IPv6 on public and private interfaces.
IPv6 is supported on both private and public transports using AnyConnect 4.05015 and later, on Android 5 and later. With this combination the following is now allowed: IPv4 over an IPv6 tunnel, IPv6 over an IPv6 tunnel.
This is in addition to the previously allowed tunnel configurations on earlier AnyConnect and Android releases: IPv4 over an IPv4 tunnel, and IPv6 over an IPv4 tunnel.
Due to Google issue 65572, IPv6 over IPv4 does not work on Android 4.4. You must use Android 5 or later.
Battery saver and AnyConnect:
Android 5.0 introduced battery saver capabilities that block
background network connectivity on your device. When battery saver is enabled,
AnyConnect will transition to the Paused state if it is in the background. To
work around this on Android 5.0, users may turn off battery saver via the
device settings: Settings -> Battery -> Battery saver or from the
In Android 6.0+, when AnyConnect transitions to the Paused
state as a result of battery saver, a popup with the option to whitelist
AnyConnect from battery saver mode will be provided. Whitelisting AnyConnect
will allow the continued use of battery saver without impacting AnyConnect’s
ability to run in the background.
Once AnyConnect is paused due to the battery saver, a manual
reconnect is necessary to bring AnyConnect out of the Paused state, regardless
of your action to turn off battery saver or whitelist AnyConnect.
Split DNS does
not work on any Android 4.4 device, and also does not work on Samsung 5.x
Android devices. For Samsung devices, the only workaround is to connect to a
group with split DNS disabled. On other devices you must upgrade to Android 5.x
to receive the fix for this problem.
This is due to a
known issue that is present in Android 4.4 (Issue #64819), fixed
in Android 5.x, but not incorporated into Samsung 5.x Android devices.
Due to a bug in
Android 5.x (Google Issue #85758,
Cisco Issue # CSCus38925), if the AnyConnect app is closed from the recent apps
screen it may not operate properly. To restore proper operation, terminate
Settings and then restart it.
mobile devices the
Settings > Wi-Fi > Smart network switch allows
switching from Wi-Fi to LTE to maintain a stable Internet connection (when the
Wi-Fi connection is not optimum). This also results in a pause and reconnect of
the active VPN tunnel. Cisco recommends turning this off, since it may result
in continuous reconnects.
On Android 5.0
(Lollipop), which supports multiple active users, the VPN connection tunnels
data for a single user only, not for all users on the device. Background data
flow may be occurring in the clear.
Due to a bug in
Android 4.3.1 (Google Issue #62073),
users using the AnyConnect ICS+ package cannot enter non-fully qualified domain
names. For example, users cannot type "internalhost", they must type
firmware updates on HTC One to Android 4.3 (software version: 3.17.502.3) do
not support "HTC AnyConnect." Customers must uninstall "HTC AnyConnect", and
install "AnyConnect ICS+." (HTC AnyConnect will work on the international
edition, with software version of 3.22.1540.1). Check your software version on
your device at
Settings > About > Software information > Software
We are pleased
to report that
Google Issue #70916,
VPN connections will fail to connect if the administrator has set the MTU for
Android tunnels lower than 1280, has been resolved in Android 5.0 (Lollipop).
The following problem information is provided for reference:
Due to a
regression in Android 4.4.3 (
Google Issue #70916,
Cisco CSCup24172), VPN connections will fail to connect if the administrator
has set the MTU for Android tunnels lower than 1280. This issue has been
reported to Google and will require a new version of the OS to correct the
regression introduced in Android 4.4.3. To work around this problem, ensure that
the head-end administrator has not configured the tunnel MTU to be lower than
encountered, the message displayed to the end user is:
configuration settings could not be applied. A VPN connection will not be
established, and AnyConnect debug logs will report:
E/vpnandroid( 2419): IPCInteractionThread: NCSS: General Exception occured, telling client
E/vpnandroid( 2419): java.lang.IllegalStateException: command '181 interface fwmark rule add tun0'
failed with '400 181 Failed to add fwmark rule (No such process)'
E/vpnandroid( 2419): at android.os.Parcel.readException(Parcel.java:1473)
E/vpnandroid( 2419): at android.os.Parcel.readException(Parcel.java:1419)
E/vpnandroid( 2419): at
E/vpnandroid( 2419): at com.cisco.android.nchs.support.VpnBuilderWrapper.establish
E/vpnandroid( 2419): at com.cisco.android.nchs.support.NCSSIPCServer.callServiceMethod
E/vpnandroid( 2419): at
E/vpnandroid( 2419): at com.cisco.android.nchs.ipc.IPCInteractionThread.run
E/acvpnagent( 2450): Function: ApplyVpnConfiguration
File: NcssHelper.cpp Line: 740 failed to establish VPN
E/acvpnagent( 2450): Function: PluginResult AndroidSNAKSystem::configDeviceForICS()
File: AndroidSNAKSystem.cpp Line: 665 failed to apply vpn configuration
E/acvpnagent( 2450): Function: virtual PluginResult AndroidSNAKSystem::ApplyConfiguration()
File: AndroidSNAKSystem.cpp Line: 543 Failed to Configure System for VPN.
We are pleased to report
that Android 4.4 (KitKat) bug Google Issue #61948 (AnyConnect users will
experience High Packet Loss over their VPN connection /users will experience
timeouts) has been resolved in Google's release of Android 4.4.1 which Google
has begun distributing to some devices via Software Update. The following
problem information is provided for reference:
Due to a bug in
Android 4.4 (Issue #61948, also see
Cisco Support Update),
AnyConnect users will experience High Packet Loss over their VPN connection.
This has been seen on the Google Nexus 5 running Android 4.4 with AnyConnect
ICS+. Users will experience timeouts when attempting to access certain network
resources. Also, in the ASA logs, a syslog message will appear with text
similar to "Transmitting large packet 1420 (threshold 1405)."
produces a fix for Android 4.4, VPN administrators may temporarily reduce the
maximum segment size for TCP connections on the ASA by configuring the
following: sysopt connection tcpmss <mss size>. The default for this
parameter is 1380 bytes. Reduce this value by the difference between the values
seen in the ASA logs. In the above example, the difference is 15 bytes; the
value should thus be no more than 1365. Reducing this value will negatively
impact performance for connected VPN users where large packets are transmitted.
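The MSS adjustment described above can be derived from the ASA logs. The following is an added example, not Cisco code: it scans log lines for the "Transmitting large packet" text quoted above, takes the largest overshoot, and subtracts it from the current MSS. The sample log lines, group and user names are constructed, and the function names are hypothetical.

```python
import re

# Message text as quoted on this page:
#   "Transmitting large packet 1420 (threshold 1405)."
LARGE_PKT = re.compile(r"Transmitting large packet (\d+) \(threshold (\d+)\)")
DEFAULT_TCPMSS = 1380  # default for "sysopt connection tcpmss" per this page


def recommend_tcpmss(log_lines, current_mss=DEFAULT_TCPMSS):
    """Return (worst_overshoot, recommended_mss) for the given ASA log lines.

    The overshoot is packet length minus threshold; the recommendation is the
    current MSS reduced by the largest overshoot seen. With no matching lines
    the current value is returned unchanged.
    """
    worst = 0
    for line in log_lines:
        match = LARGE_PKT.search(line)
        if match is None:
            continue
        length, threshold = int(match.group(1)), int(match.group(2))
        worst = max(worst, length - threshold)
    return worst, current_mss - worst


def asa_command(mss):
    """Format the ASA configuration line named on this page."""
    return f"sysopt connection tcpmss {mss}"


# Constructed sample input (group, user and addresses are made up).
SAMPLE_LOG = [
    "Group <VPN-Users> User <alice> IP <203.0.113.7> "
    "Transmitting large packet 1420 (threshold 1405).",
    "Group <VPN-Users> User <bob> IP <203.0.113.9> "
    "Transmitting large packet 1412 (threshold 1405).",
    "Group <VPN-Users> User <alice> IP <203.0.113.7> Session established.",
]

if __name__ == "__main__":
    overshoot, mss = recommend_tcpmss(SAMPLE_LOG)
    print(f"worst overshoot: {overshoot} bytes")
    print(asa_command(mss))
```

Taking the largest overshoot rather than the first one seen keeps the result at or below the "no more than" bound for every logged packet.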
Android may have connectivity issues when connecting to a mobile network using
the IPv6 transition mechanism known as 464xlat. Known affected devices include
the Samsung Galaxy Note III LTE connecting to the T-Mobile US network. This
device defaults to an IPv6 only mobile network connection. Attempting a
connection may result in a loss of mobile connectivity until the device is
To prevent this
problem, use the AnyConnect ICS+ app, and change your device settings to obtain
IPv4 network connectivity or connect using a Wi-Fi network. For the Samsung
Galaxy Note III LTE connecting to the T-Mobile US network, follow the
instructions provided by
T-Mobile to set the Access Point Name (APN) on your device, making sure
APN Protocol is set to IPv4.
The AnyConnect ICS+ package
may have issues when a private IP address range within the VPN overlaps with
the range of the outside interface of the client device. When this route
overlap occurs, the user may be able to successfully connect to the VPN but
then be unable to actually access anything. This issue has been seen on
cellular networks which use NAT (Network Address Translation) and assign
addresses within the 10.0.0.0 - 10.255.255.255 range, and is due to AnyConnect
having limited control of routes in the Android VPN framework. The vendor
specific Android packages have full routing control and may work better in such
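A quick way to confirm the route overlap described in this item when a user can connect but reach nothing. This is an added example, not part of AnyConnect: it compares the client's outside interface network against the routes sent through the tunnel. The addresses, the route list and the function name are constructed for illustration.

```python
import ipaddress


def overlapping_routes(outside_if, vpn_routes):
    """List tunnelled routes that overlap the client's outside network.

    outside_if : "address/prefix" of the device's outside (cellular or Wi-Fi)
                 interface, e.g. "10.64.12.7/19".
    vpn_routes : CIDR strings routed into the VPN tunnel.

    Returns (route, covers_outside) tuples. covers_outside is True when the
    tunnelled route contains the whole outside network, False when the two
    ranges only partly overlap.
    """
    outside = ipaddress.ip_interface(outside_if).network
    hits = []
    for route in vpn_routes:
        net = ipaddress.ip_network(route, strict=False)
        if net.version != outside.version:
            continue  # an IPv4 route cannot overlap an IPv6 interface
        if net.overlaps(outside):
            hits.append((str(net), outside.subnet_of(net)))
    return hits


# Constructed sample: a carrier that NATs clients inside 10.0.0.0/8,
# and a VPN that tunnels the usual private ranges.
CELLULAR_IF = "10.64.12.7/19"
WIFI_IF = "192.0.2.25/24"
VPN_ROUTES = ["10.0.0.0/8", "10.64.16.0/20", "172.16.0.0/12", "192.168.10.0/24"]

if __name__ == "__main__":
    for label, iface in (("cellular", CELLULAR_IF), ("wifi", WIFI_IF)):
        hits = overlapping_routes(iface, VPN_ROUTES)
        print(label, iface, "->", hits or "no overlap")
```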
An Asus tablet running
Android 4.0 (ICS) may be missing the tun driver. This causes AVF AnyConnect to
Android security rules prevent the device from sending and receiving multimedia messaging service (MMS) messages while a VPN connection is up. Most devices and service providers display a notification if you try to send an MMS message while the VPN connection is up. Android permits sending and receiving of messages when the VPN is not connected.
Due to Google Issue 41037, when pasting text from the clipboard, a space is inserted in front of the text. In AnyConnect, when copying text such as a one time password, the user has to delete this erroneous white space.