Cisco Cisco AnyConnect Secure Mobility Client v4.x
AnyConnect Support Policy
Cisco only provides fixes and enhancements based on the most recent 4.x release. TAC support is available
to any customer with an active AnyConnect 4.x term/contract running a released version of AnyConnect 4.x.
If you experience a problem with an out-of-date software version, you may be asked to validate whether the
current maintenance release resolves your issue.
to any customer with an active AnyConnect 4.x term/contract running a released version of AnyConnect 4.x.
If you experience a problem with an out-of-date software version, you may be asked to validate whether the
current maintenance release resolves your issue.
Software Center access is limited to AnyConnect 4.x versions with current fixes. We recommend that you
download all images for your deployment, as we cannot guarantee that the version you are looking to deploy
will still be available for download at a future date.
download all images for your deployment, as we cannot guarantee that the version you are looking to deploy
will still be available for download at a future date.
Guidelines and Limitations
New Split Include Tunnel Behavior (CSCum90946)
Formerly, if a split-include network was a Supernet of a Local Subnet, the local subnet traffic was not tunneled
unless a split-include network that exactly matches the Local Subnet was configured. With the resolution of
CSCum90946, when a split-include network is a Supernet of a Local Subnet, the Local Subnet traffic is
tunneled, unless a split-include (deny 0.0.0.0/32 or ::/128) is also configured in the access-list (ACE/ACL).
unless a split-include network that exactly matches the Local Subnet was configured. With the resolution of
CSCum90946, when a split-include network is a Supernet of a Local Subnet, the Local Subnet traffic is
tunneled, unless a split-include (deny 0.0.0.0/32 or ::/128) is also configured in the access-list (ACE/ACL).
The new behavior requires the following configurations when a Supernet is configured in the split-include
and the desired behavior is to allow LocalLan access:
and the desired behavior is to allow LocalLan access:
• access-list (ACE/ACL) must include both a permit action for the Supernet and a deny action for 0.0.0.0/32
or ::/128.
• Enable Local LAN Access in the AnyConnect profile (in the Preferences Part 1 menu of the profile
editor. (You also have the option to make it user controllable.)
Microsoft Phasing out SHA-1 Support
A secure gateway with a SHA-1 certificate or a certificate with SHA-1 intermediate certificates may no longer
be considered valid by a Windows Internet Explorer 11 / Edge browser or a Windows AnyConnect endpoint
until February 14, 2017. After February 14, 2017, Windows endpoints may no longer consider a secure gateway
with a SHA-1 certificate or intermediate certificate as trusted. We highly recommend that your secure gateway
does not have a SHA-1 identity certificate and that any intermediate certificates are not SHA-1.
be considered valid by a Windows Internet Explorer 11 / Edge browser or a Windows AnyConnect endpoint
until February 14, 2017. After February 14, 2017, Windows endpoints may no longer consider a secure gateway
with a SHA-1 certificate or intermediate certificate as trusted. We highly recommend that your secure gateway
does not have a SHA-1 identity certificate and that any intermediate certificates are not SHA-1.
Microsoft has made modifications to their original plan of record and timing. They have published details for
how to
how to
. Cisco is not able to
make any guarantees of correct AnyConnect operation for customers with SHA-1 secure gateway or intermediate
certificates or running old versions of AnyConnect.
certificates or running old versions of AnyConnect.
Cisco highly recommends that customers stay up to date with the current maintenance release of AnyConnect
in order to ensure that they have all available fixes in place. The most up-to-date version of AnyConnect 4.x
and beyond are available
in order to ensure that they have all available fixes in place. The most up-to-date version of AnyConnect 4.x
and beyond are available
for customers with active AnyConnect Plus, Apex, and
VPN Only terms/contracts.
and should no longer
be used for any deployments.
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.3
15
Release Notes for AnyConnect Secure Mobility Client, Release 4.3
AnyConnect Support Policy