Contents
- AnyConnect for Windows Phone Release Notes
- AnyConnect for Windows 10 Mobile and Windows Phone 8.1 Devices
- AnyConnect Mobile Related Documentation
- Windows Phone Supported Devices
- New Features in AnyConnect 4.1.03024 for Windows 10 Mobile Devices
- New Features in AnyConnect 4.1.03017 for Windows 10 Mobile Devices
- Windows 10 Mobile and Phone 8.1 AnyConnect Feature Matrix
- Adaptive Security Appliance Requirements
- Known Issues and Limitations
- Guidelines and Limitations for AnyConnect on Windows 10 and Windows Phone 8.1
- Known Compatibility Issues with AnyConnect on Windows 10 Mobile & Phone 8.1
- Open and Resolved AnyConnect Issues
- Open Issues in AnyConnect 4.1.03024 for Windows 10 Mobile
- Resolved Issues in AnyConnect 4.1.03024 for Windows Phone
First Published:
Last Updated:
Text Part Number:
AnyConnect for Windows Phone Release Notes
AnyConnect for Windows 10 Mobile and Windows Phone 8.1 Devices
The AnyConnect Secure Mobility Client provides remote users with secure VPN connections to the Cisco ASA 5500 Series. It provides seamless and secure remote access to enterprise networks allowing installed applications to communicate as though connected directly to the enterprise network. AnyConnect supports connections to IPv4 and IPv6 resources over an IPv4 or IPv6 tunnel.
This document, written for system administrators of the AnyConnect Secure Mobility Client and the Adaptive Security Appliance (ASA) 5500, supplements the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.1 and provides release specific information for AnyConnect running on Windows Phone devices.
The AnyConnect app is available on the Windows Store only. Cisco does not distribute AnyConnect mobile apps. Nor can you deploy the mobile app from the ASA. You can deploy other releases of AnyConnect for desktop devices from the ASA while supporting this mobile release.
AnyConnect Mobile Support Policy
Cisco supports the AnyConnect version that is currently available in the app store; however, fixes and enhancements are provided only in the most recently released version.
AnyConnect Licensing
To connect to the ASA headend an AnyConnect 4.x Plus or Apex license is required, trial licenses are available, see the Cisco AnyConnect Ordering Guide.
For the latest end-user license agreement, see Cisco End User License Agreement, AnyConnect Secure Mobility Client, Release 4.x.
For our open source licensing acknowledgments, see Open Source Software Used In Cisco AnyConnect Secure Mobility Client Release 4.0 for Mobile
Windows Phone Supported Devices
Windows 10 Mobile Support
AnyConnect on Windows Mobile or Windows Phone is supported on mobile devices that run Microsoft Windows 10 Mobile.
Windows 10 Mobile is not intended for non-mobile Windows 10 devices. Cisco has a fully featured version of AnyConnect available for non-mobile devices, which is not distributed in the Windows store.
Windows Phone 8.1 Support
Note
“Effective December 31 2017, Cisco will no longer provide AnyConnect for Windows Phone 8.1 for new downloads in the Windows App Store. Microsoft has previously announced End of Support for this operating system https://support.microsoft.com/en-us/help/4001737/products-reaching-end-of-support-for-2017.
Till December 31, 2017 AnyConnect is also supported on mobile devices that run Microsoft Windows Phone 8.1 Update which includes the following versions: 8.10.14141.167, 8.10.14147.180, 8.10.14157.200, 8.10.14176.243, 8.10.14192.280, 8.10.14203.206, 8.10.14219.341, or 8.10.14226.359. The OS on the phone must be one of the listed versions in order for AnyConnect to work properly.
Users can verify their OS version at Windows Phone 8.1 update history.
on their device. For more OS version information see Microsoft's
Note
Earlier versions of Windows Phone 8.1 will allow AnyConnect installation, but it will not operate or be available to configure under
.See Windows Phone User Guide for Cisco AnyConnect Secure Mobility Client, Release 4.1.x for installation and upgrade procedures.
New Features in AnyConnect 4.1.03024 for Windows 10 Mobile Devices
AnyConnect 4.1.03024 is a release candidate for Cisco AnyConnect Secure Mobility Client on Windows Phone mobile devices. It includes these Resolved Issues in AnyConnect 4.1.03024 for Windows Phone.
Cisco recommends that you review the Guidelines and Limitations for AnyConnect on Windows 10 and Windows Phone 8.1 to be aware of current operational considerations.
See the Windows 10 Mobile and Phone 8.1 AnyConnect Feature Matrix for a list of supported features in this app.
New Features in AnyConnect 4.1.03017 for Windows 10 Mobile Devices
AnyConnect 4.1.03017 is a release candidate of Cisco AnyConnect Secure Mobility Client on Windows Phone mobile devices. See the Windows 10 Mobile and Phone 8.1 AnyConnect Feature Matrix for a list of supported features in this app.
Cisco recommends that you review the Guidelines and Limitations for AnyConnect on Windows 10 and Windows Phone 8.1 to be aware of current operational considerations.
Windows 10 Mobile and Phone 8.1 AnyConnect Feature Matrix
Category: Feature Windows Phone Deployment and Configuration:
Install or upgrade from Application Store Yes Cisco VPN Profile support (manual import) No Cisco VPN Profile support (import on connect) No MDM configured connection entries Yes User-configured connection entries Yes Tunneling:
TLS Yes Datagram TLS (DTLS) No IPsec IKEv2 NAT-T No IKEv2 - raw ESP No Suite B (IPsec only) No TLS compression No Dead peer detection No Tunnel keepalive No Multiple active network interfaces No Per App Tunneling (requires Plus or Apex license and ASA 9.4.2 or later) No Full tunnel (OS may make exceptions on some traffic, such as traffic to the app store) Yes Split tunnel (split include) Yes Local LAN (split exclude) No, defect in Windows Phone 8.1. Split-DNS Yes Auto Reconnect / Network Roaming Yes, if user remains on the same network and the network connection has not terminated. VPN on-demand (triggered by destination) Yes VPN on-demand (triggered by application) No Rekey Yes, initiated by gateway only. IPv4 public transport Yes IPv6 public transport Yes IPv4 over IPv4 tunnel Yes IPv6 over IPv4 tunnel Yes Default domain Yes DNS server configuration Yes Private-side proxy support Yes, limited support in Windows Phone 8.1. Proxy Exceptions No Public-side proxy support No Pre-login banner Yes Post-login banner Yes DSCP Preservation No Connecting and Disconnecting:
VPN load balancing Yes Backup server list No Optimal Gateway Selection No Authentication:
SAML 2.0 No Client Certificate Authentication Yes Online Certificate Status Protocol (OCSP) No Manual user certificate management Yes, using Windows Phone capabilities. Manual server certificate management Yes SCEP legacy enrollment Please confirm for your platform. No SCEP proxy enrollment Please confirm for your platform. No Automatic certificate selection Yes Manual certificate selection No Smart card support No Username and password Yes Tokens/challenge Yes Double authentication Yes Group URL (specified in server address) Yes Group selection (drop-down selection) Yes Credential prefill from user certificate Yes Save password No User interface:
Standalone GUI Yes, limited functions. Native OS GUI Yes API / URI Handler (see below) No UI customization No UI localization No User preferences Partial Home screen widgets for one-click VPN access No AnyConnect specific status icon No Mobile Posture: (AnyConnect Identity Extensions, ACIDex)
Serial number or unique ID check No OS and AnyConnect version shared with headend Yes URI Handling:
Add connection entry No Connect to a VPN No Credential pre-fill on connect No Disconnect VPN No Import certificate No Import localization data No Import XML client profile No External (user) control of URI commands No Reporting and Troubleshooting:
Statistics No Logging / Diagnostic Information (DART) Yes, Field Medic app required. Certifications:
FIPS 140-2 Level 1 No Adaptive Security Appliance Requirements
A minimum release of the ASA is required for the following features:
Note
Refer to the feature matrix for your platform to verify the availability of these features in the current AnyConnect mobile release.
Known Issues and Limitations
Guidelines and Limitations for AnyConnect on Windows 10 and Windows Phone 8.1
Performance is limited due to non-support of DTLS and IPsec/IKEv2.
VPN roaming (transitioning between WiFi and 3/4G networks) is not supported.
AnyConnect does not receive or process the AnyConnect VPN Profile from the Secure Gateway.
A user initiated disconnect does not cleanly disconnect from the head end. Cisco recommends you connect to ASA VPN groups with a small idle timeout to clear orphaned sessions on the ASA.
When the mobile device user is connecting to an ASA that does not have a valid mobile license, the user will get into a login loop, where after entering credentials the authentication will restart and eventually (after 5 attempts) send the user a generic error message: The VPN connection has failed with error code 602. Please contact your administrator and ensure that a valid mobile license is installed on the secure gateway
Known Compatibility Issues with AnyConnect on Windows 10 Mobile & Phone 8.1
Due to the implementation of some Windows apps, they are not supported when a VPN is connected.
The following Windows native apps have been tested and do not work: MSN Money, MSN Food and Drink, Health & Fitness, MSN News, Weather, MSN Sports. The following apps have been tested and operate successfully: xbox Music, xbox Games, xbox video, Podcasts
Due to an OS defect in Windows Phone 8.1 and Windows Phone 10, certain scenarios (intermittently seen during roaming/reconnects) will result in the inability to pass traffic.
After hitting this scenario, subsequent connection attempts will result in a 602 Error. You must reboot your device to work around this issue. We expect Microsoft to resolve this defect in Windows 10 Mobile and will work with Microsoft to expedite resolution.
Windows Phone 8.1 does not support automatic VPN reconnects if radio coverage is interrupted.
Specifically, automatic VPN reconnects are not supported when the phone switches from WiFi to cellular network (or vice versa) or when roaming from one WiFi network to another. Windows Phone 8.1 will attempt to automatically reconnect the VPN if radio coverage is maintained and connectivity to the VPN gateway is lost due to a temporary network disruption. In this case the operating system will attempt to reconnect the VPN when there is data to send through the tunnel. The operating system will try to reconnect the VPN either ten times, or for one minute, whichever happens first. After ten attempts or one minute the operating system will disconnect the VPN fully and user intervention will be required to reconnect.
Windows Phone 8.1 OS imposes the following policies regarding split tunnel VPN:
Both IPv4 and IPv6 split tunneling is supported, but if either IPv4 or IPv6 is set to tunnel all traffic then any split tunnel rules for the other address family are ignored and all IPv4 and IPv6 traffic will be tunneled.
In order to access hosts on the network when split tunnel VPN is configured, either split DNS or a default domain name must also be specified in the group policy configuration sent from the VPN gateway. Otherwise some hosts will be inaccessible.
Windows Phone 8.1 OS supports limited proxy configuration with the following considerations:
Windows Phone 8.1 OS does not support proxies on any port other than TCP 80. When the VPN server configuration includes a proxy server with a port number, AnyConnect strips the port number prior to applying the configuration to the VPN channel.
Furthermore, the Windows Phone 8.1 OS does not allow proxy exceptions to be applied to the VPN connection. Any proxy exceptions configured on the VPN server and delivered to AnyConnect will be silently ignored.
The automatic connection feature in the VPN Profile requires additional on-demand VPN configuration be done before you can save a profile. Without the additional on-demand configuration in place, you must turn the Connect automatically feature Off to Save the profile.
There is a known issue with certificate usage identification on Windows Phone OS version "8.10.14157.200" or earlier. Verify your OS version in
. To avoid this issue upgrade your Windows Phone if one is available in .Open and Resolved AnyConnect Issues
The Cisco Bug Search Tool, https://tools.cisco.com/bugsearch/, has detailed information about the following open and resolved issues in this release. A Cisco account is required to access the Bug Search Tool. If you do not have one, register at https://tools.cisco.com/RPF/register/register.do.
Copyright © 2015-2017, Cisco Systems, Inc. All rights reserved.