Cisco Cisco AnyConnect Secure Mobility Client v4.x
Interoperability between Network Access Manager and other Connection Managers
When the Network Access Manager operates, it takes exclusive control over the network adapters and blocks attempts by other
software connection managers (including the Windows native connection manager) to establish connections. Therefore, if you want
AnyConnect users to use other connection managers on their endpoint computers (such as iPassConnect Mobility Manager), they
must disable Network Access Manager either through the Disable Client option in the Network Access Manager GUI, or by stopping
the Network Access Manager service.
software connection managers (including the Windows native connection manager) to establish connections. Therefore, if you want
AnyConnect users to use other connection managers on their endpoint computers (such as iPassConnect Mobility Manager), they
must disable Network Access Manager either through the Disable Client option in the Network Access Manager GUI, or by stopping
the Network Access Manager service.
Network Interface Card Drivers Incompatible with Network Access Manager
The Intel wireless network interface card driver, version 12.4.4.5, is incompatible with Network Access Manager. If this driver is
installed on the same endpoint as the Network Access Manager, it can cause inconsistent network connectivity and an abrupt shutdown
of the Windows operating system.
installed on the same endpoint as the Network Access Manager, it can cause inconsistent network connectivity and an abrupt shutdown
of the Windows operating system.
Avoiding SHA 2 Certificate Validation Failure (CSCtn59317)
The AnyConnect client relies on the Windows Cryptographic Service Provider (CSP) of the certificate for hashing and signing of
data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection. If the CSP does not support SHA 2
algorithms, and the ASA is configured for the pseudo-random function (PRF) SHA256, SHA384, or SHA512, and the connection
profile (tunnel-group) is configured for certificate or certificate and AAA authentication, certificate authentication fails. The user
receives the message Certificate Validation Failure.
data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection. If the CSP does not support SHA 2
algorithms, and the ASA is configured for the pseudo-random function (PRF) SHA256, SHA384, or SHA512, and the connection
profile (tunnel-group) is configured for certificate or certificate and AAA authentication, certificate authentication fails. The user
receives the message Certificate Validation Failure.
This failure occurs for Windows only, for certificates that belong to CSPs that do not support SHA 2-type algorithms. Other supported
OSs do not experience this problem.
OSs do not experience this problem.
To avoid this problem you can configure the PRF in the IKEv2 policy on the ASA to md5 or sha (SHA 1). Alternatively, you can
modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced RSA and AES Cryptographic Provider. Do
not apply this workaround to SmartCards certificates. You cannot change the CSP names. Instead, contact the SmartCard provider
for an updated CSP that supports SHA 2 algorithms.
modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced RSA and AES Cryptographic Provider. Do
not apply this workaround to SmartCards certificates. You cannot change the CSP names. Instead, contact the SmartCard provider
for an updated CSP that supports SHA 2 algorithms.
Performing the following workaround actions could corrupt the user certificate if you perform them
incorrectly. Use extra caution when specifying changes to the certificate.
incorrectly. Use extra caution when specifying changes to the certificate.
Caution
You can use the Microsoft Certutil.exe utility to modify the certificate CSP values. Certutil is a command-line utility for managing
a Windows CA, and is available in the Microsoft Windows Server 2003 Administration Tools Pack. You can download the Tools
Pack at this URL:
a Windows CA, and is available in the Microsoft Windows Server 2003 Administration Tools Pack. You can download the Tools
Pack at this URL:
Follow this procedure to run Certutil.exe and change the Certificate CSP values:
1
Open a command window on the endpoint computer.
2
View the certificates in the user store along with their current CSP value using the following command:certutil -store -user My
The following example shows the certificate contents displayed by this command:
================ Certificate 0 ================
Serial Number: 3b3be91200020000854b
Issuer: CN=cert-issuer, OU=Boston Sales, O=Example Company, L=San Jose,
S=CA, C=US, E=csmith@example.com
NotBefore: 2/16/2011 10:18 AM
NotAfter: 5/20/2024 8:34 AM
Subject: CN=Carol Smith, OU=Sales Department, O=Example Company, L=San Jose, S=C
A, C=US, E=csmith@example.com
Serial Number: 3b3be91200020000854b
Issuer: CN=cert-issuer, OU=Boston Sales, O=Example Company, L=San Jose,
S=CA, C=US, E=csmith@example.com
NotBefore: 2/16/2011 10:18 AM
NotAfter: 5/20/2024 8:34 AM
Subject: CN=Carol Smith, OU=Sales Department, O=Example Company, L=San Jose, S=C
A, C=US, E=csmith@example.com
22