Cisco Anyconnect 3.1 Download



As part of its ongoing cybersecurity strategy, The Division of Information Technology has implemented a mandatory two-factor authentication for the Enterprise Virtual Private Network (VPN)

What is two-factor authentication?

Dec 18, 2013 AnyConnect Client Release 3.0 or Release 3.1; Symptoms. In this example, the AnyConnect client is shown as it reconnects to the ASA. This syslog is seen on the ASA:%ASA-6-722036: Group User IP Transmitting large packet 1418 (threshold 1347). Problem Description. This article refers to the Cisco AnyConnect VPN.If you're looking for information on the Prisma Access VPN Beta that uses the GobalConnect app, see: istcontrib:Prisma Access VPN Beta Landing Page. Anyconnect Win 3.1.02026 Web Deploy K 9 by Cisco. Cisco AnyConnect Addeddate 2018-12-18 18:39:05 Identifier AnyconnectWin3.1.02026WebDeployK94.

To increase security measures on your account, two-factor authentication requires two steps to log in. The first step is using something you know (i.e., your password), and the second step is something you have (i.e., cell phone) to securely verify your identity.

What is required to use the VPN?
  • Enroll your phone for two-factor
  • Cisco AnyConnect client

AnyConnect

FIU implements the AnyConnect VPN client to allow FIU users to connect on and off campus to the FIU network through a Secure Socket Layer (SSL) protocol.

  • Supported Operating Systems
  • System Requirements
  • AnyConnect Clients
  • Installing the AnyConnect

Supported Operating Systems

Microsoft Windows

  • Windows 10 (32-bit and 64-bit)
  • Windows 8, 8.1 (32-bit and 64-bit)
  • Windows 7 (32-bit and 64-bit)

MAC OS X

  • Mac OS X 10.11, 10.12, 10.13, 10.14 x86 (32-bit) or x64 (64-bit)
  • Mac OS X versions 10.10 and lower are no longer supported

Linux

  • Linux
  • Red Hat Enterprise Linux 6.x and 7.x (64-bit)
  • Ubuntu 14.04 (LTS), 16.04 (LTS), and 18.04 (LTS) (64-bit only)

System Requirements

Microsoft Windows

  • Pentium class processor or greater.
  • 100 MB hard disk space.
  • Microsoft Installer, version 3.1.

MAC OS X

  • 50MB of hard disk space.
  • To operate correctly with Mac OS X, AnyConnect requires a minimum display resolution of 1024 by 640 pixels.

Linux

  • x86 instruction set.
  • 32-bit or 64-bit processor.
  • 32 MB RAM.
  • 20 MB hard disk space.
  • Superuser privileges are required for installation.
  • libstdc++ users must have libstdc++.so.6(GLIBCXX_3.4) or higher, but below version 4.

AnyConnect Clients

MAC OS X

  • Intel download 4.9.X

AnyConnect Secure Mobility Client for Android Devices

All Android AnyConnect packages are available for installation and upgrade from the Google Play Store

For additional information regarding supported Android devices, please visit Cisco's support documentation

AnyConnect Secure Mobility Client for Apple Devices

All Apple AnyConnect packages are available for installation and upgrade from the Apple App Store

For additional information regarding supported Apple devices, please visit Cisco's support documentation

TwoFactor

Enroll

In order to verify your identity, you will be required to enroll your phone (“something you have”) in FIU’s two-factor authentication system.

Please review these simple step-by-step instructions below to enroll your phone:

  • Visit login.fiu.edu/enroll
  • Log in using your FIU username and password
  • When prompted, enter the phone number of the device you would like to enroll in two-factor authentication (FIU numbers will not be accepted).
  • Specify what type of device corresponds to the enrolled number
  • When prompted, enter the code you received
  • You are now enrolled in two-factor authentication

TwoFactor with VPN

Launch your Cisco AnyConnect VPN client, you will be prompted for your FIU username, password, and a “second password”. In this second password field, you will specify your preferred verification method (“something you have”).

In the second password field, you will be required to type “push”, “phone”, or “sms”.

  • Push: uses the DUO Mobile app *
  • Phone: places an automated voice call *
  • SMS: sends unique verification codes via text messages **

(*Note: Your carrier’s data and message rates may apply)

(**Note: Your carrier’s data and message rates may apply, 10 codes are sent in one text message to use 10 different times.)

Signing into Any Connect VPN using Two-Factor

FAQs

What is SSL VPN?
SSL VPN is a client application used to connect to the VPN. This is an application, which gets installed on the computer. This client has support for 64bit systems. This is also known as the AnyConnect client.
Cisco anyconnect 3.1 downloadd
What is my username and password?
Use your My Accounts username and password to access the FIU VPN.Visit https://myaccounts.fiu.edu for additional information.
I need to access systems behind a firewall what vpn would be best to use?
AnyConnect client.
Can I use VPN on my iphone?
Yes. Please look above for supported devices.

Contents

Introduction

Cisco vpn anyconnect 3.1 mac downloadCisco

This document discusses the specific scenario where the AnyConnect client might reconnect to the Adaptive Security Appliance (ASA) in exactly one minute. The users might not be able to receive traffic over the Transport Layer Security (TLS) tunnel until AnyConnect reconnects. This is dependent upon a few other factors which are discussed in this document.

Affected Components

  • ASA Release 9.0 or Release 9.1
  • AnyConnect Client Release 3.0 or Release 3.1

Symptoms

In this example, the AnyConnect client is shown as it reconnects to the ASA.

This syslog is seen on the ASA:

Problem Description

These Diagnostics and Reporting Tool (DART) logs are seen with this issue:

Causes

The cause of this issue is the failure to build a Datagram Transport Layer Security (DTLS) tunnel. This could be because of two reasons:

  • DTLS is blocked somewhere in the path

  • Omni sweeper mac. Use of a non-default DTLS port

DTLS is Blocked Somewhere in the Path

As of ASA Release 9.x and AnyConnect Release 3.x, an optimization has been introduced in the form of distinct Maximum Transition Units (MTUs) that are negotiated for TLS/DTLS between the client/ASA. Previously, the client derived a rough estimate MTU which covered both TLS/DTLS and was obviously less than optimal. Now, the ASA computes the encapsulation overhead for both TLS/DTLS and derives the MTU values accordingly.


As long as DTLS is enabled, the client applies the DTLS MTU (in this case 1418) on the VPN adapter (which is enabled before the DTLS tunnel is established and is needed for routes/filters enforcement), to ensure optimum performance. If the DTLS tunnel cannot be established or it is dropped at some point, the client fails over to TLS and adjusts the MTU on the virtual adapter (VA) to the TLS MTU value (this requires a session level reconnect).

Resolution

In order to eliminate this visible transition of DTLS > TLS, the administrator can configure a separate tunnel group for TLS only access for users that have trouble with the establishment of the DTLS tunnel (such as due to firewall restrictions).

  1. The best option is to set the AnyConnect MTU value to be lower than the TLS MTU, which is then negotiated.

    This makes TLS and DTLS MTU values equal. Reconnections are not seen in this case.

  2. The second option is to allow fragmentation.

    With fragmentation, large packets (whose size exceeds the MTU value) can be fragmented and sent through the TLS tunnel.

  3. The third option is to set the Maximum Segment Size (MSS) to 1460 as follows:

    In this case, the TLS MTU will be 1427 (RC4/SHA1) which is larger than the DTLS MTU 1418 (AES/SHA1/LZS). This should resolve the issue with TCP from the ASA to the AnyConnect client (thanks to MSS), but large UDP traffic from the ASA to the AnyConnect client might suffer from this as it will be dropped by the AnyConnect client due to the lower AnyConnect client MTU 1418. If sysopt conn tcpmss is modified, it might affect other features such as LAN-to-LAN (L2L) IPSec VPN tunnels.

Use of a Non-default DTLS Port

Another potential cause for the DTLS failure is enabling DTLS on a non-default port after the WebVPN is enabled (for example, when the webvpn enable outside command is entered). This is due to Cisco bug ID CSCuh61321 and has been seen in Release 9.x where the ASA pushes the non-default port to the client, but continues to listen to the default port. Consequently, the DTLS is not built and AnyConnect reconnects.

After the TLS tunnel is established, the client attempts to establish the DTLS tunnel to port 444 as expected :

The order of the commands that lead to the problem and the accelerated security path (ASP) table sockets opened is:

  1. Start with the WebVPN sockets not enabled.

  2. Change TLS port to 444 and enable WebVPN.

  3. Change the DTLS port to 444.

Note: The DTLS socket port is still 443. At this point the AnyConnect clients establish DTLS to 444 though!

Resolution

The workaround for this problem is to follow the order of : Download gta 5 compressed setup for pc.

  1. Disable the WebVPN.

  2. Enter the DTLS port.

  3. Enable the WebVPN.

This behaviour does not exist in Release 8.4.x versions, where the DTLS sockets get updated with the configured ports immediately after the configuration is entered:

ASA Release 8.4.6 :

3.1

Reconnect Workflow

Suppose that these ciphers are configured:

This sequence of events takes place in this case: Teamviewer 8.

  • AnyConnect establishes a parent tunnel and a TLS data tunnel with RC4-SHA as the SSL encryption.
  • DTLS is blocked in the path and a DTLS tunnel cannot be established.
  • ASA announces parameters to AnyConnect, which includes TLS and DTLS MTU values, which are two separate values.
  • DTLS MTU is 1418 by default.
  • TLS MTU is calculated from the sysopt conn tcpmss value (default is 1380). This is how the TLS MTU is derived (as seen from the debug webvpn anyconnect output):
  • AnyConnect brings the VPN adapter up and assigns DTLS MTU to it in anticipation that it will be able to connect via DTLS.
  • The AnyConnect client is now connected and the user goes to a particular website.
  • The browser sends TCP SYN and sets MSS = 1418-40 = 1378 in it.
  • The HTTP-server on the inside of the ASA sends packets of size 1418.
  • The ASA cannot put them into the tunnel and cannot fragment them as they have Don't Fragment (DF) bit set.
  • ASA printsand drops packets with mp-svc-no-fragment-ASP drop reason.
  • At the same time the ASA sends ICMP Destination Unreachable, Fragmentation Needed to the sender:
  • If Internet Control Message Protocol (ICMP) is allowed, then the sender retransmits dropped packets and everything starts to work. If ICMP is blocked, then traffic is blackholed on the ASA.
  • After several retransmits it understands that the DTLS tunnel cannot be established and it needs to reassign a new MTU value to the VPN adapter.
  • The purpose of this reconnect is to assign a new MTU.

For more information on reconnect behavior and timers, see AnyConnect FAQ: Tunnels, Reconnect Behavior, and the Inactivity Timer

Caveats

Cisco bug ID CSCuh61321 AC 3.1:ASA incorrectly handles alternate DTLS port,causes reconnect

Cisco Anyconnect 3.1 Download

Related Information