Cisco AnyConnect Secure Mobility Client v3.x Release Notes

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.0
Note
If you are upgrading from the legacy Cisco VPN client, you should restore the MTU on your 
physical adapters back to the default (1500). (With IPv6, the interface MTU must be at least 
1374.) Use the SetMTU utility that comes with the legacy Cisco VPN clients to restore the 
default value and reboot for the change to take effect. Some customers reduced their physical 
LAN and wireless adapter MTU settings to 1300 with legacy Cisco VPN clients, and this 
negatively impacts the tunneling performance of AnyConnect. 
Every release of AnyConnect includes a localization MST file that administrators can upload to the ASA 
whenever they upload AnyConnect packages with new software. If you are using our localization MST 
files, make sure to update them with the latest release from CCO whenever you upload a new 
AnyConnect package.
Note
Upgrading from AnyConnect 2.2 is not supported using the ASA or Weblaunch. You must uninstall 
AnyConnect 2.2 then install AnyConnect 3.1 either manually or using an SMS.
Java 7 Issues
Java 7 causes problems with Clientless SSL VPN (WebVPN). A description of the issues and 
workarounds is provided in the Troubleshooting TechNote, which is in Cisco documentation under 
Security > Cisco Hostscan. 
Important Security Considerations
Enable Strict Certificate Trust in the AnyConnect Local Policy
We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following 
reasons:
With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps 
prevent “man in the middle” attacks when users are connecting from untrusted networks such as 
those in coffee shops and airports. 
Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows 
end users to accept unverifiable certificates. If your end users were subjected to a man-in-the-middle 
attack, they may be prompted to accept a malicious certificate. To remove this decision from your 
end users, enable Strict Certificate Trust.
To configure Strict Certificate Trust, see Chapter 8, “Enabling FIPS and Additional Security in the 
Local Policy” of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0.
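The following audit check is an added example, not part of the Cisco release notes or Cisco tooling: it parses a local policy document and reports whether Strict Certificate Trust is enforced. The sample policies, the namespace URI, and the function names are constructed for illustration; treating a missing StrictCertificateTrust element as "client default applies" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (not taken from a real deployment). The namespace
# URI is a placeholder; the check below ignores namespaces on purpose.
SAMPLE_DEFAULT = """<AnyConnectLocalPolicy xmlns="urn:example:constructed">
  <FipsMode>false</FipsMode>
  <StrictCertificateTrust>false</StrictCertificateTrust>
</AnyConnectLocalPolicy>"""

SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    "<StrictCertificateTrust>false", "<StrictCertificateTrust>true")

SAMPLE_MISSING = """<AnyConnectLocalPolicy xmlns="urn:example:constructed">
  <FipsMode>false</FipsMode>
</AnyConnectLocalPolicy>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def audit_policy(xml_text):
    """Return (compliant, reason) for one local policy document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, f"unparseable policy: {exc}"
    values = [(el.text or "").strip().lower()
              for el in root.iter()
              if local_name(el.tag) == "StrictCertificateTrust"]
    if not values:
        # Assumption: with no setting present the client default applies,
        # which lets end users accept unverifiable certificates.
        return False, "StrictCertificateTrust not set (client default applies)"
    if len(values) > 1:
        return False, "StrictCertificateTrust appears more than once"
    if values[0] != "true":
        return False, f"StrictCertificateTrust is '{values[0]}'"
    return True, "StrictCertificateTrust enabled"


if __name__ == "__main__":
    samples = [("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
               ("missing", SAMPLE_MISSING), ("broken", "<AnyConnectLocalPolicy>")]
    for name, doc in samples:
        print(name, audit_policy(doc))
```

Run against the policy file collected from each endpoint, any result other than `(True, ...)` marks a machine where users can still be prompted to accept an unverifiable server certificate.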
Changes to Server Certificate Verification
The following behavioral changes are being made to server certificate verification: