Communicating User Guidelines
Please consider communicating the following guidelines to your VPN users, or use this section as a reference when responding to user requests for guidance. The following topics are covered:
• Responding to a TUN/TAP Error Message with Mac OS X 10.5
• 64-bit Internet Explorer Not Supported
• Avoiding the Wireless Hosted Network
• Mac OS X 10.6 Sends All DNS Queries in the Clear
• Start Before Logon and DART Installation
• Responding to a Quarantine State
• Using the AnyConnect CLI Commands to Connect (Standalone Mode)
• Setting the Secure Connection (Lock) Icon
Responding to a TUN/TAP Error Message with Mac OS X 10.5
During the installation of AnyConnect on Mac OS X 10.5 and earlier versions, the following error message sometimes appears:
A version of the TUN virtual network driver is already installed on this system that is
incompatible with the AnyConnect client. This is a known issue with OS X version 10.5 and
prior, and has been resolved in 10.6. Please uninstall any VPN client, speak with your
System Administrator, or reference the AnyConnect Release Notes for assistance in
resolving this issue.
Mac OS X 10.6 resolves this issue because it provides the version of the TUN/TAP virtual network driver AnyConnect requires.
Versions of Mac OS X earlier than 10.6 do not include a TUN/TAP virtual network driver, so AnyConnect installs its own on these operating systems. However, some software such as Parallels, software that manages data cards, and some VPN applications install their own TUN/TAP driver. The AnyConnect installation software displays the error message above because the driver is already present, but its version is incompatible with AnyConnect.
To install AnyConnect, you must remove the TUN/TAP virtual network driver.
Note
Removing the TUN/TAP virtual network driver can cause issues with the software on your system that installed the driver in the first place.
To remove the TUN/TAP virtual network driver, open the console application and enter the following commands:
sudo rm -rf /Library/Extensions/tap.kext
sudo rm -rf /Library/Extensions/tun.kext
sudo rm -rf /Library/StartupItems/tap
sudo rm -rf /Library/StartupItems/tun
sudo rm -rf /System/Library/Extensions/tun.kext
sudo rm -rf /System/Library/Extensions/tap.kext
sudo rm -rf /System/Library/StartupItems/tap
sudo rm -rf /System/Library/StartupItems/tun
After entering these commands, restart Mac OS, then re-install AnyConnect.
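Because the note above warns that removing the driver can break whatever software installed it, it is worth knowing which of the eight locations are actually present before running rm -rf. The following shell functions are an added example, not part of the Cisco guide: they take the path list from the procedure above, report the entries that exist, and remove only those. The optional ROOT argument is an assumption of this example (it prefixes every path so the functions can be tried against a scratch directory; on a real Mac it is omitted and the functions run with sudo).

```shell
#!/bin/sh
# Added example (not from the Cisco guide): report, and optionally remove, the
# third-party TUN/TAP driver locations named in the procedure above.
# ROOT is an assumed prefix (default: none) so the functions can be exercised
# against a scratch tree instead of the live system.

TUNTAP_PATHS="
/Library/Extensions/tap.kext
/Library/Extensions/tun.kext
/Library/StartupItems/tap
/Library/StartupItems/tun
/System/Library/Extensions/tun.kext
/System/Library/Extensions/tap.kext
/System/Library/StartupItems/tap
/System/Library/StartupItems/tun
"

# Print every listed path that exists under ROOT; return 1 if none is present.
find_conflicting_tuntap() {
    root="${1:-}"
    found=0
    for p in $TUNTAP_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Remove only the paths that actually exist and print each one removed,
# so the operator has a record of what was taken off the system.
remove_conflicting_tuntap() {
    root="${1:-}"
    find_conflicting_tuntap "$root" | while IFS= read -r p; do
        rm -rf "$p"
        echo "removed $p"
    done
}
```

On a live system, run `find_conflicting_tuntap` first (no argument) to see which driver copies are installed, then `sudo sh -c '. ./tuntap.sh; remove_conflicting_tuntap'` or equivalent once you have confirmed the owning application can tolerate their removal.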
64-bit Internet Explorer Not Supported
AnyConnect installation via WebLaunch does not support 64-bit versions of Internet Explorer. If using Windows on x64 (64-bit), use the 32-bit version of Internet Explorer or Firefox to install WebLaunch. At this time, Firefox is available only in a 32-bit version.
Avoiding the Wireless Hosted Network
Using the Windows 7 Wireless Hosted Network feature can make AnyConnect unstable. When using AnyConnect, we do not recommend enabling this feature or running front-end applications that enable it (e.g., Connectify or Virtual Router).
Mac OS X 10.6 Sends All DNS Queries in the Clear
With split-DNS enabled, Mac OS X 10.6 sends all DNS queries in the clear. It should send DNS queries targeting split-DNS domains over the VPN session. Apple plans to resolve this issue in an upcoming update.
Start Before Logon and DART Installation
The Start Before Logon component requires that AnyConnect be installed first.
If SBL or DART is manually uninstalled from an endpoint that then connects, these components will be re-installed. This behavior will only occur if the head-end configuration specifies that these components be installed and the preferences (set on the endpoint) permit upgrades.
Responding to a Quarantine State
An endpoint that does not comply with corporate policies for access shows a network status of Quarantined on the AnyConnect Connection tab.
An ACL assigned to a dynamic access policy applied to a quarantined session typically grants access only to remediation services such as antivirus and antispyware updates.
A session in a quarantined state must have sufficient time to remediate the endpoint. Following this time period, the user must click Reconnect to exit the state and start a new posture assessment.
Using the AnyConnect CLI Commands to Connect (Standalone Mode)
The Cisco AnyConnect VPN Client provides a CLI for users who prefer to issue commands instead of using the graphical user interface. The following sections describe how to launch the CLI command prompt.
For Windows
To launch the CLI command prompt and issue commands on a Windows system, locate the file vpncli.exe in the Windows folder C:\Program Files\Cisco\Cisco AnyConnect VPN Client. Double-click the file vpncli.exe.
For Linux and Mac OS X
To launch the CLI command prompt and issue commands on a Linux or Mac OS X system, locate the file vpn in the folder /opt/cisco/vpn/bin/. Execute the file vpn.
If you run the CLI in interactive mode, it provides its own prompt. You can also use the command line. Table 2-1 shows the CLI commands.
Table 2-1 AnyConnect Client CLI Commands
Command | Action
connect IP address or alias | Client establishes a connection to a specific ASA.
disconnect | Client closes a previously established connection.
stats | Displays statistics about an established connection.
quit | Exits the CLI interactive mode.
exit | Exits the CLI interactive mode.
The following examples show the user establishing and terminating a connection from the command line:
Windows
connect
Establishes a connection to a security appliance with the address 209.165.200.224. After contacting the requested host, the AnyConnect client displays the group to which the user belongs and asks for the user's username and password. If you have specified that an optional banner be displayed, the user must respond to the banner. The default response is n, which terminates the connection attempt. For example:
VPN> connect 209.165.200.224
>>contacting host (209.165.200.224) for login information...
>>Please enter your username and password.
>>notice: Please respond to banner.
STOP! Please read. Scheduled system maintenance will occur tonight from 1:00-2:00 AM for
one hour. The system will not be available during that time.
>> notice: Authentication succeeded. Checking for updates...
>> notice: Establishing connection to 209.165.200.224.
>> notice: VPN session established.
stats
Displays statistics for the current connection; for example:
Client Address: 192.168.23.45
Server Address: 209.165.200.224
Tunneling Mode: All Traffic
Protocol Cipher: RSA_AES_256_SHA1
Protocol Compression: None
Bytes (sent/received): 1950410/23861719
Packets (sent/received): 18346/28851
Bypassed (outbound/inbound): 0/0
Discarded (outbound/inbound): 0/0
disconnect
Closes a previously established connection; for example:
>> notice: VPN session ended.
quit or exit
Either command exits the CLI interactive mode; for example:
Linux or Mac OS X
/opt/cisco/vpn/bin/vpn connect 1.2.3.4
Establishes a connection to an ASA with the address 1.2.3.4.
/opt/cisco/vpn/bin/vpn connect some_asa_alias
Establishes a connection to an ASA by reading the profile and looking up the alias some_asa_alias in order to find its address.
/opt/cisco/vpn/bin/vpn stats
Displays statistics about the VPN connection.
/opt/cisco/vpn/bin/vpn disconnect
Disconnects the VPN session if one exists.
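The stats output shown above is the quickest way for a helpdesk script to confirm that a user's session is actually carrying traffic through the tunnel and that the full-tunnel policy took effect. The following shell functions are an added example and not Cisco code: they parse that output (SAMPLE_STATS below is constructed from the sample printed earlier in this section), look up a field by its label, and check that Tunneling Mode is All Traffic with nothing bypassed. The example assumes that the live CLI prints the same "Label: value" lines as the sample; any extra lines it prints are ignored because only exact label matches are used.

```shell
#!/bin/sh
# Added example (not Cisco code): read the output of "vpn stats" (or the
# interactive "stats" command) and answer the questions a support script asks.
# SAMPLE_STATS is a constructed copy of the output shown in this section.

SAMPLE_STATS='Client Address: 192.168.23.45
Server Address: 209.165.200.224
Tunneling Mode: All Traffic
Protocol Cipher: RSA_AES_256_SHA1
Protocol Compression: None
Bytes (sent/received): 1950410/23861719
Packets (sent/received): 18346/28851
Bypassed (outbound/inbound): 0/0
Discarded (outbound/inbound): 0/0'

# stat_field "<label>" [stats-text]: print the value after "<label>: ".
# Only an exact label match is accepted, so unrelated lines are ignored.
stat_field() {
    label="$1"
    text="${2:-$SAMPLE_STATS}"
    printf '%s\n' "$text" | awk -F': ' -v l="$label" '$1 == l { print $2; exit }'
}

# check_full_tunnel [stats-text]: succeed only when every packet goes through
# the VPN, i.e. Tunneling Mode is "All Traffic" and nothing was bypassed.
check_full_tunnel() {
    text="${1:-$SAMPLE_STATS}"
    mode=$(stat_field "Tunneling Mode" "$text")
    bypassed=$(stat_field "Bypassed (outbound/inbound)" "$text")
    [ "$mode" = "All Traffic" ] && [ "$bypassed" = "0/0" ]
}

# received_bytes [stats-text]: the inbound byte counter, for a simple
# "is traffic actually flowing" check between two samples.
received_bytes() {
    stat_field "Bytes (sent/received)" "${1:-$SAMPLE_STATS}" | cut -d/ -f2
}
```

Against a live client the functions are fed the real output, for example `check_full_tunnel "$(/opt/cisco/vpn/bin/vpn stats)" || echo "split tunnel or bypassed traffic detected"`; the sample is only a default so the block can be tried without a session.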
Setting the Secure Connection (Lock) Icon
The Lock icon indicates a secure connection. Windows XP automatically hides this icon among those that have not been recently used. Users can prevent Windows XP from hiding this icon by following this procedure:
Step 1
Go to the taskbar where the tray icons are displayed and right-click the left angle bracket ( < ).
Step 2
Select Customize Notifications...
Step 3
Select Cisco Systems AnyConnect VPN Client and set to Always Show.
AnyConnect Hides the Internet Explorer Connections Tab
Under certain conditions, AnyConnect hides the Connections tab located in Internet Explorer Tools, Internet Options. When exposed, this tab lets the user set proxy information. Hiding this tab prevents the user from intentionally or unintentionally circumventing the tunnel. The tab lockdown is reversed on disconnect, and it is superseded by any administrator-defined policies regarding that tab. The conditions under which this lockdown occurs are either of the following:
• The ASA configuration specifies a private-side proxy.
• AnyConnect uses a public-side proxy defined by Internet Explorer to establish the tunnel. In this case, the split tunneling policy on the ASA must be set to Tunnel All Networks.