Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
We do not support running AnyConnect in virtual environments; however, we expect AnyConnect to function
properly in the VMWare environments we test in.
properly in the VMWare environments we test in.
If you encounter any issues with AnyConnect in your virtual environment, report them. We will make our
best effort to resolve them.
best effort to resolve them.
UTF-8 Character Support for AnyConnect Passwords
AnyConnect 3.0 or later used with ASA 8.4(1) or later supports UTF-8 characters in passwords sent using
RADIUS/MSCHAP and LDAP protocols.
RADIUS/MSCHAP and LDAP protocols.
Disabling Auto Update May Prevent Connectivity Due to a Version Conflict
When Auto Update is disabled for a client running AnyConnect, the ASA must have the same version of
AnyConnect or earlier installed, or the client will fail to connect to the VPN.
AnyConnect or earlier installed, or the client will fail to connect to the VPN.
To avoid this problem, configure the same version or earlier AnyConnect package on the ASA, or upgrade
the client to the new version by enabling Auto Update.
the client to the new version by enabling Auto Update.
Interoperability between Network Access Manager and other Connection Managers
When the Network Access Manager operates, it takes exclusive control over the network adapters and blocks
attempts by other software connection managers (including the Windows native connection manager) to
establish connections. Therefore, if you want AnyConnect users to use other connection managers on their
endpoint computers (such as iPassConnect Mobility Manager), they must disable Network Access Manager
either through the Disable Client option in the Network Access Manager GUI, or by stopping the Network
Access Manager service.
attempts by other software connection managers (including the Windows native connection manager) to
establish connections. Therefore, if you want AnyConnect users to use other connection managers on their
endpoint computers (such as iPassConnect Mobility Manager), they must disable Network Access Manager
either through the Disable Client option in the Network Access Manager GUI, or by stopping the Network
Access Manager service.
Network Interface Card Drivers Incompatible with Network Access Manager
The Intel wireless network interface card driver, version 12.4.4.5, is incompatible with Network Access
Manager. If this driver is installed on the same endpoint as the Network Access Manager, it can cause
inconsistent network connectivity and an abrupt shutdown of the Windows operating system.
Manager. If this driver is installed on the same endpoint as the Network Access Manager, it can cause
inconsistent network connectivity and an abrupt shutdown of the Windows operating system.
Avoiding SHA 2 Certificate Validation Failure (CSCtn59317)
The AnyConnect client relies on the Windows Cryptographic Service Provider (CSP) of the certificate for
hashing and signing of data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection.
If the CSP does not support SHA 2 algorithms, and the ASA is configured for the pseudo-random function
(PRF) SHA256, SHA384, or SHA512, and the connection profile (tunnel-group) is configured for certificate
or certificate and AAA authentication, certificate authentication fails. The user receives the message Certificate
Validation Failure.
hashing and signing of data required during the IKEv2 authentication phase of the IPsec/IKEv2 VPN connection.
If the CSP does not support SHA 2 algorithms, and the ASA is configured for the pseudo-random function
(PRF) SHA256, SHA384, or SHA512, and the connection profile (tunnel-group) is configured for certificate
or certificate and AAA authentication, certificate authentication fails. The user receives the message Certificate
Validation Failure.
This failure occurs for Windows only, for certificates that belong to CSPs that do not support SHA 2-type
algorithms. Other supported OSs do not experience this problem.
algorithms. Other supported OSs do not experience this problem.
To avoid this problem you can configure the PRF in the IKEv2 policy on the ASA to md5 or sha (SHA 1).
Alternatively, you can modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced
RSA and AES Cryptographic Provider. Do not apply this workaround to SmartCards certificates. You cannot
change the CSP names. Instead, contact the SmartCard provider for an updated CSP that supports SHA 2
algorithms.
Alternatively, you can modify the certificate CSP value to native CSPs that work such as Microsoft Enhanced
RSA and AES Cryptographic Provider. Do not apply this workaround to SmartCards certificates. You cannot
change the CSP names. Instead, contact the SmartCard provider for an updated CSP that supports SHA 2
algorithms.
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.3
21
Release Notes for AnyConnect Secure Mobility Client, Release 4.3
UTF-8 Character Support for AnyConnect Passwords