Cisco Anyconnect 3.1 Download



Introduction

This document describes the specific scenario in which the AnyConnect client reconnects to the Adaptive Security Appliance (ASA) after exactly one minute. Until AnyConnect reconnects, users might not receive traffic over the Transport Layer Security (TLS) tunnel. Whether this happens depends on a few other factors, which are discussed in this document.

Affected Components

  • ASA Release 9.0 or Release 9.1
  • AnyConnect Client Release 3.0 or Release 3.1

Symptoms

In this example, the AnyConnect client is shown as it reconnects to the ASA.

This syslog is seen on the ASA:

Problem Description

These Diagnostics and Reporting Tool (DART) logs are seen with this issue:

Causes

The cause of this issue is the failure to build a Datagram Transport Layer Security (DTLS) tunnel. This could be because of two reasons:

  • DTLS is blocked somewhere in the path

  • Use of a non-default DTLS port

DTLS is Blocked Somewhere in the Path

As of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transmission Units (MTUs) that are negotiated for TLS and DTLS between the client and the ASA. Previously, the client derived a rough estimate of the MTU which covered both TLS and DTLS and was clearly less than optimal. Now, the ASA computes the encapsulation overhead for both TLS and DTLS and derives the MTU values accordingly.

As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).

Resolution

In order to eliminate this visible transition from DTLS to TLS, the administrator can configure a separate tunnel group for TLS-only access for users that have trouble with the establishment of the DTLS tunnel (for example, because of firewall restrictions).

  1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.

    This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.

  2. The second option is to allow fragmentation.

    With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.

  3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:

    In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.

Use of a Non-default DTLS Port

Another potential cause for the DTLS failure is enabling DTLS on a non-default port after WebVPN is enabled (for example, after the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x, where the ASA pushes the non-default port to the client but continues to listen on the default port. Consequently, the DTLS tunnel is not built and AnyConnect reconnects.

After the TLS tunnel is established, the client attempts to establish the DTLS tunnel to port 444, as expected:

The order of commands that leads to the problem, together with the accelerated security path (ASP) table sockets that are open at each step, is:

  1. Start with the WebVPN sockets not enabled.

  2. Change TLS port to 444 and enable WebVPN.

  3. Change the DTLS port to 444.

Note: The DTLS socket port is still 443. At this point the AnyConnect clients establish DTLS to 444 though!

Resolution

The workaround for this problem is to enter the configuration in this order:

  1. Disable the WebVPN.

  2. Enter the DTLS port.

  3. Enable the WebVPN.

This behaviour does not exist in Release 8.4.x versions, where the DTLS sockets get updated with the configured ports immediately after the configuration is entered:

ASA Release 8.4.6:

Reconnect Workflow

Suppose that these ciphers are configured:

This sequence of events takes place in this case:

  • AnyConnect establishes a parent tunnel and a TLS data tunnel with RC4-SHA as the SSL encryption.
  • DTLS is blocked in the path and a DTLS tunnel cannot be established.
  • The ASA announces its parameters to AnyConnect, which include two separate values for the TLS MTU and the DTLS MTU.
  • DTLS MTU is 1418 by default.
  • TLS MTU is calculated from the sysopt conn tcpmss value (default is 1380). This is how the TLS MTU is derived (as seen from the debug webvpn anyconnect output):
  • AnyConnect brings the VPN adapter up and assigns DTLS MTU to it in anticipation that it will be able to connect via DTLS.
  • The AnyConnect client is now connected and the user goes to a particular website.
  • The browser sends TCP SYN and sets MSS = 1418-40 = 1378 in it.
  • The HTTP-server on the inside of the ASA sends packets of size 1418.
  • The ASA cannot put them into the tunnel and cannot fragment them as they have Don't Fragment (DF) bit set.
  • The ASA logs and drops the packets with the ASP drop reason mp-svc-no-fragment.
  • At the same time the ASA sends ICMP Destination Unreachable, Fragmentation Needed to the sender:
  • If Internet Control Message Protocol (ICMP) is allowed, then the sender retransmits dropped packets and everything starts to work. If ICMP is blocked, then traffic is blackholed on the ASA.
  • After several retransmits, AnyConnect determines that the DTLS tunnel cannot be established and that it needs to assign a new MTU value to the VPN adapter.
  • The purpose of this reconnect is to assign a new MTU.
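The following Python model is an added example, not code from this document or from Cisco. It walks the reconnect workflow above, and the three resolution options from the earlier section, through the page's own numbers (DTLS MTU 1418, default tcpmss 1380, MSS = 1418 - 40); the 33-byte TLS overhead is an assumption inferred from the page's tcpmss 1460 to TLS MTU 1427 data point, and the ASA/client forwarding decisions are a simplified model of the behaviour the page describes.

```python
"""Constructed model (not Cisco's code) of the TLS/DTLS MTU mismatch that
triggers the one-minute AnyConnect reconnect described on this page."""

DTLS_MTU = 1418        # default DTLS MTU quoted on the page (AES/SHA1/LZS)
TLS_OVERHEAD = 33      # assumption: inferred from the page's tcpmss 1460 -> TLS MTU 1427
IP_TCP_HEADERS = 40    # IPv4 + TCP headers, as in the page's MSS = 1418 - 40


def tls_mtu(tcpmss):
    """TLS data-tunnel MTU announced by the ASA for a given sysopt conn tcpmss."""
    return tcpmss - TLS_OVERHEAD


def asa_forward(pkt_len, tunnel_mtu, df=True, allow_fragment=False):
    """ASA decision for an inside->client packet while only the TLS tunnel is up."""
    if pkt_len <= tunnel_mtu:
        return "forwarded"
    if allow_fragment or not df:
        return "fragmented"
    # DF set and no room in the TLS tunnel: ASP drop plus ICMP fragmentation-needed
    return "dropped mp-svc-no-fragment"


def scenario(tcpmss=1380, anyconnect_mtu=None, allow_fragment=False, udp_len=None):
    """Walk one configuration through the reconnect workflow.
    anyconnect_mtu -> resolution option 1 (client MTU forced below the TLS MTU)
    allow_fragment -> option 2; tcpmss=1460 -> option 3;
    udp_len -> a large UDP datagram, to exercise the caveat noted under option 3.
    """
    tunnel_mtu = tls_mtu(tcpmss)
    # The VA gets the DTLS MTU in anticipation of DTLS unless the admin lowers it.
    va_mtu = min(DTLS_MTU, anyconnect_mtu) if anyconnect_mtu else DTLS_MTU
    client_mss = va_mtu - IP_TCP_HEADERS          # what the browser's SYN advertises
    tcp_pkt = client_mss + IP_TCP_HEADERS         # full-size segment from the inside server
    result = {"tls_mtu": tunnel_mtu, "va_mtu": va_mtu, "client_mss": client_mss,
              "tcp": asa_forward(tcp_pkt, tunnel_mtu, allow_fragment=allow_fragment)}
    if udp_len is not None:
        verdict = asa_forward(udp_len, tunnel_mtu, allow_fragment=allow_fragment)
        if verdict == "forwarded" and udp_len > va_mtu:
            verdict = "dropped by client (exceeds VA MTU)"
        result["udp"] = verdict
    return result


if __name__ == "__main__":
    for label, kwargs in [("default", {}), ("option 1", {"anyconnect_mtu": 1300}),
                          ("option 2", {"allow_fragment": True}),
                          ("option 3", {"tcpmss": 1460, "udp_len": 1425})]:
        print(label, scenario(**kwargs))
```

With the defaults the full-size 1418-byte TCP segment exceeds the 1347-byte TLS MTU and is dropped until the reconnect; each option changes one input so that it fits, while the UDP case shows why option 3 still leaves large UDP datagrams exposed.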

For more information on reconnect behavior and timers, see AnyConnect FAQ: Tunnels, Reconnect Behavior, and the Inactivity Timer.

Caveats

Cisco bug ID CSCuh61321: AC 3.1: ASA incorrectly handles alternate DTLS port, causes reconnect

Related Information

The guarantee of Cisco Security

Imagine taking your corporate laptop and smartphone to wherever you feel most comfortable: public transport, a coffee shop, or a swanky hotel conference room. These are all public spaces where your personal information is at risk. When you jump onto an open WiFi connection, your device is exposed to possible phishing scams and data breaches. Instead of being confined to your desk, check out Cisco AnyConnect and experience the freedom of working here, there, and everywhere. The protection was created to ensure your organization is safe no matter where you are. As a unified security endpoint agent, it delivers multiple security services for all. It has a wide range of security services like remote access, posture enforcement, web security features, and roaming protection. Overall, it has all the features necessary to provide a heavily armed and highly secure experience for any user.

Gold-standard in cyber security

Protect yourself from hacking and data breaches with the best cyber security program available today

The Cisco AnyConnect Secure Mobility Client has raised the bar for end users who are looking for a secure network. No matter what operating system you or your workplace uses, Cisco enables highly secure connectivity for every device. As a mobile worker roaming to different locations, the always-on intelligent VPN efficiently adapts its tunneling protocol. For example, AnyConnect’s Datagram Transport Layer Security (DTLS) thrives in offices that constantly use VoIP applications. The security keeps all your calls, messages, and files safe from outsiders. In AnyConnect version 4.4, you’ll experience a wide range of endpoint security services and streamlined IT operations from a single unified agent. Achieve tighter security controls and enable direct, highly secure, per-application access to corporate resources with Cisco’s mobile per-application VPN services. Trust AnyConnect’s strong compliance capabilities to block an endpoint in a compromised state and preserve the integrity of your company’s network. This is possible because of the software’s endpoint posture assessment and remediation capabilities for wired, wireless and VPN environments, which work in conjunction with Cisco Identity Services Engine 1.3. Any out-of-compliance endpoints get automated remediation actions or commands based on policy requirements.

Work anywhere

Monitor endpoint application usage both on and off premises with AnyConnect’s Network Visibility Module. Whether you use Windows or Mac OS X platforms, you can uncover potential behavior anomalies. It will help you make more informed network and service design decisions, which is always a big help. You can also share rich contextual data from the AnyConnect Network Visibility Module with the growing number of Internet Protocol Flow Export (IPFIX)-capable network-analysis tools. Of course, the AnyConnect client offers basic web security and malware threat defense. Choose from any of the built-in features like the premise-based Cisco Web Security Appliance, cloud-based Cisco Web Security, or Cisco Umbrella Roaming. Along with remote access, the comprehensive and highly secure enterprise mobility solution automatically blocks phishing and command-and-control attacks. Work in a protected and productive environment by operating with consistent, context-aware security policies.

Connect with Ease

AnyConnect 4.4 offers simplified licensing to meet your company’s needs. The AnyConnect Plus includes basic VPN services such as device and per-application VPN, trusted network detection, basic device context collection, and Federal Information Processing Standards (FIPS) compliance. This plan also offers non-VPN related services like AnyConnect Network Access Manager, Cloud Web Security module, and the Cisco Umbrella Roaming module. The second and more advanced offer is AnyConnect Apex. This plan includes more advanced cybersecurity measures like endpoint posture checks, network visibility, next-generation VPN encryption, and clientless remote access VPN.

Whether you choose the Plus or Apex plan, Cisco guarantees that both licenses eliminate the need to purchase per-headend connections and dedicated license servers. Note also that Apex offers all Plus license functionality, so only one type of license is required for each user. This model lets you design and combine license tiers in one network, shifting licensing from simultaneous connections to total unique users.

Where can you run this program?

AnyConnect version 4.4 is compatible with these operating systems and requirements: Windows, Mac, Android and iPhone

Is there a better alternative?

Cisco AnyConnect is an unbeatable provider of cybersecurity. But creating your best work often needs strong, reliable and fast WiFi. With IPVanish, you can get the best of both worlds. Enjoy high-speed internet over a secure and private connection with this virtual private network app. The VPN service assures you that all your devices are protected from outside computers, smartphones, and routers. Their 360-degree approach to protection keeps you safe from hackers and snoopers, and at the same time offers unlimited bandwidth on all platforms. This is a perfect match for you if you need supreme internet connectivity and cyber security.

Our take

Cisco AnyConnect Secure Mobility is a great solution for creating a flexible working environment. Work anywhere on any device while always protecting your interests and assets from Internet-based threats. Its availability does depend on Cisco hardware, but that is a minor added expense for the safest cyber security network available today.

Should you download it?

Yes. It is an excellent investment, and definitely worth downloading to your smartphone and PC.

Highs

  • Complete user access
  • Insightful user and endpoint behavior
  • Single agent management
  • Multiple Integrations
