AnyConnect for Google Chrome OS Release Notes
AnyConnect for Google Chrome OS
The AnyConnect Secure Mobility Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series. It provides seamless and secure remote access to enterprise networks allowing installed applications to communicate as though connected directly to the enterprise network. AnyConnect supports connections to IPv4 resources over an IPv4 or IPv6 tunnel.
This document, written for system administrators of the AnyConnect Secure Mobility Client and the Adaptive Security Appliance (ASA) 5500, provides release specific information for AnyConnect running on Google Chrome devices.
The AnyConnect app is available on the Chrome web store only. Cisco does not distribute AnyConnect mobile apps. Nor can you deploy the mobile app from the ASA. You can deploy other releases of AnyConnect for desktop devices from the ASA while supporting this mobile release.
AnyConnect Mobile Support Policy
Cisco supports the AnyConnect version that is currently available in the app store; however, fixes and enhancements are provided only in the most recently released version.
AnyConnect Licensing
To connect to the ASA headend, an AnyConnect 4.x Plus or Apex license is required. Trial licenses are available: Cisco AnyConnect Ordering Guide.
For the latest end-user license agreement, see Cisco End User License Agreement, AnyConnect Secure Mobility Client, Release 4.x.
For our open source licensing acknowledgments, see Open Source Software Used In Cisco AnyConnect Secure Mobility Client Release 4.x for Mobile
Google Chrome OS Supported Devices
Cisco AnyConnect on Google Chromebook requires Chrome OS 43 or later. Stability and feature enhancements are available in Chrome OS 45.
AnyConnect on Google Chromebook cannot be used from a standalone Chrome browser on another platform.
For all current Chromebooks, AnyConnect for Android is officially supported and strongly recommended for the optimal AnyConnect experience on ChromeOS. The native ChromeOS client is intended only for legacy Chromebooks incapable of running Android applications.
New Features in AnyConnect 4.0.10156 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these . Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10152 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these . Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10151 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices includes support for Security Assertion Markup Language (SAML) 2.0 Single Sign-on (SSO).
Use of SAML requires ASA version 9.7.1 or later, this is the earliest release SAML is fully supported on the ASA for the AnyConnect Client. An AnyConnect Apex license is required for the SAML feature.
When SAML authentication is used, it applies to the AnyConnect session only. It does not apply to web sites, browser-initiated SAML logins, or installed applications.
Refer to the SSO Using SAML 2.0 information in the appropriate release, 9.7 or later, and type, GUI or CLI, of the Cisco ASA 5500-X Series Next-Generation Firewalls, Configuration Guides for additional configuration details.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Cisco recommends upgrading to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10142 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10142 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10141 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10141 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10139 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices addresses the September OpenSSL vulnerabilities. It is also a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10139 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10138 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10138 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10125 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10125 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10125 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10125 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10124 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10124 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10115 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices addresses the most recent OpenSSL vulnerabilities.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Cisco recommends upgrading to this release. Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10113 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing VPN auto reconnect. This fix is listed in Resolved Issues in AnyConnect 4.0.10113 for Google Chrome OS. Cisco recommends upgrading to this release.
With this release, AnyConnect on Chrome OS 51 or later, can auto reconnect the VPN session when the network interface goes down and up. Prior to Chrome 51 and this AC release, if you lost Wi-Fi or put your device to sleep, AC would not be able to reconnect on its own.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10109 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10109 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10104 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10104 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10103 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices is a maintenance release addressing these Resolved Issues in AnyConnect 4.0.10103 for Google Chrome OS. Cisco recommends upgrading to this release.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
New Features in AnyConnect 4.0.10099 for Google Chrome OS
This release of Cisco AnyConnect Secure Mobility Client on Chrome devices includes the following functionality:
-
VPN connections using TLS/DTLS and IPsec IKEv2. IPsec IKEv2 connections support EAP-AnyConnect method only at this time.
-
Authentication via username/password, certificates, and challenge response authentication.
See the Chrome AnyConnect Feature Matrix for a detailed list of AnyConnect Chrome features.
Please review the the information on the app page and the Guidelines and Limitations for AnyConnect on Chrome OS to be aware of current operational considerations.
Chrome AnyConnect Feature Matrix
The following table indicates the remote access features that are supported by Cisco AnyConnect on Chrome:
Category: Feature | Chrome |
---|---|
Deployment and Configuration: |
|
Install or upgrade from Application Store | Yes |
Cisco VPN Profile support (manual import) | Yes |
Cisco VPN Profile support (import on connect) | Yes |
MDM configured connection entries | Yes |
User-configured connection entries | Yes |
Tunneling: |
|
TLS | Yes |
Datagram TLS (DTLS) | Yes |
IPsec IKEv2 NAT-T | Yes |
IKEv2 - raw ESP | No |
Suite B (IPsec only) | No |
TLS compression | No |
Dead peer detection | Yes |
Tunnel keepalive | Yes |
Multiple active network interfaces | No |
Per App Tunneling (requires Plus or Apex license and ASA 9.4.2 or later) | No |
Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store) | Yes |
Split tunnel (split include) | Yes |
Local LAN (split exclude) | Yes |
Split-DNS | No |
Auto Reconnect / Network Roaming | Yes, requires Chrome OS 51 or later and Cisco AnyConnect 4.0.0113 or later. |
VPN on-demand (triggered by destination) | No |
VPN on-demand (triggered by application) | No |
Rekey | Yes |
IPv4 public transport | Yes |
IPv6 public transport | No |
IPv4 over IPv4 tunnel | Yes |
IPv6 over IPv4 tunnel | No |
Default domain | Yes |
DNS server configuration | Yes |
Private-side proxy support | Yes, using ASA configured proxy PAC URL |
Proxy Exceptions | No |
Public-side proxy support | No |
Pre-login banner | Yes |
Post-login banner | Yes |
DSCP Preservation | No |
Connecting and Disconnecting: |
|
VPN load balancing | Yes |
Backup server list | Yes |
Optimal Gateway Selection | No |
Authentication: |
|
SAML 2.0 | Yes |
Client Certificate Authentication | Yes |
Online Certificate Status Protocol (OCSP) | No |
Manual user certificate management | Yes, using Chrome device capabilities |
Manual server certificate management | Yes |
SCEP legacy enrollment Please confirm for your platform. | No |
SCEP proxy enrollment Please confirm for your platform. | No |
Automatic certificate selection | No |
Manual certificate selection | Yes |
Smart card support | No |
Username and password | Yes |
Tokens/challenge | Yes |
Double authentication | Yes |
Group URL (specified in server address) | Yes |
Group selection (drop-down selection) | Yes |
Credential prefill from user certificate | Yes |
Save password | No |
User interface: |
|
Standalone GUI | Yes, limited functions. |
Native OS GUI | Yes, limited functions. |
API / URI Handler (see below) | No |
UI customization | No |
UI localization | No |
User preferences | Yes |
Home screen widgets for one-click VPN access | No |
AnyConnect specific status icon | No |
Mobile Posture: (AnyConnect Identity Extensions, ACIDex) |
|
Serial number or unique ID check | No |
OS and AnyConnect version shared with headend | Yes |
URI Handling: |
|
Add connection entry | No |
Connect to a VPN | No |
Credential pre-fill on connect | No |
Disconnect VPN | No |
Import certificate | No |
Import localization data | No |
Import XML client profile | No |
External (user) control of URI commands | No |
Reporting and Troubleshooting: |
|
Statistics | Yes |
Logging / Diagnostic Information (DART) | Yes |
Certifications: |
|
FIPS 140-2 Level 1 | No |
Adaptive Security Appliance Requirements
A minimum release of the ASA is required for the following features:
Note |
Refer to the feature matrix for your platform to verify the availability of these features in the current AnyConnect mobile release. |
-
You must upgrade to ASA 9.7.1.24, 9.8.2.28, 9.9.2.1 or later to use the SAML authentication feature. Make sure that both the client and server versions are up-to-date.
-
You must upgrade to ASA 9.3.2 or later to use TLS 1.2.
-
You must upgrade to ASA 9.0 to use the following mobile features:
-
IPsec IKEv2 VPN
-
Suite B cryptography
-
SCEP Proxy
-
Mobile Posture
-
-
ASA Release 8.0(3) and Adaptive Security Device Manager (ASDM) 6.1(3) are the minimum releases that support AnyConnect for mobile devices.
Guidelines and Limitations for AnyConnect on Chrome OS
-
We are not planning any future Chrome OS releases. Because all current ChromeBooks support Android Apps, we advise you to use the AnyConnect Android App instead.
-
When the Chromebook device is managed (enrolled in an Enterprise Chrome Management service), then AnyConnect cannot access client certificates: client certificate authentication does not work.
-
There is limited VPN performance on low-end Chromebooks (chromium issue #514341).
-
Auto reconnect, reconnecting the VPN session when the network interface goes down and up, is supported when using AnyConnect release 4.0.10113 or later with Chrome OS 51 or later. Prior to Chrome 51 and this AC release, if you lost Wi-Fi, or put your device to sleep, AnyConnect would not be able to reconnect on its own.
-
Unless you are using Chrome OS 45 or later, all server certificates, even fully trusted and valid ones, received from the secure gateway are seen as untrusted.
-
After installing or upgrading AnyConnect on Chrome OS, wait until initializing is complete to configure AnyConnect. "Initializing, please wait..." is displayed in the AnyConnect app. This process may take a few minutes.
Open and Resolved AnyConnect Issues
The Cisco Bug Search Tool, https://tools.cisco.com/bugsearch/, has detailed information about the following open and resolved issues in this release. A Cisco account is required to access the Bug Search Tool. If you do not have one, register at https://tools.cisco.com/RPF/register/register.do.
Note that some cross platform bugs defined in the desktop release notes (https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/release/notes/release-notes-anyconnect-4-10.html) may apply to the mobile releases. Once a bug has been reported as fixed, it becomes available on all operating system platforms (including mobile operating systems) with a higher AnyConnect release number. Those bugs with vpn, core, nvm, and similar components that apply across platform will not be duplicated in the subsequent mobile releases. For example, a vpn component bug resolved in desktop release 4.9.00086 will not be listed again in iOS release 4.9.00512 because the iOS version is greater than the release version where the bug was reported as fixed.
Open Issues in AnyConnect for Google Chrome OS
Identifier | Headline |
---|---|
CSCuv51315 | ChromeOS: framework VPN profiles deleted after app is disabled |
CSCux24767 | ChromeOS: Failed to establish connection if no DNS server configured. |
CSCux24771 | ChromeOS: Connection fails due to invalid configuration format. |
Resolved Issues in AnyConnect 4.0.10159 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvg65089 |
Multiple Vulnerabilities in openSSL |
CSCvi82730 |
[chrome] Better integration with ChromeOS Enterprise Certificate Store |
Other Issues and Workarounds
Google Issue ID |
Issue Description |
Workaround |
---|---|---|
839573 |
ChromeOS crashes if user attempts to select a client certificate (for use with AnyConnect) that was imported into the Chrome OS certificate manager using the "Import" option. (Reported on ChromeOS 65.0.3325) |
Re-import those certificates using the "Import and Bind" option. |
825641 |
"Prefer this network" Wi-fi setting breaks VPN connectivity. (Reported on ChromeOS 65.0.3325) |
Disable the "Prefer this network" option. |
Resolved Issues in AnyConnect 4.0.10156 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvg38654 |
Chrome OS - Extra fields in app manifest prevents public session whitelist |
Resolved Issues in AnyConnect 4.0.10152 for Google Chrome OS
Identifier | Headline |
---|---|
CSCve31888 |
ChromeOS - Race condition with managed profile import and initial connection |
Resolved Issues in AnyConnect 4.0.10142 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvc74417 | ChromeOS: Acer R13 device-type not detected, blank value causes DAP failure with 9.1.7.x (ASA Bug) |
Resolved Issues in AnyConnect 4.0.10141 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvc28371 | Chrome OS - 10139 fails to connect to ASA with DAP rule set up |
CSCvc30202 | Chrome OS - Re-auth option incorrectly offered to user after head-end DAP reject (which fails) |
CSCvc30400 | Chrome OS - 10140 User can only auth once / open AC UI to show notifications if not already open |
Resolved Issues in AnyConnect 4.0.10139 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvb48664 | Evaluation of anyconnect for Openssl September 2016 |
CSCvc18113 | Chrome OS - 10138 fails with 0.0.0.0/32 Local LAN access auto detect in exclude ACL |
Resolved Issues in AnyConnect 4.0.10138 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvb57966 | Chrome OS - Profile download/connect failing in VPN Load Balancing environment 4.0(1025) |
Resolved Issues in AnyConnect 4.0.10125 for Google Chrome OS
Identifier | Headline |
---|---|
CSCvb32695 | Chrome OS - Incompatible with DNS LB configurations |
Resolved Issues in AnyConnect 4.0.10124 for Google Chrome OS
Identifier | Headline |
---|---|
CSCuz96675 | Chrome OS - Intermittent connection failures |
CSCva98552 | ChromeOS: Incorrect system VPN status after admin disconnect/timeout/max |
Resolved Issues in AnyConnect 4.0.10113 for Google Chrome OS
Identifier | Headline |
---|---|
CSCuv51328 | ChromeOS: Reconnect does not work |
Resolved Issues in AnyConnect 4.0.10109 for Google Chrome OS
Identifier | Headline |
---|---|
CSCuy54600 | Evaluation of anyconnect for OpenSSL March 2016 |
CSCuy74427 | ChromeOS: Deflate compression does not work. |
CSCuy79556 | ChromeOS: AnyConnect stuck in reconnect after PMTU correction. |
CSCuy79562 | ChromeOS: Support Private Proxy PAC URL Config |
Resolved Issues in AnyConnect 4.0.10104 for Google Chrome OS
Identifier | Headline |
---|---|
CSCuy32041 | ChromeOS: Connect fails if AllowLocalProxy preference is disabled |
CSCuy32064 | ChromeOS: Startup Race Condition |
Resolved Issues in AnyConnect 4.0.10103 for Google Chrome OS
Identifier | Headline |
---|---|
CSCux41420 | Evaluation of anyconnect for OpenSSL December 2015 vulnerabilities |
CSCux59994 | ChromeOS: Server could not parse error with ASA 9.3.3 |
AnyConnect Mobile Related Documentation
For more information refer to the following documentation: