Home » Cisco Manuals » Networking » Cisco 5505 » Manual Viewer

Cisco 5505 Administration Guide - Page 65

svc rekey, method {new-tunnel | none | ssl, method new-tunnel, method none, method ssl - asa 10 user security appliance

UPC - 882658082252

Add to My Manuals
Save this manual to your list of manuals

Page 65 highlights

Chapter 6 Configuring AnyConnect Features Using CLI Configuring, Enabling, and Using Other AnyConnect Features [no] svc rekey {method {new-tunnel | none | ssl} | time minutes} method new-tunnel specifies that the client establishes a new tunnel during rekey. method none disables rekey. method ssl specifies that SSL renegotiation takes place during rekey. time minutes specifies the number of minutes from the start of the session or from the last rekey until the next rekey takes place, from 1 to 10080 (1 week). In the following example, the client is configured to renegotiate with SSL during rekey, which takes place 30 minutes after the session begins, for the existing group-policy sales: hostname(config)# group-policy sales attributes hostname(config-group-policy)# webvpn hostname(config-group-policy)# svc rekey method ssl hostname(config-group-policy)# svc rekey time 30 Note The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore, treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type (CSC93610). Enabling and Adjusting Dead Peer Detection Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect a condition where the peer is not responding, and the connection has failed. Note When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be enabled in the group policy on the ASA to allow the AnyConnect client to fall back to TLS, if necessary. Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the DPD mechanism is necessary for fallback to occur. To enable DPD on the security appliance or client for a specific group or user, and to set the frequency with which either the security appliance or client performs DPD, use the svc dpd-interval command from group-policy or username webvpn mode: svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]} Where: gateway seconds enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD. gateway none disables DPD performed by the security appliance. client seconds enable DPD performed by the client, and specifies the frequency, from 30 to 3600 seconds, with which the client performs DPD. client none disables DPD performed by the client. To remove the svc dpd-interval command from the configuration, use the no form of the command: The following example sets the frequency of DPD performed by the security appliance to 30 seconds, and the frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales: hostname(config)# group-policy sales attributes OL-12950-012 Cisco AnyConnect VPN Client Administrator Guide 6-7

Section	Page
About This Guide 7	3
chapter 1	3
Introduction 1	3
chapter 2	3
Common AnyConnect VPN Client Installation and Configuration Procedures 1	3
chapter 3	4
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM 1	4
chapter 4	4
Installing the AnyConnect Client on a Security Appliance Using CLI 1	4
chapter 5	4
Configuring AnyConnect Features Using ASDM 1	4
chapter 6	4
Configuring AnyConnect Features Using CLI 1	4
chapter 7	5
Configuring and Using AnyConnect Client Operating Modes and User Profiles 1	5
chapter 8	5
Customizing and Localizing the AnyConnect Client 1	5
chapter 9	5
Monitoring and Maintaining the AnyConnect Client 1	5
appendix A	5
Sample AnyConnect Profile and XML Schema 1	5
appendix B	6
Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users 1	6
Index	6
About This Guide	7
Document Objectives	7
Audience	7
Related Documentation	8
Document Organization	8
Document Conventions	9
Obtaining Documentation, Obtaining Support, and Security Guidelines	10
Licensing	10
Introduction	11
AnyConnect Client Features	11
Remote User Interface	12
Getting and Installing the Files You Need	17
CSA Interoperability with the AnyConnect Client and Cisco Secure Desktop	17
Common AnyConnect VPN Client Installation and Configuration Procedures	19
Installing the AnyConnect Client	19
Before You Install the AnyConnect Client	20
Ensuring Automatic Installation of AnyConnect Clients	20
AnyConnect Client and New Windows Installations	21
Adding a Security Appliance to the List of Trusted Sites (Internet Explorer)	21
Adding a Security Certificate in Response to Browser Security Alert Windows	22
Replacing a Digital Certificate with a Trusted Certificate	25
Installing the AnyConnect Client on a User’s PC	26
Where to Find the AnyConnect Client Files to Install	26
Installing the AnyConnect Client Using the Microsoft Windows Installer on a PC Running Windows	26
Installing the AnyConnect Client on a PC Running Linux	27
Installing the AnyConnect Client on a PC Running MAC OSX	27
Installing the AnyConnect Client and Configuring the Security Appliance with ASDM	29
Installing the AnyConnect Client on a Security Appliance Using CLI	39
Enabling AnyConnect Client SSL VPN Connections Using CLI	40
Disabling Permanent Client Installation	42
Configuring AnyConnect Features Using ASDM	43
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections	43
Configuring DTLS	44
Prompting Remote Users	46
Enabling IPv6 VPN Access	47
Enabling Modules for Additional AnyConnect Features	47
Configuring, Enabling, and Using Other AnyConnect Features	48
Configuring Certificate-only Authentication	48
Using Compression	51
Changing Compression Globally	52
Changing Compression for Groups and Users	52
Enabling AnyConnect Keepalives	53
Enabling AnyConnect Rekey	54
Enabling and Adjusting Dead Peer Detection	56
Configuring the Dynamic Access Policies Feature of the Security Appliance	57
Cisco Secure Desktop Support	57
Configuring AnyConnect Features Using CLI	59
Enabling Datagram Transport Layer Security (DTLS) with AnyConnect (SSL) Connections	59
Enabling DTLS Globally for a Specific Port	60
Enabling DTLS for Specific Groups or Users	60
Prompting Remote Users	60
Enabling IPv6 VPN Access	61
Enabling Modules for Additional AnyConnect Features	62
Configuring, Enabling, and Using Other AnyConnect Features	63
Configuring Certificate-only Authentication	63
Using Compression	63
Configuring the Dynamic Access Policies Feature of the Security Appliance	64
Cisco Secure Desktop Support	64
Enabling AnyConnect Rekey	64
Enabling and Adjusting Dead Peer Detection	65
Enabling AnyConnect Keepalives	66
Configuring and Using AnyConnect Client Operating Modes and User Profiles	67
AnyConnect Client Operating Modes	67
Using the AnyConnect CLI Commands to Connect (Standalone Mode)	67
Connecting Using WebLaunch	69
User Log In and Log Out	70
Logging In	70
Logging Out	70
Configuring and Using User Profiles	70
Enabling AnyConnect Client Profile Downloads	71
Configuring Profile Attributes	76
Enabling Start Before Logon (SBL) for the AnyConnect Client	77
XML Settings for Enabling SBL	77
CLI Settings for Enabling SBL	77
Configuring the ServerList Attribute	78
Configuring the Certificate Match Attribute	78
Certificate Key Usage Matching	78
Extended Certificate Key Usage Matching	79
Certificate Distinguished Name Mapping	79
Certificate Matching Example	81
Customizing and Localizing the AnyConnect Client	83
Customizing the End-user Experience	83
Language Translation (Localization) for User Messages	85
Understanding Language Translation	85
Configuring Language Localization Using ASDM	86
Creating or Modifying a Translation Table Using ASDM	88
Import/Export Language Localization	89
Creating or Modifying a Translation Table Using CLI	90
Monitoring and Maintaining the AnyConnect Client	95
Viewing AnyConnect Client and SSL VPN Sessions	95
Adjusting MTU Size Using ASDM	96
Adjusting MTU Size Using CLI	96
Logging Off AnyConnect Client Sessions	97
Updating AnyConnect Client and SSL VPN Client Images	98
Sample AnyConnect Profile and XML Schema	99
Sample AnyConnect Profile	99
Sample AnyConnect Profile Schema	101
Using Microsoft Active Directory to Add the Security Appliance to the List of Internet Explorer Trusted Sites for Domain Users	113
Index	115
A	115
C	115
D	115
E	115
F	115
G	116
I	116
K	116
L	116
M	116
N	116
O	116
P	117
R	117
S	117
T	117
U	117
V	118
W	118

Match case Limit results 1 per page

6-7

Cisco AnyConnect VPN Client Administrator Guide

OL-12950-012

Chapter 6

Configuring AnyConnect Features Using CLI

Configuring, Enabling, and Using Other AnyConnect Features

[

]

svc rekey

{

method {new-tunnel | none | ssl

}

| time

minutes

}

method new-tunnel

specifies that the client establishes a new tunnel during rekey.

method none

disables rekey.

method ssl

specifies that SSL renegotiation takes place during rekey.

time

minutes

specifies the number of minutes from the start of the session or from the last rekey until

the next rekey takes place, from 1 to 10080 (1 week).

In the following example, the client is configured to renegotiate with SSL during rekey, which takes

place 30 minutes after the session begins, for the existing group-policy

sales

hostname(config)#

group-policy sales attributes

hostname(config-group-policy)#

webvpn

hostname(config-group-policy)#

svc rekey method ssl

hostname(config-group-policy)#

svc rekey time 30

Note

The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore,

treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type

(CSC93610).

Enabling and Adjusting Dead Peer Detection

Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect

a condition where the peer is not responding, and the connection has failed.

Note

When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be

enabled in the group policy on the ASA to allow the AnyConnect client to fall back to TLS, if necessary.

Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the

DPD mechanism is necessary for fallback to occur.

To enable DPD on the security appliance or client for a specific group or user, and to set the frequency

with which either the security appliance or client performs DPD, use the

svc dpd-interval

command

from group-policy or username webvpn mode:

svc dpd-interval

{[

gateway

{

seconds |

none

}]

[

client

{

seconds |

none

}]}

no svc dpd-interval

{[

gateway

{

seconds |

none

}]

[

client

{

seconds |

none

}]}

Where:

gateway

seconds enables DPD performed by the security appliance (gateway) and specifies the

frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD.

gateway none

disables DPD performed by the security appliance.

client

seconds

enable DPD performed by the client, and specifies the frequency, from 30 to 3600

seconds, with which the client performs DPD.

client

none

disables DPD performed by the client.

To remove the

svc dpd-interval

command from the configuration, use the

form of the command:

The following example sets the frequency of DPD performed by the security appliance to 30 seconds,

and the frequency of DPD performed by the client set to 10 seconds for the existing group-policy

sales

hostname(config)#

group-policy sales attributes