
Troubleshooting Remote Access SSL VPN in BYOD Scenarios

Omar Santos

Email: [email protected] | Twitter: @santosomar

BRKSEC-3050

Agenda

• Introduction
• Troubleshooting AnyConnect Deployment Issues
• Advanced Remote Access SSL VPN Troubleshooting in the Cisco ASA
• Case Studies & Demos
• Q&A

Introduction

Need Anywhere, Any Device Access

• From Any Application, to Any Sensitive Data, by Any User

Figure: more diverse users, working from more places, using more devices, accessing more diverse applications, and passing sensitive data (dimensions shown: user, location, device, application).

Diverse Remote Access Use Cases

Remote-access requirements vary greatly by user, location, desktop, and other criteria. Access requirements vary widely; security and access are critical.

Use cases shown: Mobile Worker, Disaster Recovery, Supply Partner, Teleworker, Contractor/Temp.

• Access from various devices (e.g., kiosks, PDAs, netbooks, laptops)
• Desktop is unmanaged; support concerns are complex
• Requires limited access to corporate resources
• Requires consistent LAN-like performance
• Requires greatest access flexibility to accommodate diverse devices and locations
• Access requirements vary greatly; computers are unmanaged or managed
• Access needs to be limited

Clientless SSL VPN

• Kiosks, shared environments
• Quick access to web mail, intranet sites, TCP applications

Client-Based SSL VPNs

• Full Tunnel
• Enhanced Features
• TCP and UDP Support

Advanced Malware Protection (AMP) Enabler

• Used as a medium for deploying Advanced Malware Protection (AMP) for endpoints.

• Pushes the AMP for Endpoints software to the endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base.

Cisco AnyConnect Secure Mobility Client

AnyConnect Package Deployment Options

• Web Deployment
• Pre-Deployment

** Mobile users can download AnyConnect from Apple’s App Store or Google Play

AnyConnect Package Filenames for Web-Deployment

OS              AnyConnect Web-Deploy Package Name
Windows         anyconnect-win-x.x.x-k9.pkg
Mac OS X        anyconnect-macosx-i386-x.x.x-k9.pkg
Linux (64-bit)  anyconnect-linux-64-x.x.x-k9.pkg

AnyConnect Package Filenames for Pre-Deployment

OS              AnyConnect Pre-Deploy Package Name
Windows         anyconnect-win-<version>-pre-deploy-k9.iso
Mac OS X        anyconnect-macosx-i386-<version>-k9.dmg
Linux (64-bit)  anyconnect-predeploy-linux-64-<version>-k9.tar.gz

AnyConnect Main Screen & Modules

AnyConnect Modules:

• Network Access Manager (Formerly called the Cisco Secure Services Client)

• Posture Assessment

• AnyConnect Telemetry

• Web Security

• Diagnostic and Reporting Tool (DART)

• Start Before Logon (SBL)

• AnyConnect Customer Experience Feedback

AnyConnect Essentials

• AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the Cisco ASA, that provides the full AnyConnect capability, with the following exceptions:
  • No CSD (including HostScan/Vault/Cache Cleaner)
  • No clientless SSL VPN
  • Optional Mobile Support

ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License

CLI:
webvpn
 anyconnect-essentials

AnyConnect User XML Profile: an XML file for user profiles and configuration settings

On Windows the profile template is stored in:
Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl

On Mac and Linux:
/opt/cisco/vpn/profile/AnyConnectProfile.tmpl

The profile may be validated against the AnyConnectProfile.xsd schema file, which is installed with the client.

On Windows the preferences are stored in:
Documents and Settings\<user>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml

AnyConnect Profile Editor

• Simplifies the act of creating valid client profiles for various AnyConnect components.

• In AnyConnect 2.5, there was just one AnyConnect component (VPN) that could be configured using an ASDM-integrated Profile Editor.

• In AnyConnect 3.x, there are four AnyConnect components that can be configured using the Profile Editor:

1. VPN

2. NAM (Network Access Manager)

3. Web Security (ScanSafe)

4. Telemetry

Installation Issues

• Logging on Windows uses the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client
• You can save the “Cisco AnyConnect VPN Client” log from the Event Viewer in “.evt” format
• Linux location: /var/log/messages
• Mac location: /var/log/system.log

Event Viewer Example: search for “anyconnect”

Video 1(AnyConnect Installation & Logs)

Video 2 (AnyConnect Connection)

AnyConnect for Mobile Devices

Apple iOS Support

• AnyConnect for iPhone, iPad, and iPod Touch

AnyConnect for iOS devices now supports the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol, or Internet Protocol Security (IPsec) with Internet Key Exchange version 2 (IKEv2).

iPad Support

• AnyConnect supports all iPad models
• Detailed statistics and diagnostics information that are useful for troubleshooting

iOS Device Support

• All iPad models
• All iPhone models since 3GS (4, 4s, 5, 5s, etc.)
• iPod Touch (3rd generation and above)

Detailed device list

iOS version 5.0 or later is required.

ASA does not provide AnyConnect for Apple iOS distributions and updates.

Android Support

For the latest list of supported devices: http://cisco.com/go/anyconnect

• HTC Devices
• Samsung Devices
• Kindle
• AnyConnect ICS offers VPN connectivity supported by the Android VPN Framework (AVF) in Android 4.0 (Ice Cream Sandwich) or later.
• The AVF provides only basic VPN connectivity. The AnyConnect client, dependent upon these basic VPN capabilities, is unable to provide the full set of VPN features available in the brand-specific packages.
• Rooted Devices

AnyConnect for Mobile Devices (Android Example)

Screenshots: Connection (on/off); Create Connection Entry; Creating a Connection (steps 1-3); Creating a Connection & Advanced Preferences.

Connecting to the VPN Appliance (Cisco ASA)

Screenshots: ASA with self-signed cert; Authenticate; Connected.

Connection Statistics

Detailed statistics useful for troubleshooting: control frames, transport information, etc.

• Control Frames
• Transport Information
• FIPS Mode
• Secured Routes (Split Tunneling)
• Message Log
• System Information
• Detailed Memory Information
• Permission Information
• System Properties
• Client Debugs

Cisco ASA Configuration & Troubleshooting with Case Studies

Topology used in the Upcoming Examples

Figure: the Client (AnyConnect) on the Internet connects to the ASA outside interface (209.165.200.224/27); the ASA also has an inside interface toward the Corporate Network and a management interface toward Management (ASDM). Networks shown: 209.165.200.224/27, 192.168.1.0/24, 10.10.10.0/24, with the ASA holding the .1 address on each interface.

AnyConnect VPN Wizard

• ASDM: VPN Wizards > AnyConnect VPN Wizard
• Select the AnyConnect VPN Wizard

Video 3 (AnyConnect Connection)

CLI Configuration

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.00028-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy GroupPolicy_myConnectionProfile internal
group-policy GroupPolicy_myConnectionProfile attributes
 wins-server none
 dns-server value 144.254.254.254
 vpn-tunnel-protocol ssl-client
 default-domain value cisco.com
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username omar password Mqv1MU8hcMVRS8Ik encrypted privilege 15
username admin password g3POWf.DtBMQRdHc encrypted privilege 15
tunnel-group myConnectionProfile type remote-access
tunnel-group myConnectionProfile general-attributes
 address-pool myIPv4Pool
 authentication-server-group myRadiusGroup
 default-group-policy GroupPolicy_myConnectionProfile
tunnel-group myConnectionProfile webvpn-attributes
 group-alias myConnectionProfile enable
ip local pool myIPv4Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0

In-Depth Troubleshooting

Authentication Problems

• Debug: debug webvpn 255

Bad Authentication:

WebVPN: started user authentication...
webvpn_free_auth_struct: net_handle = 0xc839fc30
webvpn_allocate_auth_struct: net_handle = 0xc839fc30
webvpn_free_auth_struct: net_handle = 0xc839fc30
webvpn_auth.c:webvpn_aaa_callback[5107]
WebVPN: AAA status = (ERROR)
WebVPN: callback data is not valid!!
webvpn_remove_auth_handle: auth_handle = 5

Good Authentication:

WebVPN: calling AAA with ewsContext (-925550560) and nh (-927982512)!
WebVPN: started user authentication...
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (user1) authenticated.

RADIUS Authentication Problems

• Debug: debug radius

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 150).....

01 11 00 96 53 90 89 8e af bc 45 9a cb a8 c1 66 | ....S.....E....f

a7 54 fd f2 01 07 75 73 65 72 31 02 12 07 6f 5c | .T....user1...o\

c4 03 ae cf cc bf df ec 1d 58 0f 31 38 05 06 00 | .........X.18...

00 70 00 1e 11 32 30 39 2e 31 36 35 2e 32 30 30 | .p...209.165.200

2e 32 32 35 1f 11 32 30 39 2e 31 36 35 2e 32 30 | .225..209.165.20

30 2e 32 32 36 3d 06 00 00 00 05 42 11 32 30 39 | 0.226=.....B.209

2e 31 36 35 2e 32 30 30 2e 32 32 36 04 06 0a 0a | .165.200.226....

0a fe 1a 24 00 00 00 09 01 1e 69 70 3a 73 6f 75 | ...$......ip:sou

72 63 65 2d 69 70 3d 32 30 39 2e 31 36 35 2e 32 | rce-ip=209.165.2

30 30 2e 32 32 36 | 00.226

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 17 (0x11)

Radius: Length = 150 (0x0096)

Radius: Vector: 5390898EAFBC459ACBA8C166A754FDF2

Radius: Type = 1 (0x01) User-Name

Radius: Length = 7 (0x07)

Radius: Value (String) =

75 73 65 72 31 | user1

Radius: Type = 2 (0x02) User-Password

Radius: Length = 18 (0x12)

send pkt 172.18.104.83/1645

RADIUS_SENT:server response timeout

RADIUS_DELETE

remove_req 0xcbeb5d00 session 0x14 id 17

RADIUS Server not Responding

Domain Authentication Problem

• Debug: debug ntdomain

smb: negotiate phase failed: syserr = Network is down
Cifs_Connect_Server() returned FALSE, error_code = 18
ntdomain_process_ntinfo - state is NTDOMAIN_DELETE
INFO: Attempting Authentication test to IP address <172.18.85.123> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error

Domain Controller Communication Problem

Note: In this Example the Administrator Attempts to Authenticate to the Active Directory Server Using the TEST Utility Within ASDM

Authentication Test Utility

Using the CLI:

test aaa-server authentication NYGroup host 172.18.85.123 user domainuser password 123qweasd

Additional Authentication Debugs

You can combine the debugs listed above with debug webvpn and debug aaa common when troubleshooting clientless authentication problems.

Additional Clientless SSL VPN Debugs: CIFS, NFS, Citrix, JavaScript

Problem                                        Debug Command
Accessing CIFS Shares                          debug webvpn cifs (1-255)
Accessing NFS Shares                           debug webvpn nfs (1-255)
Citrix Connection Problems                     debug webvpn citrix (1-255)
JavaScript Mangling Problems (user specific)   debug webvpn javascript trace user omar

Useful Show Commands: show vpn-sessiondb

asa# show vpn-sessiondb

---------------------------------------------------------------------------

VPN Session Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concur : Inactive

----------------------------------------------

AnyConnect Client : 12 : 22 : 12 : 0

SSL/TLS/DTLS : 12 : 22 : 12 : 0

---------------------------------------------------------------------------

Total Active and Inactive : 12 Total Cumulative : 22

Device Total VPN Capacity : 25

Device Load : 0%

---------------------------------------------------------------------------

---------------------------------------------------------------------------

Tunnels Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concurrent

----------------------------------------------

AnyConnect-Parent : 12 : 22 : 12

SSL-Tunnel : 12 : 22 : 12

DTLS-Tunnel : 12 : 22 : 12

---------------------------------------------------------------------------

Totals : 12 : 6

Useful Show Commands (cont.): show vpn-sessiondb additional options

asa# show vpn-sessiondb ?

exec mode commands/options:

anyconnect AnyConnect sessions

detail Show detailed output

email-proxy Email-Proxy sessions

full Output formatted for data management programs

index Index of session

l2l IPsec LAN-to-LAN sessions

license-summary Show VPN License summary

ra-ikev1-ipsec IKEv1 IPsec/L2TP-IPsec Remote Access sessions

ratio Show VPN Session protocol or encryption ratios

summary Show VPN Session summary

vpn-lb VPN Load Balancing Mgmt sessions

webvpn WebVPN sessions

| Output modifiers

Video 4 (Debugs – Good Authentication)

Video 5 (Debugs – Bad Authentication)

Dynamic Access Policies (DAP)

Dynamic Access Policies: Granular Control

Who?
• Employee
• Partner
• Customer
• Guest

Where?
• Home
• Corporate Premises
• Kiosk
• Branch Office

How?
• Client-Based
• Clientless
• Mobile
• Secured and Unsecured

What?
• Applications
• Data
• Resources

Mobile Posture

• Additional access authorization capabilities based on endpoint

• Cisco ASA 8.4.2+ and 8.2.5+

• Android 2.4.0/3.x and Apple iOS 2.5.0/3.x

• AnyConnect 3.1+

Example of a Pre-Login Assessment

• Only configured via ASDM
• Configured in a graphical sequence to determine whether the pre-login assessment results in the assignment of a particular policy or a denied remote access connection.

DAP AAA Configuration Attributes: Cisco Proprietary, LDAP and RADIUS

Attribute Type  Attribute Name         Source  Value   Max String Length  Description
Cisco           aaa.cisco.grouppolicy  AAA     String  128                Group Policy Name
Cisco           aaa.cisco.username     AAA     String  64                 Username value
Cisco           aaa.cisco.ipaddress    AAA     Number  -                  Framed-IP address value
Cisco           aaa.cisco.tunnelgroup  AAA     String  64                 Tunnel-group name
LDAP            aaa.ldap.<label>       LDAP    String  128                LDAP attribute value pair
RADIUS          aaa.radius.<number>    RADIUS  String  128                RADIUS attribute value pair

Dynamic Access Policies (DAP) Configuration

• Default action for the Default Access Policy is “Continue”
• Add a policy with assessments and change the Default Policy to include actions for non-compliant end systems or “Terminate”

ASDM screenshot

Dynamic Access Policies (DAP) Configuration (cont.)

The ASA obtains endpoint security attributes by using posture assessment methods. These include Cisco Secure Desktop and HostScan.

DAP complements the AAA process and uses AAA authorization attributes for policy mapping.

• After the endpoint assessment, the action to assign the user with the attribute is set
• Assignment of Network ACL filters, Webtype-ACL filters, Functions, Access method, Port Forwarding Lists and URL Lists is done on the access policy attribute section

Debugging CSD and DAP

ASA(config)# debug dap trace

The DAP policy contains the following attributes:

-------------------------------------------------

1: action = continue

DAP_open: C9EEE930

DAP_add_CSD: csd_token = [4287F77A4F7347A553F4619C]

[ 0]: aaa.cisco.username = user2

[ 1]: aaa.cisco.tunnelgroup = DefaultWEBVPNGroup

dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";

dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";

dap_clienttype_to_string(3) returns CLIENTLESS

dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";

dap_add_csd_data_to_lua:

endpoint.os.version = "Windows XP";

endpoint.os.servicepack = "2";

endpoint.location = "Default";

endpoint.protection = "secure desktop";

endpoint.fw["MSWindowsFW"] = {};

endpoint.fw["MSWindowsFW"].exists = "true";

Debugging CSD and DAP: continuation of the “debug dap trace” output…

endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall";

endpoint.fw["MSWindowsFW"].enabled = "true";

endpoint.av["McAfeeAV"] = {};

endpoint.av["McAfeeAV"].exists = "true";

endpoint.av["McAfeeAV"].description = "McAfee VirusScan Enterprise";

endpoint.av["McAfeeAV"].version = "9.8.0";

endpoint.av["McAfeeAV"].activescan = "true";

endpoint.av["McAfeeAV"].lastupdate = "132895";

endpoint.as["SpyBot"] = {};

endpoint.as["SpyBot"].exists = "true";

endpoint.as["SpyBot"].description = "Spybot - Search & Destroy 1.4";

endpoint.as["SpyBot"].version = "1.4";

endpoint.as["SpyBot"].activescan = "false";

endpoint.as["SpyBot"].lastupdate = "996895";

endpoint.enforce = "success";

Selected DAPs: McAfee-7,SpyBot

dap_request: memory usage = 19%

dap_process_selected_daps: selected 3 records

dap_aggregate_attr: rec_count = 3

DAP_close: C9EEE930
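As an added illustration (not the ASA's DAP engine and not code from this session), the Python below parses the Lua-style assignments from the debug dap trace output above into an attribute tree and replays the record selection with constructed DAP records, reproducing the "Selected DAPs: McAfee-7,SpyBot" result and showing how a hypothetical terminating record for a disabled host firewall changes the aggregate action.

```python
import re

# Constructed subset of the "debug dap trace" output above: the ASA emits the AAA and
# endpoint (HostScan/CSD) attributes as Lua assignments before it selects DAP records.
DAP_TRACE = """
dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";
dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.fw["MSWindowsFW"] = {};
endpoint.fw["MSWindowsFW"].exists = "true";
endpoint.fw["MSWindowsFW"].enabled = "true";
endpoint.av["McAfeeAV"].exists = "true";
endpoint.av["McAfeeAV"].version = "9.8.0";
endpoint.av["McAfeeAV"].activescan = "true";
endpoint.as["SpyBot"].exists = "true";
endpoint.as["SpyBot"].activescan = "false";
endpoint.enforce = "success";
"""

# Matches  prefix? path = "value";  where path mixes .name and ["name"] segments
ASSIGNMENT = re.compile(
    r'^(?:dap_add_to_lua_tree:)?(\w+(?:\["[^"]+"\]|\.\w+)+)\s*=\s*"([^"]*)";$')
PATH_PART = re.compile(r'\["([^"]+)"\]|\.?(\w+)')


def parse_dap_trace(trace: str) -> dict:
    """Turn the assignments into a nested dict, e.g.
    tree["endpoint"]["av"]["McAfeeAV"]["exists"] == "true"."""
    tree = {}
    for line in trace.splitlines():
        m = ASSIGNMENT.match(line.strip())
        if not m:
            continue  # table creation ("= {};") and marker lines carry no attribute value
        path, value = m.groups()
        keys = [bracket or dotted for bracket, dotted in PATH_PART.findall(path)]
        node = tree
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = value
    return tree


def attr(tree: dict, *keys: str, default: str = "") -> str:
    """Safe lookup: a posture attribute HostScan never reported reads as "" (fail closed)."""
    node = tree
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


# Constructed DAP records (name, match predicate, action).  On the ASA each record is an
# ASDM endpoint criterion or a Lua expression; here the criterion is a Python predicate.
DAP_RECORDS = [
    ("McAfee-7", lambda e: attr(e, "endpoint", "av", "McAfeeAV", "exists") == "true"
                       and attr(e, "endpoint", "av", "McAfeeAV", "activescan") == "true",
     "continue"),
    ("SpyBot", lambda e: attr(e, "endpoint", "as", "SpyBot", "exists") == "true", "continue"),
    # Hypothetical non-compliance record: host firewall not enabled -> terminate
    ("NoHostFirewall", lambda e: attr(e, "endpoint", "fw", "MSWindowsFW", "enabled") != "true",
     "terminate"),
]


def select_daps(tree: dict, records=DAP_RECORDS):
    """Select every matching record; fall back to DfltAccessPolicy when none match.
    Aggregation: a single "terminate" among the selected records denies the session."""
    selected = [(name, action) for name, match, action in records if match(tree)]
    if not selected:
        selected = [("DfltAccessPolicy", "continue")]
    action = "terminate" if any(a == "terminate" for _, a in selected) else "continue"
    return [name for name, _ in selected], action
```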

Case Study 1: Authentication Problems

Problem Summary

A user calls your VPN support staff and complains that his AnyConnect VPN connection “is not working”! What can you do to troubleshoot?

Debug and Show Command Toolkit

First, let’s take a look at some debugs and show commands you can use:

show vpn-sessiondb anyconnect filter p-ipaddress 100.1.1.1
debug webvpn anyconnect
debug aaa common

debug webvpn anyconnect 255: good authentication

ciscoasa# webvpn_rx_data_tunnel_connect

CSTP state = HEADER_PROCESSING

http_parse_cstp_method()

...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'

webvpn_cstp_parse_request_field()

...input: 'Host: 209.165.200.225'

Processing CSTP header line: 'Host: 209.165.200.225'

webvpn_cstp_parse_request_field()

...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'

Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'

Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.0.0629'

…<output omitted>

Validating address: 0.0.0.0

CSTP state = WAIT_FOR_ADDRESS

webvpn_cstp_accept_address: 10.10.20.1/255.255.255.0

webvpn_cstp_accept_ipv6_address: No IPv6 Address

CSTP state = HAVE_ADDRESS

…<output omitted>

SVC: adding to sessmgmt

SVC: Sending response

Sending X-CSTP-FW-RULE msgs: Start

Sending X-CSTP-FW-RULE msgs: Done

Sending X-CSTP-Quarantine: false

Sending X-CSTP-Disable-Always-On-VPN: false

vpn_put_uauth success!

CSTP state = CONNECTED

debug aaa common: bad communication to the server

radius mkreq: 0x19

alloc_rip 0xcbeb5d00

new request 0x19 --> 20 (0xcbeb5d00)

got user 'user1'

got password

add_req 0xcbeb5d00 session 0x19 id 20

RADIUS_REQUEST

radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------

Raw packet data (length = 63).....

01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1 | ...?....._.u.{..

d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87 | .WD-..user1..^1.

3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a | =.........L.x...

0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05 | .........=.....

Parsed packet data.....

Radius: Code = 1 (0x01)

Radius: Identifier = 20 (0x14)

Radius: Length = 63 (0x003F)

Radius: Vector: B20380B9FE5FAC750A7B98F1D657442D

Radius: Type = 1 (0x01) User-Name

Radius: Length = 7 (0x07)

Radius: Value (String) =

75 73 65 72 31 | user1

Radius: Type = 2 (0x02) User-Password


Radius: Length = 18 (0x12)

Radius: Value (String) =

5e 31 87 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 | ^1.=.........L.x

Radius: Type = 4 (0x04) NAS-IP-Address

Radius: Length = 6 (0x06)

Radius: Value (IP Address) = 10.10.10.254 (0x0A0A0AFE)

Radius: Type = 5 (0x05) NAS-Port

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x2

Radius: Type = 61 (0x3D) NAS-Port-Type

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt 172.18.104.83/1645

RADIUS_SENT:server response timeout

callback_aaa_task: status = -2, msg =

RADIUS_DELETE

remove_req 0xcbeb5d00 session 0x19 id 20

free_rip 0xcbeb5d00

radius: send queue empty

First Problem Fixed…but the user still cannot connect

• We fixed the previous problem: the Cisco ASA had the wrong IP address for the AAA server.
• The correct IP address is 172.18.118.206, not 172.18.104.83.
• However, authentication is still not successful. What’s the problem?

<output omitted for brevity>

Radius: Length = 6 (0x06)

Radius: Value (Hex) = 0x5

send pkt 172.18.118.206/1645

fail request 0x1c (172.18.118.206 failed)

callback_aaa_task: status = -2, msg =

RADIUS_DELETE

remove_req 0xcbeb5d00 session 0x1c id 23

free_rip 0xcbeb5d00

radius: send queue empty

What was the Problem?

The problem was that the AAA server didn’t have the correct NAS (AAA client) address for the ASA: it had 10.10.10.54 instead of 10.10.10.254.

You can also use the show aaa-server command to view statistics on AAA transactions:

asa# show aaa-server my-radius

Server Group: my-radius

Server Protocol: radius

Server Address: 172.18.118.206

Server port: 1645(authentication), 1646(accounting)

Server status: ACTIVE, Last transaction at 11:49:09 UTC Fri Jun 1 2012

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 11

Number of authorization requests 0

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 1

Number of rejects 5

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 5

Number of unrecognized responses 0
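To read the raw hex in the debug radius and debug aaa common output without an ASA, here is an added Python decoder (my example, not Cisco code): it parses the 63-byte Access-Request copied from the debug aaa common trace above, applies the case study 1 check that the NAS address the ASA reports is one the RADIUS server actually has registered, and verifies a Response Authenticator the way a client detects the "bad authenticators" counted by show aaa-server. The shared secret and the Access-Accept used for that last check are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Access-Request bytes copied from the "debug aaa common" output above
# (Identifier 20, Length 63). The User-Password value is RFC 2865 hidden text,
# not the cleartext password, so it is left opaque here.
ACCESS_REQUEST = bytes.fromhex(
    "01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1"
    "d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87"
    "3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a"
    "0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05"
)

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              8: "Framed-IP-Address", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 66: "Tunnel-Client-Endpoint"}
TEXT_ATTRS, IPV4_ATTRS, INT_ATTRS = {1, 30, 31, 66}, {4, 8}, {5, 61}


def decode_value(atype: int, raw: bytes):
    """Decode one attribute value by its RFC 2865 data type; unknown types stay hex."""
    if atype in TEXT_ATTRS:
        return raw.decode("utf-8", "replace")
    if atype in IPV4_ATTRS:
        return str(IPv4Address(raw))
    if atype in INT_ATTRS:
        return struct.unpack("!I", raw)[0]
    return raw.hex()


def parse_radius(pkt: bytes) -> dict:
    """Decode the 20-byte header and the attribute TLVs of one RADIUS packet, like the
    ASA's "Parsed packet data" section, rejecting inconsistent lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} != {len(pkt)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append((atype, ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      decode_value(atype, pkt[pos + 2:pos + alen])))
        pos += alen
    return {"code": CODES.get(code, code), "identifier": ident, "length": length,
            "authenticator": pkt[4:20].hex().upper(), "attributes": attrs}


def check_nas_ip(parsed: dict, registered_clients: set) -> str:
    """Case study 1 check. RFC 2865 makes a server silently discard requests from a
    NAS it does not know, so the ASA never gets an Accept or Reject and the debug
    shows only timeouts or failed requests. Servers key on the UDP source address;
    the NAS-IP-Address attribute is what the ASA reports for itself and normally
    equals it, which makes it a usable proxy when reading a captured request."""
    nas = [v for t, _, v in parsed["attributes"] if t == 4]
    if not nas:
        return "no NAS-IP-Address attribute"
    return "ok" if nas[0] in registered_clients else \
        f"NAS-IP-Address {nas[0]} is not a registered RADIUS client on the server"


def response_authenticator(response: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """False is a "bad authenticator": wrong shared secret, or a reply forged or
    replayed for a different request (the show aaa-server counter of that name)."""
    expected = response_authenticator(response, request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def build_access_accept(request: bytes, secret: bytes) -> bytes:
    """Constructed sample reply (not from the page): an attribute-less Access-Accept
    with a correct Response Authenticator, to exercise verify_response."""
    hdr = struct.pack("!BBH", 2, request[1], 20)
    return hdr + response_authenticator(hdr + bytes(16), request[4:20], secret)
```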

Case Study 2: User Connects But Cannot Pass Traffic

Problem Summary

The user is able to authenticate…but cannot pass traffic. What can you do to troubleshoot?

Split Tunneling Issue?

• AnyConnect Route Details: are we doing split tunneling?

Statistics After Connection

• What’s the problem here? (the statistics screenshot shows every counter at 0)

Internal Routing Problem

• Routing Behind the ASA

Figure: Client (AnyConnect) on the Internet; ASA outside and inside interfaces; VPN Pool 10.10.20.0/24; .254; Corporate Network. Where is 10.10.20.x?

The internal router must have a route for the VPN IP Address Pool (10.10.20.0/24).

What Other Things Can Cause the Same Symptoms?

ACLs Blocking Traffic


Bypass Interface ACLs

You can require an access rule to apply to the local IP addresses by unchecking this check box. The access rule applies to the assigned IP address, and not to the original client IP address used before the VPN packet was decrypted.

ciscoasa# show run sysopt
no sysopt connection permit-vpn

Troubleshooting Split Tunneling Issues

Split Tunneling Introduction

Split tunneling lets you specify that certain data traffic is encrypted, while the remainder is sent in the clear (unencrypted). Split-tunneling network lists distinguish networks that require traffic to go through the tunnel from those that do not require tunneling. The ASA makes split-tunneling decisions based on a network list, which is an ACL consisting of a list of addresses on the private network.

Troubleshooting Split Tunneling

Step 1. Ask your user to go to Route Details and check if the split tunneling list/routes are there…

Step 2. If your user’s client does not have the correct routes, check that your ASA has the correct access lists for split tunneling for the group the user is connecting to.

Step 3. Enable debug webvpn svc <1-255> and look for the following messages:

SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1

If you see those messages, the split tunneling information is NOT being sent to the client.

Overview of AnyConnect Network Access Manager (NAM)

Cisco Network Access Manager

• Enterprise-focused connection management
• Wired (802.3) and wireless (802.11) connectivity through a single authentication framework
• Layer-2 user and device authentication:
  • 802.1X, 802.1X-REV (wired key establishment)
  • 802.1AE (MACsec: wired encryption)
  • Support for numerous EAP types
  • 802.11i (Robust Security Network)
• Support for both admin (office) and user (home) network configurations

NAM Features and Support

• Supports these main features:

• Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters

• Pre-login authentication using Windows machine credentials

• Single sign-on user authentication using Windows logon credentials

• Simplified and easy-to-use IEEE 802.1X configuration

• IEEE MACsec wired encryption and enterprise policy control

• EAP methods: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, and LEAP (EAP-MD5, EAP-GTC, and EAP-MSCHAPv2 for IEEE 802.3 wired only)

NAM Statistics

• Similar to the VPN Statistics view

NAM Message History

IKEv2 Support and Troubleshooting

IPSec IKEv2 Support

IKEv2 support uses Cisco’s IKEv2 implementation:

• IKEv2 toolkit is common in client, ASA and IOS
• Standards-based implementation
• Includes a few extensions (fragmentation, redirect)
• Same authentication methods supported previously with SSL VPN
• Uses proprietary EAP method (AnyConnect EAP)

IPSec IKEv2 Support (cont.)

Some AnyConnect features require a parallel SSL connection:

• CSD HostScan
• Profile updates
• Language/Customization
• Application upgrades
• SCEP

Not Supported in IKEv2

• Windows 7 IKEv2 client or any other 3rd-party IKEv2 client

• HW client support for IKEv2 (5505 as a head-end using IKEv2 is supported)

• Pre-shared-key authentication for client or server

• IKEv2 encryption for load-balancing link to other ASAs

• cTCP, L2TP

• Re-authentication

• Peer ID check

• Compression/IPcomp

• NAC

• 3rd party firewall configuration

New IKEv2 Configuration Commands

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trust-point my-ikev2-trustpoint
crypto ikev2 enable outside
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-sa 100
ikev2 remote-authentication certificate my-ikev2-trustpoint

More Configuration Tips and Examples at:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html

IKEv2 Debug Commands: debugs specific to IKEv2

debug crypto ikev2 platform
Debugs ASA processing of IKEv2, not protocol-specific exchanges. This debug is useful for AAA and session management issues, and also to troubleshoot the ASA cryptographic module performing encryption and decryption.

debug crypto ikev2 protocol
Debugs IKEv2 protocol-specific exchanges.

debug crypto ikev2 timer
Debugs IKEv2 timer expiration. Useful when clients are complaining that their connection is being timed out too often.

Note: debug crypto ike-common can be used for both IKEv1 and IKEv2.

Advanced Troubleshooting with DART

AnyConnect Diagnostics and Reporting Tool: useful for troubleshooting AnyConnect installation and connection problems

1. To launch DART, go to the Status Overview tab and click on Diagnostics…

DART Wizard (screenshots 2 and 3)

Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information. DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and which files you want to include in the bundle.

DART Wizard…continued (screenshots 3 and 4)

Video 6 (DART)

Q&A

Participate in the “My Favorite Speaker” Contest

• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)

• Send a tweet and include

• Your favorite speaker’s Twitter handle @santosomar

• Two hashtags: #CLUS #MyFavoriteSpeaker

• You can submit an entry for more than one of your “favorite” speakers

• Don’t forget to follow @CiscoLive and @CiscoPress

• View the official rules at http://bit.ly/CLUSwin

Promote Your Favorite Speaker and You Could Be a Winner

Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Table Topics

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you