Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
Non-root Certificate
Template:
Cert Hash(sha1): 86 27 37 1b e6 77 5f aa 8e ad e6 20 a3 14 73 b4 ee 7f 89 26
Template:
Cert Hash(sha1): 86 27 37 1b e6 77 5f aa 8e ad e6 20 a3 14 73 b4 ee 7f 89 26
Key Container = {F62E9BE8-B32F-4700-9199-67CCC86455FB}
Unique container name: 46ab1403b52c6305cb226edd5276360f_c50140b9-ffef-4600-ada
Unique container name: 46ab1403b52c6305cb226edd5276360f_c50140b9-ffef-4600-ada
6-d09eb97a30f1
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
Signature test passed
3
Identify the <CN> attribute in the certificate. In the example, the CN is Carol Smith. You need this information for the next step.
4
Modify the certificate CSP using the following command. The example below uses the subject <CN> value to select the certificate
to modify. You can also use other attributes.
to modify. You can also use other attributes.
On Windows 7 or later, use this command: certutil -csp "Microsoft Enhanced RSA and AES Cryptographic Provider" -f -repairstore
-user My <CN> carol smith
-user My <CN> carol smith
5
Repeat step 2 and verify the new CSP value appears for the certificate.
Configuring Antivirus Applications for Host Scan
Antivirus applications can misinterpret the behavior of some of the applications included in the posture module and the Host Scan
package as malicious. Before installing the posture module or Host Scan package, configure your antivirus software to “white-list”
or make security exceptions for these Host Scan applications:
package as malicious. Before installing the posture module or Host Scan package, configure your antivirus software to “white-list”
or make security exceptions for these Host Scan applications:
• cscan.exe
• ciscod.exe
• cstub.exe
Microsoft Internet Explorer Proxy Not Supported by IKEv2
IKEv2 does not support the public-side Microsoft Internet Explorer proxy. If you need support for that feature, use SSL. Private-side
proxies are supported by both IKEv2 and SSL as dictated by the configuration sent from the secure gateway. IKEv2 applies the proxy
configuration sent from the gateway, and subsequent HTTP traffic is subject to that proxy configuration.
proxies are supported by both IKEv2 and SSL as dictated by the configuration sent from the secure gateway. IKEv2 applies the proxy
configuration sent from the gateway, and subsequent HTTP traffic is subject to that proxy configuration.
MTU Adjustment on Group Policy May Be Required for IKEv2
AnyConnect sometimes receives and drops packet fragments with some routers, resulting in a failure of some web traffic to pass.
To avoid this, lower the value of the MTU. We recommend 1200. The following example shows how to do this using CLI:
hostname# config t
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200
To set the MTU using ASDM, go to Configuration > Network (Client) Access > Group Policies > Add or Edit > Advanced >
SSL VPN Client.
SSL VPN Client.
MTU Automatically Adjusted When Using DTLS
If Dead Peer Detection (DPD) is enabled for DTLS, the client automatically determines the path MTU. If you previously reduced
the MTU using the ASA, you should restore the setting to the default (1406). During tunnel establishment, the client auto-tunes the
MTU using special DPD packets. If you still have a problem, use the MTU configuration on the ASA to restrict the MTU as before.
the MTU using the ASA, you should restore the setting to the default (1406). During tunnel establishment, the client auto-tunes the
MTU using special DPD packets. If you still have a problem, use the MTU configuration on the ASA to restrict the MTU as before.
23