Apple iOS Known Issues, Limitations, Common Problems, and Solutions with Cisco AnyConnect Secure Mobility Client
Updated: December 12, 2018
The Cisco AnyConnect Secure Mobility Client, also known as the Cisco AnyConnect VPN Client, is a software
application for connecting to a Virtual Private Network (VPN) that works on various operating systems and hardware
configurations. This software application makes remote resources of another network
accessible as if the user were directly connected to the network, but in a secure way. Cisco AnyConnect Secure
Mobility Client provides an innovative way to protect mobile users on computer-based or smart-phone platforms,
providing a more seamless, always-protected experience for end users, and comprehensive policy enforcement for an
When installing the Cisco AnyConnect Secure Mobility Client on Apple iOS devices, common errors may occur and
troubleshooting may be needed for a successful setup. To know more about basic troubleshooting on common
installation errors, click here.
Apple iOS Known Issues, Limitations, Common Problems, and Solutions
Note: The following iOS issues have already been reported to Apple and may be resolved in a future iOS
Apple iOS Known Issues
Network Roaming applies to releases earlier than iOS 8 only. iOS 8 and later releases always operate as if
Network Roaming is ON, attempting to re-establish a connection until it succeeds.
Note: For a full description of Network Roaming, click here.
Apple ID: 22784308 issue — On demand option never connects.
A Datagram Transport Layer Security (DTLS) packet received while the device is asleep does not awaken it.
Transport Layer Security (TLS) packets, however, awaken the device if notifications or FaceTime is enabled.
AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received
the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This
functionality works as expected on iPhone devices.
If a VPN configuration contains a large number of routes or split-DNS rules, the Apple device cannot establish
VPN connection. This bug occurs, for example, if, upon connection, an Adaptive Security Appliance (ASA)
configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual
To prevent this bug, apply a tunnel-all configuration or reduce the number of rules.
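One way to check a split-include list against the threshold described above and reduce its rule count without changing which destinations are tunneled. This is an added example, not Cisco's code: the ACL names, addresses and function names are constructed for illustration, and it assumes the list is an ASA standard ACL made of `permit host` and `permit network mask` lines.

```python
import ipaddress

IOS_RULE_LIMIT = 70  # "70 or more rules", as stated in the article

# Constructed sample config: ACL names and addresses are made up for illustration.
SAMPLE_ACL = "\n".join(
    [f"access-list SPLIT_INCLUDE standard permit host 10.20.30.{i}" for i in range(64)]
    + [f"access-list SPLIT_INCLUDE standard permit 192.168.{i}.0 255.255.255.0" for i in range(8)]
    + ["access-list SPLIT_INCLUDE standard permit host 172.16.5.9",
       "access-list OTHER standard permit host 10.99.99.1"]
)

def parse_split_acl(config, acl_name):
    """Return one ip_network per permit rule of the named standard ACL."""
    nets = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "standard", "permit"] or len(tok) != 6:
            continue  # other ACLs, remarks, 'permit any', unrelated config
        spec = f"{tok[5]}/32" if tok[4] == "host" else f"{tok[4]}/{tok[5]}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

def audit(config, acl_name, limit=IOS_RULE_LIMIT):
    """Count rules and compute an exact (lossless) aggregation of them."""
    rules = parse_split_acl(config, acl_name)
    # collapse_addresses only merges adjacent or overlapping networks, so the
    # set of tunneled addresses is unchanged; it never widens the include list.
    collapsed = list(ipaddress.collapse_addresses(rules))
    return {
        "rules": len(rules),
        "over_limit": len(rules) >= limit,
        "collapsed": collapsed,
        "collapsed_over_limit": len(collapsed) >= limit,
    }

def to_asa(acl_name, nets):
    """Render networks back into standard-ACL lines."""
    out = []
    for n in nets:
        target = f"host {n.network_address}" if n.prefixlen == 32 else f"{n.network_address} {n.netmask}"
        out.append(f"access-list {acl_name} standard permit {target}")
    return out

if __name__ == "__main__":
    report = audit(SAMPLE_ACL, "SPLIT_INCLUDE")
    print(report["rules"], "rules; over limit:", report["over_limit"])
    print("\n".join(to_asa("SPLIT_INCLUDE", report["collapsed"])))
```

If the aggregated list is still at or above the threshold, the remaining option the article gives is a tunnel-all configuration.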
AnyConnect may become slow or crash when there is a large number of VPN connections configured on the mobile
Apple iOS Permits All Local LAN Traffic with Tunnel-all
Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a
tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel
All Local Area Network (LAN) traffic
Scoped routes for preexisting connections (for example, a video being streamed before VPN comes up)
Core Apple services (for example, Visual Voice mail traffic)
Guidelines and Limitations for AnyConnect on Apple iOS
This release of AnyConnect for Apple iOS supports only the features that are strictly related to remote VPN
AnyConnect supports the following types of VPN configurations:
AnyConnect VPN client profile imported
iPhone Configuration Utility generated. For details about the iPhone Configuration Utility, check Apple Support.
The Apple iOS device supports only one AnyConnect VPN client profile. The contents of the generated
configuration always match the most recent profile. For example, you connect to vpn.example1.com and then to
vpn.example2.com. The AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported
This release supports the tunnel keepalive feature; however, it reduces battery life of the device. Increasing
the update interval value mitigates this issue.
Apple iOS Connect On-Demand Considerations:
VPN sessions that are automatically connected as a result of iOS On-Demand logic will be disconnected when
device sleeps. After the device wakes up, On-Demand logic will reconnect the VPN session when it is
AnyConnect collects device information when the UI is launched and a VPN connection is initiated.
there are circumstances in which AnyConnect can misreport mobile posture information if the user relies on
Connect On-Demand feature to make a connection initially, or after device information, such as the OS
If you are running AnyConnect 4.0.05032 or later, in conjunction with Apple iOS 9.3 or later, the
limitation does not apply to your device: To ensure proper establishment of Connect On-Demand VPN tunnels
updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not
upon the next iOS system attempt to establish a VPN tunnel, the error message saying, “The VPN Connection
an application to start up” will display.
Common Apple iOS Problems
1. I cannot edit or delete some connection profiles.
Solution: Your system administrator set a policy that affects host entries imported into your AnyConnect
profile. To delete these profiles, tap Diagnostics > Profile > Clear Profile
2. Errors while trying to save or edit configuration.
Solution: A known issue with the operating system is the cause. Apple is working to resolve it. As a workaround,
try restarting the application.
3. Connection time-outs and unresolved hosts.
Solution: Internet connectivity issues, a low cell signal level, and network congestion often cause time-outs and
unresolved host errors. If a LAN is within reach, try using your device Settings application to establish a
connection with the LAN first. Retrying multiple times in response to time-outs often results in success.
4. VPN connection is not re-established when the device wakes from sleep.
Solution: Enable Network Roaming in the VPN connection entry. If enabling network roaming does not resolve the
issue, check your EDGE (2G), 1xRTT (2G), 3G, or Wi-Fi connection.
Note: This issue may be expected behavior depending on how your organization has configured the VPN.
5. Certificate-based authentication does not work.
Solution: Check the validity and expiration of the certificate if you succeeded with it before. Check with your
system administrator to make sure you are using the appropriate certificate for the connection.
6. The Apple iOS Connect On Demand feature is not working or connecting unexpectedly.
Solution: Ensure the connection does not have a conflicting rule in the Never Connect list. If a Connect If
rule exists for the connection, try replacing it with an Always Connect rule.
7. AnyConnect failed to establish a connection but no error message was displayed.
Solution: Messages display only when the AnyConnect application is open.
8. A profile called Cisco AnyConnect exists that cannot be deleted.
Solution: Try restarting the application.
9. When I remove the AnyConnect application, VPN configurations still appear in the Apple iOS VPN
Solution: To delete these profiles, reinstall AnyConnect and then tap Diagnostics>
>Clear Profile Data.