
ASA AnyConnect License Requirements
AnyConnect for Apple iOS connections require the following licenses on the ASA:
•An AnyConnect core license granting SSL VPN access for a total number of simultaneous sessions. Satisfy this requirement with one of the following options, each which supports full client access from the desktop: Cisco AnyConnect Essentials license or Cisco AnyConnect Premium Clientless SSL VPN Edition license.
•AnyConnect Mobile license for mobile device access.
These licenses are mutually exclusive per ASA, but you can configure a mixed network. Both the AnyConnect Essentials and AnyConnect Mobile licenses are nominally priced. We offer the following trial options:
•If you have an AnyConnect Essentials or Premium license and you would like to obtain a three-month trial Mobile AnyConnect license, go to the following website: https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717
•If you would like to obtain both an AnyConnect Essentials or Premium license and an AnyConnect Mobile license, or you have questions about licensing, email us a request with the show version output from your ASA to email@example.com.
For brief descriptions and example product numbers (SKUs) of the AnyConnect user license options, see Cisco Secure Remote Access: VPN Licensing Overview.
For the latest details about the AnyConnect user license options, see Managing Feature Licenses in the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3.
Known Issues and Limitations
Known Issues in AnyConnect 2.5.5130
Fixed Issues in AnyConnect 2.5.5130
Fixed Issues in AnyConnect 2.5.5112
Known Issues in Apple iOS Impacting VPN
We have reported the following iOS issues to Apple. They may be resolved in a future iOS release.
•A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
•Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This functionality works as expected on iPhone devices.
•If a VPN configuration contains a large number of routes or split-dns rules, the Apple device cannot establish a VPN connection. This bug occurs, for example, if, upon connection, an ASA configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual subnets. To prevent this bug from impacting users, apply a tunnel-all configuration or reduce the number of rules.
•AnyConnect may become slow or crash when there are a large number of VPN connections configured on the mobile device.
•Customers who wish to tunnel IPv6 traffic should upgrade their iPhones and iPads to iOS 5.0 or later. Known problems exist in iOS 4.3 that prevent AnyConnect from processing IPv6 traffic properly due to the inability to set default IPv6 routes.
Apple iOS Permits All Local LAN Traffic with Tunnel-all
Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel policy include:
•All local LAN traffic
•Scoped routes for preexisting connections (for example, a video being streamed before VPN comes up)
•Core Apple services (for example, Visual Voice mail traffic)
Guidelines and Limitations
This release of AnyConnect for Apple iOS supports only the features that are strictly related to remote access.
•AnyConnect supports the following types of VPN configurations:
–AnyConnect VPN client profile imported.
–iPhone Configuration Utility generated. For details about the iPhone Configuration Utility see http://www.apple.com/support/iphone/enterprise/
•The VPN configurations generated by the iPhone Configuration Utility do not support Network Roaming. If your users require Network Roaming, use an AnyConnect profile.
•The Apple iOS device supports no more than one AnyConnect VPN client profile. The contents of the generated configuration always matches the most recent profile. For example, if a user goes to vpn.example1.com and then goes to vpn.example2.com, the AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.
•This release supports the tunnel keepalive feature; however, it can reduce the battery life of the device. Increasing the update interval value can mitigate that issue.
•AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect can mis-report mobile posture information if the user relies on iOS's Connect on Demand feature to make a connection initially, or after device information, such has the OS version, has changed.
•In Apple iOS 4.x, some AnyConnect prompt strings will not be translated.
•In Apple iOS 4.x, when AnyConnect downloads a new VPN profile during an on-demand connection, the user will not see the new connection entries from this profile until they launch the AnyConnect UI and initiate a VPN connection. When this sequence occurs in Apple iOS 5 and later, the user will be notified that a profile has been downloaded, and they need to only launch the GUI to see the connection entries.
AnyConnect Support Policy
Cisco supports all AnyConnect software versions downloaded from the iTunes App Store; however, fixes and enhancements are provided only in the most recently released version. Cisco is not able to provide earlier versions of AnyConnect for Apple iOS as only the most recently released version is available from the iTunes App Store.
End-User License Agreement
For the end-user license agreement, go to: http://www.cisco.com/univercd/cc/td/doc/es_inpck/eu1jen__.pdf
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (firstname.lastname@example.org).
This product includes software written by Tim Hudson (email@example.com).
For Open Source License information for this product, see the following link:
For more information, refer to the following related documentation:
Additional information on using VPN connections with Apple iOS devices is available from Apple:
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2004-2012 Cisco Systems, Inc. All rights reserved.