64-40
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64 General VPN Setup
Configuring AnyConnect (SSL) VPN Client Connections
When the client negotiates an SSL VPN connection with the adaptive security appliance, it connects
using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS).
DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the
performance of real-time applications that are sensitive to packet delays.
The AnyConnect client can be downloaded from the adaptive security appliance, or it can be installed
manually on the remote PC by the system administrator. For more information about installing the client
manually, see the Cisco AnyConnect VPN Client Release Notes.
The adaptive security appliance downloads the client based on the group policy or username attributes
of the user establishing the connection. You can configure the adaptive security appliance to
automatically download the client, or you can configure it to prompt the remote user about whether to
download the client. In the latter case, if the user does not respond, you can configure the adaptive
security appliance to either download the client after a timeout period or present the login page.
Fields
• Keep Installer on Client System—Enable to allow permanent client installation on the remote
computer. Enabling disables the automatic uninstalling feature of the client. The client remains
installed on the remote computer for subsequent connections, reducing the connection time for the
remote user.
• Compression—Compression increases the communications performance between the security
appliance and the client by reducing the size of the packets being transferred.
• Datagram TLS—Datagram Transport Layer Security avoids latency and bandwidth problems
associated with some SSL connections and improves the performance of real-time applications that
are sensitive to packet delays.
• Ignore Don’t Defrag (DF) Bit—This is the IP Don’t Fragment bit. By default, the adaptive security
appliance discards SSL-encapsulated packets that exceed the SSL MTU. IPsec does not negotiate an MTU
with the SSL tunnel, so by default an SSL session cannot carry IPsec packets that exceed the SSL MTU.
If you want to support IPsec within an SSL session, enable this parameter to prevent the adaptive
security appliance from discarding packets that exceed the SSL MTU. You must also enable the Ignore
Routing and Filtering Rules parameter; enabling only one of the two does not allow the IPsec traffic
through. An example use case is to let users establish an SSL VPN session with the adaptive security
appliance and use that session to establish an IPsec VPN session with another enterprise. Without the
initial SSL VPN session, network policies might prevent the establishment of the IPsec session from
the endpoint.
• Ignore Routing and Filtering Rules—By default, the group policy pushed to the SSL client permits
client enforcement of routing and filtering rules configured on the endpoint. These rules can prevent
the transmission of SSL-encapsulated packets containing IPsec-encapsulated packets. For example,
the client may have a rule that prevents the exchange of SSL-encapsulated packets that exceed the
MTU size. If you want to support IPsec within an SSL session, enable this parameter to prevent the
client from discarding packets that exceed the SSL MTU. You must also enable the Ignore Don’t
Defrag (DF) Bit parameter.
• Keepalive Messages—Enter a number, from 15 to 600 seconds, in the Interval field to enable and
adjust the interval of keepalive messages. Keepalives ensure that a connection through a proxy,
firewall, or NAT device remains open even if that device limits the time the connection can be idle.
Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote
user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft
Internet Explorer.
• MTU—Adjusts the MTU size for SSL connections. Enter a value from 256 to 1410 bytes. By default,
the MTU size is adjusted automatically based on the MTU of the interface that the connection uses,
minus the IP/UDP/DTLS overhead.
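The fields above map to per-group-policy settings in the running configuration, which makes them easy to audit across many group policies without clicking through ASDM. The following script is an added example, not Cisco tooling or text from this guide: it parses the `webvpn` block of each `group-policy ... attributes` stanza and checks the constraints the field descriptions state (keepalive 15-600 seconds, MTU 256-1410 bytes, DF-bit-ignore and routing-filtering-ignore enabled together), and it flags DTLS being off and IPsec-over-SSL passthrough being on as items to review. The keyword spellings it recognises (`svc ...` on ASA 8.2, `anyconnect ...` on later releases) are assumptions made here, and the sample configuration is constructed; it mixes both keyword forms only so that the parser is exercised on each.

```python
"""Audit AnyConnect SSL VPN group-policy settings in an ASA running-config.

Added example; the keyword forms below are assumptions, not taken from the guide:
  ASA 8.2 style:  "svc dtls enable", "svc keepalive 20", "svc mtu 1300", ...
  ASA 8.4+ style: "anyconnect ssl dtls enable", "anyconnect mtu 1300", ...
"""
import re
from dataclasses import dataclass, field

# Constructed sample; not a real device configuration. Both keyword forms
# appear on purpose so the parser is exercised on each.
SAMPLE_CONFIG = """\
group-policy GP_OK internal
group-policy GP_OK attributes
 vpn-tunnel-protocol svc
 webvpn
  svc keep-installer installed
  svc compression deflate
  svc dtls enable
  svc keepalive 20
  svc mtu 1300
group-policy GP_BAD internal
group-policy GP_BAD attributes
 webvpn
  anyconnect ssl keepalive 5
  anyconnect mtu 1500
  anyconnect ssl df-bit-ignore enable
"""

# Ranges stated in the field descriptions of this section.
KEEPALIVE_RANGE = (15, 600)
MTU_RANGE = (256, 1410)

_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
_SETTING_RE = re.compile(r"^(?:svc|anyconnect)\s+(?:ssl\s+)?(\S+)\s*(.*)$")


@dataclass
class GroupPolicy:
    name: str
    settings: dict = field(default_factory=dict)  # e.g. {"dtls": "enable"}


def parse_group_policies(config_text: str) -> dict:
    """Return {policy_name: GroupPolicy} with the webvpn client settings of each."""
    policies = {}
    current = None
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = _ATTR_RE.match(line)
        if m:
            current = GroupPolicy(m.group(1))
            policies[current.name] = current
            in_webvpn = False
            continue
        if current is None:
            continue
        if not line.startswith(" "):          # left the attributes stanza
            current = None
            continue
        stripped = line.strip()
        if stripped == "webvpn":               # one-space indented sub-mode
            in_webvpn = True
            continue
        if in_webvpn and line.startswith("  "):  # two-space indented setting
            m = _SETTING_RE.match(stripped)
            if m:
                current.settings[m.group(1)] = m.group(2).strip()
        elif not line.startswith("  "):        # another one-space sub-mode
            in_webvpn = False
    return policies


def _in_range(value: str, lo: int, hi: int) -> bool:
    return value.isdigit() and lo <= int(value) <= hi


def audit(policy: GroupPolicy) -> list:
    """Return human-readable findings for one group policy (empty = clean)."""
    s = policy.settings
    findings = []
    if s.get("dtls") != "enable":
        findings.append("DTLS not enabled: latency-sensitive traffic rides TLS over TCP only")
    ka = s.get("keepalive")
    if ka is not None and ka != "none" and not _in_range(ka, *KEEPALIVE_RANGE):
        findings.append(f"keepalive {ka!r} outside {KEEPALIVE_RANGE[0]}-{KEEPALIVE_RANGE[1]} seconds")
    mtu = s.get("mtu")
    if mtu is not None and not _in_range(mtu, *MTU_RANGE):
        findings.append(f"mtu {mtu!r} outside {MTU_RANGE[0]}-{MTU_RANGE[1]} bytes")
    df = s.get("df-bit-ignore") == "enable"
    rf = s.get("routing-filtering-ignore") == "enable"
    if df != rf:
        findings.append("df-bit-ignore and routing-filtering-ignore must be enabled together for IPsec over SSL")
    elif df:
        findings.append("IPsec-over-SSL passthrough enabled: endpoint routing/filtering rules are bypassed, review")
    return findings


def audit_config(config_text: str) -> dict:
    """Map every group policy name to its list of findings."""
    return {name: audit(gp) for name, gp in parse_group_policies(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Feed it the output of `show running-config group-policy` from a real appliance; a policy that sets `df-bit-ignore` without `routing-filtering-ignore` (or vice versa) is reported as a misconfiguration, and one that sets both is reported so that someone confirms the endpoint-rule bypass is intended.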
