Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
Microsoft Internet Explorer Proxy Not Supported by IKEv2
IKEv2 does not support the public-side Microsoft Internet Explorer proxy. If you need support for that feature,
use SSL. Private-side proxies are supported by both IKEv2 and SSL as dictated by the configuration sent
from the secure gateway. IKEv2 applies the proxy configuration sent from the gateway, and subsequent HTTP
traffic is subject to that proxy configuration.
use SSL. Private-side proxies are supported by both IKEv2 and SSL as dictated by the configuration sent
from the secure gateway. IKEv2 applies the proxy configuration sent from the gateway, and subsequent HTTP
traffic is subject to that proxy configuration.
MTU Adjustment on Group Policy May Be Required for IKEv2
AnyConnect sometimes receives and drops packet fragments with some routers, resulting in a failure of some
web traffic to pass.
web traffic to pass.
To avoid this, lower the value of the MTU. We recommend 1200. The following example shows how to do
this using CLI:
this using CLI:
hostname# config t
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect mtu 1200
To set the MTU using ASDM, go to Configuration > Network (Client) Access > Group Policies > Add or
Edit > Advanced > SSL VPN Client.
Edit > Advanced > SSL VPN Client.
MTU Automatically Adjusted When Using DTLS
If Dead Peer Detection (DPD) is enabled for DTLS, the client automatically determines the path MTU. If you
previously reduced the MTU using the ASA, you should restore the setting to the default (1406). During
tunnel establishment, the client auto-tunes the MTU using special DPD packets. If you still have a problem,
use the MTU configuration on the ASA to restrict the MTU as before.
previously reduced the MTU using the ASA, you should restore the setting to the default (1406). During
tunnel establishment, the client auto-tunes the MTU using special DPD packets. If you still have a problem,
use the MTU configuration on the ASA to restrict the MTU as before.
Network Access Manager and Group Policy
Windows Active Directory Wireless Group Policies manage the wireless settings and any wireless networks
that are deployed to PCs in a specific Active Directory Domain. When installing the Network Access Manager,
administrators must be aware that certain wireless Group Policy Objects (GPOs) can affect the behavior of
the Network Access Manager. Administrators should test the GPO policy settings with the Network Access
Manager before doing full GPO deployment. The following GPO conditions may prevent the Network Access
Manager from operating as expected :
that are deployed to PCs in a specific Active Directory Domain. When installing the Network Access Manager,
administrators must be aware that certain wireless Group Policy Objects (GPOs) can affect the behavior of
the Network Access Manager. Administrators should test the GPO policy settings with the Network Access
Manager before doing full GPO deployment. The following GPO conditions may prevent the Network Access
Manager from operating as expected :
• When using the Windows 7 or later,Only use Group Policy profiles for allowed networks option.
FreeRADIUS Configuration to Work With Network Access Manager
To use Network Access Manager, you may need to adjust the FreeRADIUS configuration. Any ECDH related
ciphers are disabled by default to prevent vulnerability. In /etc/raddb/eap.conf, change the cipher_list value.
ciphers are disabled by default to prevent vulnerability. In /etc/raddb/eap.conf, change the cipher_list value.
Full Authentication Required if Roaming between Access Points
A mobile endpoint running Windows 7 or later must do a full EAP authentication instead of leveraging the
quicker PMKID reassociation when the client roams between access points on the same network. Consequently,
quicker PMKID reassociation when the client roams between access points on the same network. Consequently,
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.3
23
Release Notes for AnyConnect Secure Mobility Client, Release 4.3
Microsoft Internet Explorer Proxy Not Supported by IKEv2