Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
Guidelines and Limitations
Win32 Limitation With Connected Standby
Because AnyConnect is a Win32 (not a Windows store) application, we have limitations with Microsoft regarding privileges; therefore,
AnyConnect cannot provide access to the Connected Standby (suspend and resume events) status in Windows 8 and later.
AnyConnect cannot provide access to the Connected Standby (suspend and resume events) status in Windows 8 and later.
No ISE Posture Remediation from Symantec AV 12.1.X
Because of architectural changes in Symantec products, ISE posture cannot support remediation from Symantec AV 12.1.x and
onwards.
onwards.
Microsoft Phasing out SHA-1 Support
A secure gateway with a SHA-1 certificate or a certificate with SHA-1 intermediate certificates may no longer be considered valid
by a Windows Internet Explorer 11 / Edge browser or a Windows AnyConnect endpoint until February 14, 2017. After February 14,
2017, Windows endpoints may no longer consider a secure gateway with a SHA-1 certificate or intermediate certificate as trusted.
We highly recommend that your secure gateway does not have a SHA-1 identity certificate and that any intermediate certificates are
not SHA-1.
by a Windows Internet Explorer 11 / Edge browser or a Windows AnyConnect endpoint until February 14, 2017. After February 14,
2017, Windows endpoints may no longer consider a secure gateway with a SHA-1 certificate or intermediate certificate as trusted.
We highly recommend that your secure gateway does not have a SHA-1 identity certificate and that any intermediate certificates are
not SHA-1.
Microsoft has made modifications to their original plan of record and timing. They have published details for how to
. Cisco is not able to make any guarantees of correct AnyConnect
operation for customers with SHA-1 secure gateway or intermediate certificates or running old versions of AnyConnect.
Cisco highly recommends that customers stay up to date with the current maintenance release of AnyConnect in order to ensure that
they have all available fixes in place. The most up-to-date version of AnyConnect 4.x and beyond are available
they have all available fixes in place. The most up-to-date version of AnyConnect 4.x and beyond are available
for customers with active AnyConnect Plus, Apex, and VPN Only terms/contracts.
and should no longer be used for any deployments.
Cisco has validated that AnyConnect 4.3 and 4.4 (and beyond) releases will continue to operate correctly
as Microsoft further phases out SHA-1. Long term, Microsoft intends to distrust SHA-1 throughout Windws
in all contexts, but their current advisory does not provide any specifics or timing on this. Depending on
the exact date of that deprecation, many earlier versions of AnyConnect may no longer operate at any
time. Refer to
as Microsoft further phases out SHA-1. Long term, Microsoft intends to distrust SHA-1 throughout Windws
in all contexts, but their current advisory does not provide any specifics or timing on this. Depending on
the exact date of that deprecation, many earlier versions of AnyConnect may no longer operate at any
time. Refer to
for further information.
Note
Authentication Failure When Using a SHA512 Certificate for Authentication
(For Windows 7, 8, and 8.1 users) When the client uses a SHA512 certificate for authentication, authentication fails, even though
the client logs show that the certificate is being used. The ASA logs correctly show that no certificate was sent by AnyConnect. These
versions of Windows require that you enable support for SHA512 certificates in TLS 1.2, which is not supported by default. Refer
to
the client logs show that the certificate is being used. The ASA logs correctly show that no certificate was sent by AnyConnect. These
versions of Windows require that you enable support for SHA512 certificates in TLS 1.2, which is not supported by default. Refer
to
for information on enabling support for these SHA512 certificates.
No Longer Supporting RC4 TLS Cipher Suite
RC4 TLS cipher suites are not supported from AnyConnect release 4.2.01035 and onwards due to security policy enhancements.
16