Troubleshooting Remote Access SSL VPN in BYOD Scenarios
Omar Santos
Email: [email protected] | Twitter: @santosomar
BRKSEC-3050
Agenda
• Introduction
• Troubleshooting AnyConnect Deployment Issues
• Advanced Remote Access SSL VPN Troubleshooting in the Cisco ASA
• Case Studies & Demos
• Q&A
Need Anywhere, Any Device Access
• From Any Application, to Any Sensitive Data, by Any User
• More diverse users, working from more places, using more devices, accessing more diverse applications, and passing sensitive data
(Figure: Location, Application, Device)
Diverse Remote Access Use Cases
Remote-Access Requirements Vary Greatly by User, Location, Desktop, and Other Criteria
Use cases shown: Mobile Worker, Disaster Recovery, Supply Partner, Teleworker, Contractor/Temp, Kiosks and Shared Environments
• Access from various devices (e.g., kiosks, PDAs, netbooks, laptops)
• Desktop is unmanaged; support concerns are complex
• Requires limited access to corporate resources
• Requires consistent LAN-like performance
• Requires greatest access flexibility to accommodate diverse devices and locations
• Access requirements vary widely. Security and access are critical
• Access requirements vary greatly; computers are unmanaged or managed.
• Access needs to be limited
Clientless SSL VPN
Kiosks, Shared Environments: Quick Access to Web Mail, Intranet Sites, TCP Applications
Advanced Malware Protection (AMP) Enabler
• Used as a medium for deploying Advanced Malware Protection (AMP) for endpoints.
• Pushes the AMP for Endpoints software to the endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base.
AnyConnect Package Deployment Options
• Web Deployment
• Pre-Deployment
** Mobile users can download AnyConnect from Apple’s App Store or Google Play
AnyConnect Package Filenames for Web-Deployment
OS | AnyConnect Web-Deploy Package Name
Windows | anyconnect-win-x.x.x-k9.pkg
Mac OS X | anyconnect-macosx-i386-x.x.x-k9.pkg
Linux (64-bit) | anyconnect-linux-64-x.x.x-k9.pkg
AnyConnect Package Filenames for Pre-Deployment
OS | AnyConnect Pre-Deploy Package Name
Windows | anyconnect-win-<version>-pre-deploy-k9.iso
Mac OS X | anyconnect-macosx-i386-<version>-k9.dmg
Linux (64-bit) | anyconnect-predeploy-linux-64-<version>-k9.tar.gz
AnyConnect Main Screen & Modules
AnyConnect Modules:
• Network Access Manager (Formerly called the Cisco Secure Services Client)
• Posture Assessment
• AnyConnect Telemetry
• Web Security
• Diagnostic and Reporting Tool (DART)
• Start Before Logon (SBL)
• AnyConnect Customer Experience Feedback
AnyConnect Essentials
• AnyConnect Essentials is a separately licensed SSL VPN client, entirely configured on the Cisco ASA, that provides the full AnyConnect capability, with the following exceptions:
• No CSD (including HostScan/Vault/Cache Cleaner)
• No clientless SSL VPN
• Optional Mobile Support
ASDM: Configuration > Remote Access VPN > Advanced > AnyConnect Essentials License
CLI:
webvpn
 anyconnect-essentials
AnyConnect User XML Profile… an XML File for User Profiles and Configuration Settings
In Windows stored in:
Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl
Mac and Linux:
/opt/cisco/vpn/profile/AnyConnectProfile.tmpl
The profile may be validated using the AnyConnectProfile.xsd file, which is installed along with the client.
On Windows the preferences are stored in:
Documents and Settings\<user>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml
AnyConnect Profile Editor
• Simplifies the act of creating valid client profiles for various AnyConnect components.
• In AnyConnect 2.5, there was just one AnyConnect component (VPN) that could be configured using an ASDM-integrated Profile Editor.
• In AnyConnect 3.x, there are four AnyConnect components that can be configured using the Profile Editor:
1. VPN
2. NAM (Network Access Manager)
3. Web Security (ScanSafe)
4. Telemetry
Installation Issues
• Logging on Windows uses the Windows Event Viewer; review the log messages under Cisco AnyConnect VPN Client
• You can save the “Cisco AnyConnect VPN Client” log from the Event Viewer in “.evt” format
• Linux location: /var/log/messages
• Mac location: /var/log/system.log
Apple iOS Support
• AnyConnect for iPhone, iPad, and iPod Touch
• AnyConnect for iOS devices now supports the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol, or Internet Protocol Security (IPsec) Internet Key Exchange version 2 (IKEv2).
iPad Support
• AnyConnect supports all iPad models
• Detailed statistics and diagnostics information that are useful for troubleshooting
iOS Device Support
• All iPad models
• All iPhone models since 3GS (4, 4s, 5, 5s, etc.)
• iPod Touch (3rd generation and above)
• Detailed device list
• iOS version 5.0 or later is required
• ASA does not provide AnyConnect for Apple iOS distributions and updates.
Android Support
For Latest List of Supported Devices: http://cisco.com/go/anyconnect
• HTC Devices
• Samsung Devices
• Kindle
• AnyConnect ICS offers VPN connectivity supported by the Android VPN Framework (AVF) in Android 4.0 (Ice Cream Sandwich) or later.
• The AVF provides only basic VPN connectivity. The AnyConnect client, dependent upon these basic VPN capabilities, is unable to provide the full set of VPN features available in the brand-specific packages.
• Rooted Devices
Control Frames, Transport Information, etc.
• Control Frames
• Transport Information
• FIPS Mode
• Secured Routes (Split Tunneling)
Topology used in the Upcoming Examples
(Figure: the Client (AnyConnect) on the Internet reaches the ASA's outside interface; the ASA also has inside and management interfaces, each at .1 on its network; the networks shown are 209.165.200.224/27, 192.168.1.0/24 and 10.10.10.0/24; the inside side leads to the Corporate Network and the management side to Management (ASDM).)
CLI Configuration
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-macosx-i386-4.1.00028-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy GroupPolicy_myConnectionProfile internal
group-policy GroupPolicy_myConnectionProfile attributes
 wins-server none
 dns-server value 144.254.254.254
 vpn-tunnel-protocol ssl-client
 default-domain value cisco.com
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username omar password Mqv1MU8hcMVRS8Ik encrypted privilege 15
username admin password g3POWf.DtBMQRdHc encrypted privilege 15
tunnel-group myConnectionProfile type remote-access
tunnel-group myConnectionProfile general-attributes
 address-pool myIPv4Pool
 authentication-server-group myRadiusGroup
 default-group-policy GroupPolicy_myConnectionProfile
tunnel-group myConnectionProfile webvpn-attributes
 group-alias myConnectionProfile enable
ip local pool myIPv4Pool 10.10.10.1-10.10.10.254 mask 255.255.255.0
Authentication Problems
Debug: debug webvpn 255
Bad Authentication:
WebVPN: started user authentication...
webvpn_free_auth_struct: net_handle = 0xc839fc30
webvpn_allocate_auth_struct: net_handle = 0xc839fc30
webvpn_free_auth_struct: net_handle = 0xc839fc30
webvpn_auth.c:webvpn_aaa_callback[5107]
WebVPN: AAA status = (ERROR)
WebVPN: callback data is not valid!!
webvpn_remove_auth_handle: auth_handle = 5
Good Authentication:
WebVPN: calling AAA with ewsContext (-925550560) and nh (-927982512)!
WebVPN: started user authentication...
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (user1) authenticated.
RADIUS Authentication Problems
Debug: debug radius
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 150).....
01 11 00 96 53 90 89 8e af bc 45 9a cb a8 c1 66 | ....S.....E....f
a7 54 fd f2 01 07 75 73 65 72 31 02 12 07 6f 5c | .T....user1...o\
c4 03 ae cf cc bf df ec 1d 58 0f 31 38 05 06 00 | .........X.18...
00 70 00 1e 11 32 30 39 2e 31 36 35 2e 32 30 30 | .p...209.165.200
2e 32 32 35 1f 11 32 30 39 2e 31 36 35 2e 32 30 | .225..209.165.20
30 2e 32 32 36 3d 06 00 00 00 05 42 11 32 30 39 | 0.226=.....B.209
2e 31 36 35 2e 32 30 30 2e 32 32 36 04 06 0a 0a | .165.200.226....
0a fe 1a 24 00 00 00 09 01 1e 69 70 3a 73 6f 75 | ...$......ip:sou
72 63 65 2d 69 70 3d 32 30 39 2e 31 36 35 2e 32 | rce-ip=209.165.2
30 30 2e 32 32 36 | 00.226
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 17 (0x11)
Radius: Length = 150 (0x0096)
Radius: Vector: 5390898EAFBC459ACBA8C166A754FDF2
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31 | user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
send pkt 172.18.104.83/1645
RADIUS_SENT:server response timeout
RADIUS_DELETE
remove_req 0xcbeb5d00 session 0x14 id 17
RADIUS Server not Responding
Domain Authentication Problem
Debug: debug ntdomain
smb: negotiate phase failed: syserr = Network is down
Cifs_Connect_Server() returned FALSE, error_code = 18
ntdomain_process_ntinfo - state is NTDOMAIN_DELETE
INFO: Attempting Authentication test to IP address <172.18.85.123> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error
Domain Controller Communication Problem
Note: In this example the administrator attempts to authenticate to the Active Directory server using the Test utility within ASDM.
Authentication Test Utility
Using the CLI:
test aaa-server authentication NYGroup host 172.18.85.123 user domainuser password 123qweasd
Additional Authentication Debugs
You can combine the debugs listed above with debug webvpn and debug aaa common when troubleshooting clientless authentication problems.
(For Your Reference)
Additional Clientless SSL VPN Debugs: CIFS, NFS, Citrix, JavaScript
Problem | Debug Command
Accessing CIFS Shares | debug webvpn cifs (1-255)
Accessing NFS Shares | debug webvpn nfs (1-255)
Citrix Connection Problems | debug webvpn citrix (1-255)
JavaScript Mangling Problems (user specific) | debug webvpn javascript trace user omar
Useful Show Commands: show vpn-sessiondb
asa# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 12 : 22 : 12 : 0
SSL/TLS/DTLS : 12 : 22 : 12 : 0
---------------------------------------------------------------------------
Total Active and Inactive : 12 Total Cumulative : 22
Device Total VPN Capacity : 25
Device Load : 0%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
AnyConnect-Parent : 12 : 22 : 12
SSL-Tunnel : 12 : 22 : 12
DTLS-Tunnel : 12 : 22 : 12
---------------------------------------------------------------------------
Totals : 12 : 6
Useful Show Commands (cont.): show vpn-sessiondb additional options
asa# show vpn-sessiondb ?
exec mode commands/options:
anyconnect AnyConnect sessions
detail Show detailed output
email-proxy Email-Proxy sessions
full Output formatted for data management programs
index Index of session
l2l IPsec LAN-to-LAN sessions
license-summary Show VPN License summary
ra-ikev1-ipsec IKEv1 IPsec/L2TP-IPsec Remote Access sessions
ratio Show VPN Session protocol or encryption ratios
summary Show VPN Session summary
vpn-lb VPN Load Balancing Mgmt sessions
webvpn WebVPN sessions
| Output modifiers
Dynamic Access Policies: Granular Control
Who?
• Employee
• Partner
• Customer
• Guest
Where?
• Home
• Corporate Premises
• Kiosk
• Branch Office
How?
• Client-Based
• Clientless
• Mobile
• Secured and Unsecured
What?
• Applications
• Data
• Resources
Mobile Posture
• Additional access authorization capabilities based on endpoint
• Cisco ASA 8.4.2+ and 8.2.5+
• Android 2.4.0/3.x and Apple iOS 2.5.0/3.x
• AnyConnect 3.1+
Example of a Pre-Login Assessment
• Only configured via ASDM
• Configured in a graphical sequence to determine whether the pre-login assessment results in the assignment of a particular policy or a denied remote access connection.
DAP AAA Configuration Attributes: Cisco Proprietary, LDAP and RADIUS
Attribute Type | Attribute Name | Source | Value | Max String Length | Description
Cisco | aaa.cisco.grouppolicy | AAA | String | 128 | Group Policy Name
Cisco | aaa.cisco.username | AAA | String | 64 | Username value
Cisco | aaa.cisco.ipaddress | AAA | Number | - | Framed-ip address value
Cisco | aaa.cisco.tunnelgroup | AAA | String | 64 | Tunnel-group name
LDAP | aaa.ldap.<label> | LDAP | String | 128 | LDAP attribute value pair
RADIUS | aaa.radius.<number> | RADIUS | String | 128 | Radius attribute value pair
Dynamic Access Policies (DAP) Configuration
• Default action for Default Access Policy is “Continue”
• Add policy with assessments and change Default Policy to include actions for non-compliant end systems or “Terminate”
ASDM
Dynamic Access Policies (DAP) Configuration
• The ASA obtains endpoint security attributes by using posture assessment methods. These include Cisco Secure Desktop and HostScan.
• DAP complements the AAA process and uses AAA authorization attributes for policy mapping.
Dynamic Access Policies (DAP) Configuration
• After the endpoint assessment, the action to assign the user with the attribute is set
• Assignment of Network ACL filters, Webtype-ACL filters, Functions, Access method, Port Forwarding Lists and URL Lists is done in the access policy attribute section
Debugging CSD and DAP
ASA(config)# debug dap trace
The DAP policy contains the following attributes:
-------------------------------------------------
1: action = continue
DAP_open: C9EEE930
DAP_add_CSD: csd_token = [4287F77A4F7347A553F4619C]
[ 0]: aaa.cisco.username = user2
[ 1]: aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";
dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
dap_clienttype_to_string(3) returns CLIENTLESS
dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";
dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.location = "Default";
endpoint.protection = "secure desktop";
endpoint.fw["MSWindowsFW"] = {};
endpoint.fw["MSWindowsFW"].exists = "true";
Debugging CSD and DAP (continuation of the “debug dap trace” output…)
endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall";
endpoint.fw["MSWindowsFW"].enabled = "true";
endpoint.av["McAfeeAV"] = {};
endpoint.av["McAfeeAV"].exists = "true";
endpoint.av["McAfeeAV"].description = "McAfee VirusScan Enterprise";
endpoint.av["McAfeeAV"].version = "9.8.0";
endpoint.av["McAfeeAV"].activescan = "true";
endpoint.av["McAfeeAV"].lastupdate = "132895";
endpoint.as["SpyBot"] = {};
endpoint.as["SpyBot"].exists = "true";
endpoint.as["SpyBot"].description = "Spybot - Search & Destroy 1.4";
endpoint.as["SpyBot"].version = "1.4";
endpoint.as["SpyBot"].activescan = "false";
endpoint.as["SpyBot"].lastupdate = "996895";
endpoint.enforce = "success";
Selected DAPs: McAfee-7,SpyBot
dap_request: memory usage = 19%
dap_process_selected_daps: selected 3 records
dap_aggregate_attr: rec_count = 3
DAP_close: C9EEE930
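The trace above is easiest to read once the endpoint.* and aaa.* lines are turned back into the tree the ASA evaluates its DAP records against. The following is an added example, not Cisco code or part of this session: it parses the attribute lines copied from the trace into a nested dictionary and then evaluates DAP-style conditions against it. The ASA evaluates each record's conditions as Lua expressions over the same tree; the Python predicates here are a stand-in for that, the record names McAfee-7 and SpyBot come from the trace, and their conditions and the extra Firewall-Off record are constructed for the illustration.

```python
"""Rebuild the aaa.* / endpoint.* attribute tree from 'debug dap trace' lines
and evaluate DAP-style selection conditions against it.

Added example, not Cisco code: the ASA evaluates each DAP record's conditions
(Lua expressions in the ASDM 'Advanced' pane) over the same tree. The
predicates below are a Python stand-in for this illustration; the record
names McAfee-7 and SpyBot come from the trace, their conditions and the
Firewall-Off record are constructed.
"""
import re

# Constructed sample: attribute lines copied from the 'debug dap trace' output
# (straight quotes; the slide rendered a few of them as curly quotes).
DAP_TRACE = '''
DAP_open: C9EEE930
dap_add_to_lua_tree:aaa["cisco"]["username"] = "user2";
dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "CLIENTLESS";
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.location = "Default";
endpoint.protection = "secure desktop";
endpoint.fw["MSWindowsFW"] = {};
endpoint.fw["MSWindowsFW"].exists = "true";
endpoint.fw["MSWindowsFW"].description = "Microsoft Windows Firewall";
endpoint.fw["MSWindowsFW"].enabled = "true";
endpoint.av["McAfeeAV"] = {};
endpoint.av["McAfeeAV"].exists = "true";
endpoint.av["McAfeeAV"].description = "McAfee VirusScan Enterprise";
endpoint.av["McAfeeAV"].version = "9.8.0";
endpoint.av["McAfeeAV"].activescan = "true";
endpoint.av["McAfeeAV"].lastupdate = "132895";
endpoint.as["SpyBot"] = {};
endpoint.as["SpyBot"].exists = "true";
endpoint.as["SpyBot"].description = "Spybot - Search & Destroy 1.4";
endpoint.as["SpyBot"].version = "1.4";
endpoint.as["SpyBot"].activescan = "false";
endpoint.enforce = "success";
Selected DAPs: McAfee-7,SpyBot
'''

# One assignment per line: an optional 'dap_add_to_lua_tree:' prefix, a Lua
# path rooted at aaa or endpoint (dotted or ["bracketed"] keys), then '= {}'
# for a new table or '= "string"' for a leaf value.
ASSIGN_RE = re.compile(
    r'^(?:dap_add_to_lua_tree:)?\s*'
    r'((?:aaa|endpoint)(?:\.\w+|\["[^"]*"\])+)'
    r'\s*=\s*(\{\}|"[^"]*")\s*;\s*$'
)
KEY_RE = re.compile(r'\.(\w+)|\["([^"]*)"\]')


def parse_dap_trace(text):
    """Return a nested dict mirroring the Lua tree the trace describes."""
    tree = {}
    for line in text.splitlines():
        match = ASSIGN_RE.match(line.strip())
        if not match:
            continue  # DAP_open, Selected DAPs, ... carry no attribute
        path, raw = match.groups()
        root = re.match(r'\w+', path).group(0)
        keys = [dotted or bracketed for dotted, bracketed in KEY_RE.findall(path[len(root):])]
        node = tree.setdefault(root, {})
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        # '= {}' opens a table; the trace prints it before that table's leaves
        node[keys[-1]] = {} if raw == '{}' else raw.strip('"')
    return tree


def lookup(tree, *keys, default=None):
    """Safe walk: a product or attribute the endpoint did not report yields default."""
    node = tree
    for key in keys:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def major_version(text):
    """'9.8.0' -> 9; anything unparsable -> -1 so version checks fail closed."""
    try:
        return int(str(text).split('.')[0])
    except ValueError:
        return -1


# Constructed DAP records: name -> condition over the tree (stand-in for the
# Lua expression the ASA would evaluate for that record).
DAP_RECORDS = {
    "McAfee-7": lambda t: lookup(t, "endpoint", "av", "McAfeeAV", "exists") == "true"
    and major_version(lookup(t, "endpoint", "av", "McAfeeAV", "version")) >= 7,
    "SpyBot": lambda t: lookup(t, "endpoint", "as", "SpyBot", "exists") == "true",
    "Firewall-Off": lambda t: lookup(t, "endpoint", "fw", "MSWindowsFW", "enabled") != "true",
}


def select_daps(tree, records=DAP_RECORDS):
    """Names of the records whose condition holds, in a stable order."""
    return sorted(name for name, condition in records.items() if condition(tree))


if __name__ == "__main__":
    tree = parse_dap_trace(DAP_TRACE)
    print("client type:", lookup(tree, "endpoint", "application", "clienttype"))
    print("selected DAPs:", ", ".join(select_daps(tree)))
```

Run it directly and it reports CLIENTLESS and the two selected records, matching the "Selected DAPs" line of the trace; when a record you expected is missing, the same tree shows which attribute the endpoint never reported, which is why lookup() returns a default instead of raising.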
Problem Summary
User calls your VPN support staff and complains that his AnyConnect VPN connection “is not working”!
What can you do to troubleshoot?
Debug and Show Command Toolkit
First, let’s take a look at some debugs you can use.
show vpn-sessiondb anyconnect filter p-ipaddress 100.1.1.1
debug webvpn anyconnect
debug aaa common
debug webvpn anyconnect 255… good authentication
ciscoasa# webvpn_rx_data_tunnel_connect
CSTP state = HEADER_PROCESSING
http_parse_cstp_method()
...input: 'CONNECT /CSCOSSLC/tunnel HTTP/1.1'
webvpn_cstp_parse_request_field()
...input: 'Host: 209.165.200.225'
Processing CSTP header line: 'Host: 209.165.200.225'
webvpn_cstp_parse_request_field()
...input: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
Processing CSTP header line: 'User-Agent: Cisco AnyConnect VPN Agent for Windows 3.0.0629'
Setting user-agent to: 'Cisco AnyConnect VPN Agent for Windows 3.0.0629'
…<output omitted>
Validating address: 0.0.0.0
CSTP state = WAIT_FOR_ADDRESS
webvpn_cstp_accept_address: 10.10.20.1/255.255.255.0
webvpn_cstp_accept_ipv6_address: No IPv6 Address
CSTP state = HAVE_ADDRESS
…<output omitted>
SVC: adding to sessmgmt
SVC: Sending response
Sending X-CSTP-FW-RULE msgs: Start
Sending X-CSTP-FW-RULE msgs: Done
Sending X-CSTP-Quarantine: false
Sending X-CSTP-Disable-Always-On-VPN: false
vpn_put_uauth success!
CSTP state = CONNECTED0
debug aaa common… bad communication to the server
radius mkreq: 0x19
alloc_rip 0xcbeb5d00
new request 0x19 --> 20 (0xcbeb5d00)
got user 'user1'
got password
add_req 0xcbeb5d00 session 0x19 id 20
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 63).....
01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1 | ...?....._.u.{..
d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87 | .WD-..user1..^1.
3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a | =.........L.x...
0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05 | .........=.....
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 20 (0x14)
Radius: Length = 63 (0x003F)
Radius: Vector: B20380B9FE5FAC750A7B98F1D657442D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31 | user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
5e 31 87 3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 | ^1.=.........L.x
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.10.10.254 (0x0A0A0AFE)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.18.104.83/1645
RADIUS_SENT:server response timeout
callback_aaa_task: status = -2, msg =
RADIUS_DELETE
remove_req 0xcbeb5d00 session 0x19 id 20
free_rip 0xcbeb5d00
radius: send queue empty
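Both "Raw packet data" dumps in this session (the identifier-17 request under debug radius and the identifier-20 request under debug aaa common above) can be decoded by hand to cross-check the "Parsed packet data" view, or to fill it in when a debug was cut short. The decoder below is an added example, not Cisco's code: it strips the ASCII column from the dump, walks the RFC 2865 header and attribute TLVs, and refuses packets whose length field does not fit the bytes (the condition the ASA counts as a malformed response). Attribute names follow RFC 2865/2868; Cisco's vendor ID (9) and the Cisco-AVPair sub-type (1) are assumptions, and both dumps are copied from the slides.

```python
"""Decode the raw RADIUS packets printed by 'debug radius' and 'debug aaa common'.

Added example, not Cisco's decoder: it turns the hex column of the debug dump
back into bytes and walks the RFC 2865 header and attribute TLVs, so the
'Parsed packet data' view can be reproduced and a bad length field (what the
ASA counts as a malformed response) is caught. Attribute names follow
RFC 2865/2868; Cisco's vendor ID (9) and the Cisco-AVPair sub-type (1) are
assumed. Both dumps below are copied from the slides.
"""
import struct
from ipaddress import IPv4Address

# Access-Request, identifier 17 (the 'debug radius' slide).
DUMP_ID17 = r'''Raw packet data (length = 150).....
01 11 00 96 53 90 89 8e af bc 45 9a cb a8 c1 66 | ....S.....E....f
a7 54 fd f2 01 07 75 73 65 72 31 02 12 07 6f 5c | .T....user1...o\
c4 03 ae cf cc bf df ec 1d 58 0f 31 38 05 06 00 | .........X.18...
00 70 00 1e 11 32 30 39 2e 31 36 35 2e 32 30 30 | .p...209.165.200
2e 32 32 35 1f 11 32 30 39 2e 31 36 35 2e 32 30 | .225..209.165.20
30 2e 32 32 36 3d 06 00 00 00 05 42 11 32 30 39 | 0.226=.....B.209
2e 31 36 35 2e 32 30 30 2e 32 32 36 04 06 0a 0a | .165.200.226....
0a fe 1a 24 00 00 00 09 01 1e 69 70 3a 73 6f 75 | ...$......ip:sou
72 63 65 2d 69 70 3d 32 30 39 2e 31 36 35 2e 32 | rce-ip=209.165.2
30 30 2e 32 32 36 | 00.226
'''
# Access-Request, identifier 20 (the 'debug aaa common' slide).
DUMP_ID20 = r'''Raw packet data (length = 63).....
01 14 00 3f b2 03 80 b9 fe 5f ac 75 0a 7b 98 f1 | ...?....._.u.{..
d6 57 44 2d 01 07 75 73 65 72 31 02 12 5e 31 87 | .WD-..user1..^1.
3d df 87 88 85 d9 b0 19 ef 97 4c 0e 78 04 06 0a | =.........L.x...
0a 0a fe 05 06 00 00 00 02 3d 06 00 00 00 05 | .........=.....
'''

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              26: "Vendor-Specific", 30: "Called-Station-Id", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 66: "Tunnel-Client-Endpoint"}
CISCO_VENDOR_ID = 9   # assumed: Cisco's IANA enterprise number
CISCO_AVPAIR = 1      # assumed: sub-type of the Cisco-AVPair VSA
HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Collect the hex column (text before '|') of every dump line; skip headers."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split("|", 1)[0].split()
        if tokens and all(len(t) == 2 and set(t) <= HEXDIGITS for t in tokens):
            out.extend(bytes.fromhex("".join(tokens)))
    return bytes(out)


def decode_value(atype, value):
    """Render one attribute value the way the ASA's parsed view does."""
    if atype in (1, 30, 31, 66):                       # text attributes
        return value.decode("ascii", "replace")
    if atype == 2:                                     # obfuscated 16-byte block only
        return value.hex()
    if atype == 4 and len(value) == 4:
        return str(IPv4Address(value))
    if atype in (5, 61) and len(value) == 4:           # 32-bit integers
        return struct.unpack("!I", value)[0]
    if atype == 26 and len(value) >= 6:                # Vendor-Specific
        vendor = struct.unpack("!I", value[:4])[0]
        sub_type, sub_len = value[4], value[5]
        if vendor == CISCO_VENDOR_ID and sub_type == CISCO_AVPAIR and sub_len == len(value) - 4:
            return ("Cisco-AVPair", value[6:].decode("ascii", "replace"))
        return (vendor, value[4:].hex())
    return value.hex()


def parse_radius(pkt):
    """Parse the header and attribute TLVs; raise ValueError if the packet is malformed."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):               # RFC 2865: too-short packets are dropped
        raise ValueError(f"length field {length} does not fit {len(pkt)} bytes")
    parsed = {"code": code, "id": ident, "length": length,
              "authenticator": pkt[4:20].hex().upper(), "attrs": []}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} at offset {pos} has bad length {alen}")
        name = ATTR_NAMES.get(atype, f"Attribute-{atype}")
        parsed["attrs"].append((atype, name, decode_value(atype, pkt[pos + 2:pos + alen])))
        pos += alen
    return parsed


def attr_map(parsed):
    """Name -> decoded value (last occurrence wins), for quick lookups."""
    return {name: value for _, name, value in parsed["attrs"]}


def is_well_formed(pkt):
    """True when parse_radius accepts the packet, False on any length problem."""
    try:
        parse_radius(pkt)
        return True
    except ValueError:
        return False
```

parse_radius(hexdump_to_bytes(DUMP_ID17)) reproduces the slide's view (Code 1, Identifier 17, Length 150, the same Authenticator, User-Name user1) and goes on to the attributes the slide truncated: NAS-IP-Address 10.10.10.254, NAS-Port-Type 5 and a Cisco-AVPair carrying ip:source-ip=209.165.200.226. The NAS-IP-Address value is the one the AAA server must have on file as the ASA's client address, which is exactly the mismatch uncovered in the case study that follows.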
First Problem Fixed… but the user still cannot connect
• We fixed the previous problem. The Cisco ASA had the wrong IP address for the AAA server.
• The correct IP address is 172.18.118.206, not 172.18.104.83.
• However, authentication is still not successful. What’s the problem?
<output omitted for brevity>
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
send pkt 172.18.118.206/1645
fail request 0x1c (172.18.118.206 failed)
callback_aaa_task: status = -2, msg =
RADIUS_DELETE
remove_req 0xcbeb5d00 session 0x1c id 23
free_rip 0xcbeb5d00
radius: send queue empty
What was the Problem?
The problem was that the AAA server didn’t have the correct NAS (AAA client) address for the ASA. It had 10.10.10.54 instead of 10.10.10.254.
You can also use the show aaa-server command to view statistics on AAA transactions:
asa# show aaa-server my-radius
Server Group: my-radius
Server Protocol: radius
Server Address: 172.18.118.206
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 11:49:09 UTC Fri Jun 1 2012
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 11
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1
Number of rejects 5
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 5
Number of unrecognized responses 0
Problem Summary
User is able to authenticate… but cannot pass traffic….
What can you do to troubleshoot?
Internal Routing Problem: Routing Behind the ASA
(Figure: the Client (AnyConnect) on the Internet connects to the ASA's outside interface; the inside interface (.254) faces the Corporate Network; VPN Pool: 10.10.20.0/24; the internal router asks "Where is 10.10.20.x?")
The internal router must have a route for the VPN IP Address Pool (10.10.20.0/24)
Bypass Interface ACLs
You can require an access rule to apply to the local IP addresses by unchecking this check box. The access rule applies to the assigned IP address, and not to the original client IP address used before the VPN packet was decrypted.
ciscoasa# show run sysopt
no sysopt connection permit-vpn
Split Tunneling Introduction
Split tunneling lets you specify that certain data traffic is encrypted, while the remainder is sent in the clear (unencrypted).
Split-tunneling network lists distinguish networks that require traffic to go through the tunnel from those that do not require tunneling.
The ASA makes split-tunneling decisions based on a network list, which is an ACL consisting of a list of addresses on the private network.
Troubleshooting Split Tunneling
Step 1: Ask your user to go to Route Details and check if the split tunneling list/routes are there…
Troubleshooting Split Tunneling …continued
Step 2. If your user’s client does not have the correct routes, check that your ASA has the correct access lists for split tunneling for the group the user is connecting to.
Step 3. Enable debug webvpn svc <1-255> and look for the following messages:
SVC ACL Name: NULL
SVC ACL ID: -1
SVC ACL ID: -1
If you see those messages, the split tunneling information is NOT being sent to the client.
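The debug signatures collected through this session (AAA status in debug webvpn, the RADIUS timeout versus "fail request" outcomes of the two-step case study, the domain-controller failure in debug ntdomain, and the NULL ACL lines from debug webvpn svc above) lend themselves to a small triage script that support staff can paste debug output into. The following is an added example, not a Cisco tool or part of the session: each rule pairs a line pattern copied from the slides with the next check the slides suggest, and a second function turns the "Number of ..." counters of show aaa-server into a dictionary. The sample outputs are constructed from the debug lines on the slides.

```python
"""Triage AnyConnect / clientless VPN debug output against the signatures
shown in this session.

Added example, not a Cisco tool: each rule pairs a line pattern copied from
the debug slides (debug webvpn, debug radius / debug aaa common, debug
ntdomain, debug webvpn svc) with the next check a support engineer would
make. The sample outputs are constructed from those slides; the
'show aaa-server' counters are parsed into a dict so timeouts and rejects
can be compared.
"""
import re

RULES = [
    ("auth-accept", r"AAA status = \(ACCEPT\)",
     "AAA accepted the user; if the tunnel still fails, move on to address assignment and routing."),
    ("auth-error", r"AAA status = \(ERROR\)|callback data is not valid",
     "AAA returned an error rather than a reject: check the server group with debug radius / debug aaa common."),
    ("radius-timeout", r"send pkt (?P<server>[\d.]+)/(?P<port>\d+)\s*\n\s*RADIUS_SENT:server response timeout",
     "No answer from the RADIUS server: verify the server address on the ASA (test aaa-server) and UDP reachability to that port."),
    ("radius-fail", r"fail request 0x[0-9a-fA-F]+ \((?P<server>[\d.]+) failed\)",
     "The server was reached but the request failed: confirm its NAS (AAA client) entry carries the ASA's address (10.10.10.254, not 10.10.10.54, in the case study)."),
    ("ntdomain-down", r"Authentication Server not responding|negotiate phase failed",
     "The ASA cannot reach the domain controller: check routing and filtering between the ASA and the DC."),
    ("split-tunnel-missing", r"SVC ACL Name: NULL",
     "No split-tunnel list is sent to the client: check the split-tunnel ACL on the user's group policy."),
    ("tunnel-connected", r"CSTP state = CONNECTED",
     "The SSL tunnel is up; remaining problems are traffic forwarding (routing behind the ASA, sysopt, split tunnel)."),
]
COMPILED = [(name, re.compile(pattern), hint) for name, pattern, hint in RULES]


def triage(debug_text):
    """One finding per matching rule, in rule order, with any captured server address."""
    findings = []
    for name, pattern, hint in COMPILED:
        match = pattern.search(debug_text)
        if match:
            findings.append({"signature": name, "matched": match.group(0).strip(),
                             "server": match.groupdict().get("server"), "next_step": hint})
    return findings


COUNTER_RE = re.compile(r"^\s*Number of (.+?)\s+(\d+)\s*$", re.MULTILINE)


def aaa_server_counters(show_output):
    """'Number of <counter> <n>' lines of show aaa-server -> {counter: n}."""
    return {key: int(num) for key, num in COUNTER_RE.findall(show_output)}


# Constructed samples, assembled from the debug lines on the slides.
WRONG_SERVER_IP = """\
send pkt 172.18.104.83/1645
RADIUS_SENT:server response timeout
callback_aaa_task: status = -2, msg =
RADIUS_DELETE
"""
NAS_MISMATCH = """\
send pkt 172.18.118.206/1645
fail request 0x1c (172.18.118.206 failed)
callback_aaa_task: status = -2, msg =
"""
GOOD_AUTH = """\
WebVPN: started user authentication...
WebVPN: AAA status = (ACCEPT)
WebVPN: user: (user1) authenticated.
"""
SPLIT_TUNNEL_MISSING = "SVC ACL Name: NULL\nSVC ACL ID: -1\nSVC ACL ID: -1\n"
SHOW_AAA_SERVER = """\
Number of authentication requests 11
Number of accepts 1
Number of rejects 5
Number of malformed responses 0
Number of timeouts 5
"""

if __name__ == "__main__":
    for label, sample in (("wrong server IP", WRONG_SERVER_IP), ("NAS mismatch", NAS_MISMATCH)):
        for finding in triage(sample):
            print(f"{label}: {finding['signature']} ({finding['server']}) -> {finding['next_step']}")
    print(aaa_server_counters(SHOW_AAA_SERVER))
```

The two RADIUS rules are deliberately distinct: a timeout after "send pkt" means the ASA never heard back (the wrong-address case), whereas "fail request (... failed)" means the configured server was reached but did not accept the request (the NAS-address case), so the first fix in the case study moves the output from one signature to the other rather than to success.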
Cisco Network Access Manager
• Enterprise-focused connection management
• Wired (802.3) and wireless (802.11) connectivity through a single authentication framework
• Layer-2 user and device authentication:
• 802.1X, 802.1X-REV (wired key establishment)
• 802.1AE(MACsec: wired encryption)
• Support for numerous EAP types
• 802.11i (Robust Security Network)
• Support for both admin (office) and user (home) network configurations
NAM Features and Support
• Supports these main features:
• Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters
• Pre-login authentication using Windows machine credentials
• Single sign-on user authentication using Windows logon credentials
• Simplified and easy-to-use IEEE 802.1X configuration
• IEEE MACsec wired encryption and enterprise policy control
• EAP methods: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, and LEAP (EAP-MD5, EAP-GTC, and EAP-MSCHAPv2 for IEEE 802.3 wired only)
IPSec IKEv2 Support
IKEv2 support uses Cisco’s IKEv2 implementation:
• IKEv2 toolkit is common in client, ASA and IOS
• Standards-based implementation
• Includes a few extensions (fragmentation, redirect)
• Same authentication methods supported previously with SSL VPN
• Uses proprietary EAP method (AnyConnect EAP)
IPSec IKEv2 Support (cont.)
Some AnyConnect features require a parallel SSL connection:
• CSD HostScan
• Profile updates
• Language/Customization
• Application upgrades
• SCEP
Not Supported in IKEv2
• Windows 7 IKEv2 client or any other 3rd-party IKEv2 client
• HW client support for IKEv2 (5505 as a head-end using IKEv2 is supported)
• Pre-shared-key authentication for client or server
• IKEv2 encryption for load-balancing link to other ASAs
• cTCP, L2TP
• Re-authentication
• Peer ID check
• Compression/IPcomp
• NAC
• 3rd party firewall configuration
New IKEv2 Configuration Commands
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trust-point my-ikev2-trustpoint
crypto ikev2 enable outside
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-sa 100
ikev2 remote-authentication certificate my-ikev2-trustpoint
More Configuration Tips and Examples at:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_ike.html
IKEv2 Debug Commands… debugs specific for IKEv2
debug crypto ikev2 platform
Debugs ASA processing of IKEv2, not protocol-specific exchanges. This debug is useful for AAA and session management issues, and for troubleshooting the ASA cryptographic module performing encryption and decryption.
debug crypto ikev2 protocol
Debugs IKEv2 protocol-specific exchanges.
debug crypto ikev2 timer
Debugs IKEv2 timer expiration. Useful when clients are complaining that their connection is being timed out too often.
Note: debug crypto ike-common can be used for both IKEv1 and IKEv2
AnyConnect Diagnostics and Reporting Tool… useful for troubleshooting AnyConnect installation and connection problems
1. To launch DART go to the Status Overview tab and click on Diagnostics…
DART Wizard
2-3. Under Bundle Creation Option, select Default or Custom. The Default option includes the typical log files and diagnostic information. DARTBundle.zip is saved to the local desktop. If you choose Custom, the DART wizard allows you to specify where and what files you want to include in the bundle.
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle @santosomar
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could Be a Winner
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions