AnyConnect for Google Chrome OS Release Notes

AnyConnect for Google Chrome OS

The AnyConnect Secure Mobility Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series. It provides seamless and secure remote access to enterprise networks allowing installed applications to communicate as though connected directly to the enterprise network. AnyConnect supports connections to IPv4 resources over an IPv4 or IPv6 tunnel.

This document, written for system administrators of the AnyConnect Secure Mobility Client and the Adaptive Security Appliance (ASA) 5500, supplements the Cisco AnyConnect Mobile Platforms Administrator Guide, Release 4.0, and provides release-specific information for AnyConnect running on Google Chrome devices.

The AnyConnect app is available on the Chrome web store only. Cisco does not distribute AnyConnect mobile apps. Nor can you deploy the mobile app from the ASA. You can deploy other releases of AnyConnect for desktop devices from the ASA while supporting this mobile release.

AnyConnect Mobile Support Policy

Cisco supports the AnyConnect version that is currently available in the app store; however, fixes and enhancements are provided only in the most recently released version.

AnyConnect Licensing

An AnyConnect 4.x Plus or Apex license is required to connect to the ASA headend. Trial licenses are available; see the Cisco AnyConnect Ordering Guide.

For the latest end-user license agreement, see Cisco End User License Agreement, AnyConnect Secure Mobility Client, Release 4.x.

For our open source licensing acknowledgments, see Open Source Software Used In Cisco AnyConnect Secure Mobility Client Release 4.x for Mobile.

Google Chrome OS Supported Devices

Cisco AnyConnect on Google Chromebook requires Chrome OS 43 or later. Stability and feature enhancements are available in Chrome OS 45 (currently available on the Google Chrome Dev channel).

AnyConnect on Google Chromebook cannot be used from a standalone Chrome browser on another platform.

Many new Chromebooks are capable of supporting Android applications. While the Cisco AnyConnect on Android application can run on a Chromebook with this support, the OS only tunnels Android applications when using Android AnyConnect. At this time, we recommend only using the Chrome version of AnyConnect on Chromebooks. It is our expectation that this will change in the future when the Android application becomes the primary version for these Chromebooks, but this is not the case today.

See Google Chrome OS User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.0.x for installation and upgrade procedures.

New Features in AnyConnect 4.0.10156 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10156 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10152 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10152 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10151 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices includes support for Security Assertion Markup Language (SAML) 2.0 Single Sign-on (SSO).

Use of SAML requires ASA version 9.7.1 or later, the earliest release in which SAML is fully supported on the ASA for the AnyConnect Client. An AnyConnect Apex license is required for the SAML feature.

When SAML authentication is used, it applies to the AnyConnect session only. It does not apply to web sites, browser-initiated SAML logins, or installed applications.

For additional configuration details, refer to the SSO Using SAML 2.0 information in the Cisco ASA 5500-X Series Next-Generation Firewalls Configuration Guides for the appropriate release (9.7 or later) and type (GUI or CLI).

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Cisco recommends upgrading to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10142 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10142 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10141 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10141 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10139 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices addresses the September OpenSSL vulnerabilities. It is also a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10139 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10138 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10138 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10125 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10125 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10124 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10124 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10115 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices addresses the most recent OpenSSL vulnerabilities.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Cisco recommends upgrading to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10113 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing VPN auto reconnect. This fix is listed in Resolved Issues in AnyConnect 4.0.10113 for Google Chrome OS. Cisco recommends upgrading to this release.

With this release, AnyConnect on Chrome OS 51 or later can automatically reconnect the VPN session when the network interface goes down and comes back up. Prior to Chrome 51 and this AnyConnect release, if you lost Wi-Fi or put your device to sleep, AnyConnect could not reconnect on its own.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10109 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10109 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10104 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10104 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10103 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10103 for Google Chrome OS. Cisco recommends upgrading to this release.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

New Features in AnyConnect 4.0.10099 for Google Chrome OS

This release of Cisco AnyConnect Secure Mobility Client on Chrome devices includes the following functionality:

  • VPN connections using TLS/DTLS and IPsec IKEv2. IPsec IKEv2 connections support EAP-AnyConnect method only at this time.

  • Authentication via username/password, certificates, and challenge response authentication.

See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.

Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.

Chrome AnyConnect Feature Matrix

The following table indicates the remote access features that are supported by Cisco AnyConnect on Chrome:

Features are listed by category; each line gives the feature followed by its Chrome support status.

Deployment and Configuration:

Install or upgrade from Application Store Yes
Cisco VPN Profile support (manual import) Yes
Cisco VPN Profile support (import on connect) Yes
MDM configured connection entries Yes
User-configured connection entries Yes

Tunneling:

TLS Yes
Datagram TLS (DTLS) Yes
IPsec IKEv2 NAT-T Yes
IKEv2 - raw ESP No
Suite B (IPsec only) No
TLS compression No
Dead peer detection Yes
Tunnel keepalive Yes
Multiple active network interfaces No
Per App Tunneling (requires Plus or Apex license and ASA 9.4.2 or later) No
Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store) Yes
Split tunnel (split include) Yes
Local LAN (split exclude) Yes
Split-DNS No
Auto Reconnect / Network Roaming Yes, requires Chrome OS 51 or later and Cisco AnyConnect 4.0.0113 or later.
VPN on-demand (triggered by destination) No
VPN on-demand (triggered by application) No
Rekey Yes
IPv4 public transport Yes
IPv6 public transport No
IPv4 over IPv4 tunnel Yes
IPv6 over IPv4 tunnel No
Default domain Yes
DNS server configuration Yes
Private-side proxy support Yes, using ASA configured proxy PAC URL
Proxy Exceptions No
Public-side proxy support No
Pre-login banner Yes
Post-login banner Yes
DSCP Preservation No

Connecting and Disconnecting:

VPN load balancing Yes
Backup server list Yes
Optimal Gateway Selection No

Authentication:

SAML 2.0 Yes
Client Certificate Authentication Yes
Online Certificate Status Protocol (OCSP) No
Manual user certificate management Yes, using Chrome device capabilities
Manual server certificate management Yes
SCEP legacy enrollment (please confirm for your platform) No
SCEP proxy enrollment (please confirm for your platform) No
Automatic certificate selection No
Manual certificate selection Yes
Smart card support No
Username and password Yes
Tokens/challenge Yes
Double authentication Yes
Group URL (specified in server address) Yes
Group selection (drop-down selection) Yes
Credential prefill from user certificate Yes
Save password No

User interface:

Standalone GUI Yes, limited functions.
Native OS GUI Yes, limited functions.
API / URI Handler (see below) No
UI customization No
UI localization No
User preferences Yes
Home screen widgets for one-click VPN access No
AnyConnect specific status icon No

Mobile Posture (AnyConnect Identity Extensions, ACIDex):

Serial number or unique ID check No
OS and AnyConnect version shared with headend Yes

URI Handling:

Add connection entry No
Connect to a VPN No
Credential pre-fill on connect No
Disconnect VPN No
Import certificate No
Import localization data No
Import XML client profile No
External (user) control of URI commands No

Reporting and Troubleshooting:

Statistics Yes
Logging / Diagnostic Information (DART) Yes

Certifications:

FIPS 140-2 Level 1 No

Adaptive Security Appliance Requirements

A minimum release of the ASA is required for the following features:

Note: Refer to the feature matrix for your platform to verify the availability of these features in the current AnyConnect mobile release.

  • You must upgrade to ASA 9.3.2 or later to use TLS 1.2.

  • You must upgrade to ASA 9.0 to use the following mobile features:

    • IPsec IKEv2 VPN

    • Suite B cryptography

    • SCEP Proxy

    • Mobile Posture

  • ASA Release 8.0(3) and Adaptive Security Device Manager (ASDM) 6.1(3) are the minimum releases that support AnyConnect for mobile devices.

Guidelines and Limitations for AnyConnect on Chrome OS

  • When the Chromebook device is managed (enrolled in an Enterprise Chrome Management service), AnyConnect cannot access client certificates, so client certificate authentication does not work.

  • There is limited VPN performance on low-end Chromebooks (chromium issue #514341).

  • Auto reconnect (reconnecting the VPN session when the network interface goes down and comes back up) is supported when using AnyConnect release 4.0.10113 or later with Chrome OS 51 or later. Prior to Chrome 51 and this AnyConnect release, if you lost Wi-Fi or put your device to sleep, AnyConnect could not reconnect on its own.

  • Unless you are using Chrome OS 45 or later, all server certificates, even fully trusted and valid ones, received from the secure gateway are seen as untrusted.

  • After installing or upgrading AnyConnect on Chrome OS, wait until initializing is complete to configure AnyConnect. "Initializing, please wait..." is displayed in the AnyConnect app. This process may take a few minutes.

Open and Resolved AnyConnect Issues

The Cisco Bug Search Tool, https://tools.cisco.com/bugsearch/, has detailed information about the following open and resolved issues in this release. A Cisco account is required to access the Bug Search Tool. If you do not have one, register at https://tools.cisco.com/RPF/register/register.do.

Open Issues in AnyConnect for Google Chrome OS

Identifier Headline
CSCuv51315 ChromeOS: framework VPN profiles deleted after app is disabled
CSCux24767 ChromeOS: Failed to establish connection if no DNS server configured.
CSCux24771 ChromeOS: Connection fails due to invalid configuration format.

Resolved Issues in AnyConnect 4.0.10159 for Google Chrome OS

Identifier Headline
CSCvg65089 Multiple Vulnerabilities in openSSL
CSCvi82730 [chrome] Better integration with ChromeOS Enterprise Certificate Store

Other Issues and Workarounds

Google Issue ID: 839573
Issue Description: ChromeOS crashes if user attempts to select a client certificate (for use with AnyConnect) that was imported into the Chrome OS certificate manager using the "Import" option. (Reported on ChromeOS 65.0.3325)
Workaround: Re-import those certificates using the "Import and Bind" option.

Google Issue ID: 825641
Issue Description: "Prefer this network" Wi-Fi setting breaks VPN connectivity. (Reported on ChromeOS 65.0.3325)
Workaround: Disable the "Prefer this network" option.

Resolved Issues in AnyConnect 4.0.10156 for Google Chrome OS

Identifier Headline
CSCvg38654 Chrome OS - Extra fields in app manifest prevents public session whitelist

Resolved Issues in AnyConnect 4.0.10152 for Google Chrome OS

Identifier Headline
CSCve31888 ChromeOS - Race condition with managed profile import and initial connection

Resolved Issues in AnyConnect 4.0.10142 for Google Chrome OS

Identifier Headline
CSCvc74417 ChromeOS: Acer R13 device-type not detected, blank value causes DAP failure with 9.1.7.x (ASA Bug)

Resolved Issues in AnyConnect 4.0.10141 for Google Chrome OS

Identifier Headline
CSCvc28371 Chrome OS - 10139 fails to connect to ASA with DAP rule set up
CSCvc30202 Chrome OS - Re-auth option incorrectly offered to user after head-end DAP reject (which fails)
CSCvc30400 Chrome OS - 10140 User can only auth once / open AC UI to show notifications if not already open

Resolved Issues in AnyConnect 4.0.10139 for Google Chrome OS

Identifier Headline
CSCvb48664 Evaluation of anyconnect for Openssl September 2016
CSCvc18113 Chrome OS - 10138 fails with 0.0.0.0/32 Local LAN access auto detect in exclude ACL

Resolved Issues in AnyConnect 4.0.10138 for Google Chrome OS

Identifier Headline
CSCvb57966 Chrome OS - Profile download/connect failing in VPN Load Balancing environment 4.0(1025)

Resolved Issues in AnyConnect 4.0.10125 for Google Chrome OS

Identifier Headline
CSCvb32695 Chrome OS - Incompatible with DNS LB configurations

Resolved Issues in AnyConnect 4.0.10124 for Google Chrome OS

Identifier Headline
CSCuz96675 Chrome OS - Intermittent connection failures
CSCva98552 ChromeOS: Incorrect system VPN status after admin disconnect/timeout/max

Resolved Issues in AnyConnect 4.0.10113 for Google Chrome OS

Identifier Headline
CSCuv51328 ChromeOS: Reconnect does not work

Resolved Issues in AnyConnect 4.0.10109 for Google Chrome OS

Identifier Headline
CSCuy54600 Evaluation of anyconnect for OpenSSL March 2016
CSCuy74427 ChromeOS: Deflate compression does not work.
CSCuy79556 ChromeOS: AnyConnect stuck in reconnect after PMTU correction.
CSCuy79562 ChromeOS: Support Private Proxy PAC URL Config

Resolved Issues in AnyConnect 4.0.10104 for Google Chrome OS

Identifier Headline
CSCuy32041 ChromeOS: Connect fails if AllowLocalProxy preference is disabled
CSCuy32064 ChromeOS: Startup Race Condition

Resolved Issues in AnyConnect 4.0.10103 for Google Chrome OS

Identifier Headline
CSCux41420 Evaluation of anyconnect for OpenSSL December 2015 vulnerabilities
CSCux59994 ChromeOS: Server could not parse error with ASA 9.3.3