Release Notes for Cisco AnyConnect VPN Client, Release 2.4.0134

Release Notes for Cisco AnyConnect VPN Client, Release 2.4.0134 BETA
Revised: August 10, 2009
These release notes are for the beta release of 2.4. Cisco TAC does not provide support for beta releases.
Please provide feedback to
The scope of these release notes is limited to the introduction, requirements, and changes in this release.
Please go to the AnyConnect documentation for additional instructions.
Beta software should not be deployed in a production network. Cisco cannot be responsible for issues
caused as a result of using beta software.
The AnyConnect client provides remote users with secure VPN connections to the
Cisco ASA 5500 Series Adaptive Security Appliance using the Secure Socket Layer (SSL) protocol and
the Datagram TLS (DTLS) protocol.
The AnyConnect client provides remote end users running Microsoft Windows 7, Windows Vista,
Windows XP, Windows Mobile, Linux, and Macintosh OS X 10.5 with the benefits of a Cisco SSL VPN
client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN
connection. In addition, the AnyConnect client supports connecting to IPv6 resources over an IPv4
network tunnel.
You can install the client on the security appliance to automatically download to remote users when they
log in, or administrators or users can manually install it as an application on. You can configure the
security appliance to uninstall AnyConnect from the endpoint after the connection terminates, or it can
remain on the remote PC for future SSL VPN connections.
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2009 Cisco Systems, Inc. All rights reserved.
This document includes the following sections:
New Features
System Requirements
Caveats
Notices/Licensing
Related Documentation
New Features
AnyConnect 2.4 supports the following new features:
Trusted Network Detection
Simple Certificate Enrollment Protocol (SCEP)
You must have a FIPS license to enable FIPS. Along with the license, we provide the transforms,
binaries (non-win), and instructions to enable FIPS.
Launching of an optional, administrator-provided script when AnyConnect client connects, and of
a second script when it disconnects.
Logging improvements
Proxy Support Enhancement
Next Generation Filtering Framework
CSD Integration
Windows 7
Improved Reconnect and Disconnect
New Guidelines
The following guidelines are new for Release 2.4.
Changes to OSs Supported
AnyConnect 2.4 supports Microsoft Windows 7. AnyConnect 2.4 no longer supports Microsoft Windows
2000 and Mac OS X 10.4, although it may work with these OSs.
Customers running Mac OS X 10.4 must upgrade to 10.5 when upgrading to AnyConnect 2.4. We will
continue to support Mac OS X 10.4 users running pre-2.4 versions until we end-of-life those versions.
AnyConnect 2.4 now supports Red Hat Enterprise Linux 5 Desktop and Ubuntu 9.x. We do not qualify
other Linux distributions. We will consider requests regarding other Linux distributions for which you
experience issues, and provide fixes at our discretion.
Upgrading to Windows 7
If you upgrade from Windows XP or Vista to Windows 7, manually uninstall AnyConnect first. After
the upgrade, reinstall it manually or by establishing a web-based connection to a security appliance
configured to install it.
Flexibility in Sequence and Method Used to Install Start Before Logon and DART Components
Previously, in order to use the Start Before Logon components for Windows, the same installation
method was required for both the AnyConnect client and the Start Before Logon components. Both
needed to be pre-deployed or both needed to be web-deployed. AnyConnect Release 2.4 eliminates this
requirement. This allows the client to be deployed by one method and, perhaps at a later time, the Start
Before Logon components to be installed by the same or another method. The Start Before Logon
component still has the requirement that the AnyConnect client be installed first.
Another new behavior for AnyConnect Release 2.4 is that if SBL or DART is manually uninstalled from
an end-point that then connects, these components will be re-installed. This behavior will only occur if
the head-end configuration specifies that these components be installed and the preferences (set on the
end-point) permit upgrades. Previously these components would not be re-installed in this scenario
without uninstalling and re-installing the AnyConnect client.
System Requirements
If you are using Internet Explorer, use version 5.0, Service Pack 2 or later.
AnyConnect does not support virtualization software, such as VMWare for any platform, or Parallels
Desktop for Mac OS.
AnyConnect does not support sessions with a security appliance running on the same subnet as the
Microsoft Windows
If you are using Internet Explorer, use version 5.0, Service Pack 2 or later. For WebLaunch, use Internet
Explorer 6.0+ or Firefox 2.0+, and enable ActiveX or install Sun JRE 1.4+.
Windows Versions
Windows 7
Windows Vista—SP2 or Vista Service Pack 1 with KB952876.
Windows XP SP2 and SP3.
Windows Requirements
Pentium class processor or greater.
x64 or x86 processors.
5 MB hard disk space.
– 256 MB for Windows XP.
– 512 MB for Windows Vista.
– 512 MB for Windows 7.
Microsoft Installer, version 3.1.
The following sections show the Linux distributions and requirements.
Linux Distributions
Red Hat Enterprise Linux 5 Desktop
Ubuntu 9.x
We do not qualify other Linux distributions. We will consider requests regarding other Linux
distributions for which you experience issues, and provide fixes at our discretion.
Linux Requirements
x86 instruction set.
32-bit or biarch 64-bit processor—standalone mode only; web-based install/connect is not
32 MB RAM.
20 MB hard disk space.
Superuser privileges.
libstdc++ users must have libstdc++ version 3.3.2 ( or higher, but below version 4.
Firefox 2.0 or later with installed in /usr/local/lib, /usr/local/firefox/lib, or /usr/lib.
Firefox must be installed in /usr/lib or /usr/local, or there must be a symbolic link in /usr/lib or
/usr/local called firefox that points to the Firefox installation directory.
libcurl 7.10 or later.
openssl 0.9.7a or later.
java 1.5 or later. The default Java package on Fedora is an open-source GNU version, called Iced
Tea on Fedora 8. The only version that works for web installation is Sun Java. You must install Sun
Java and configure your browser to use that instead of the default package.
zlib or later.
gtk 2.0.0,
gdk 2.0.0,
libpango 1.0.
iptables 1.2.7a or later.
tun module supplied with kernel 2.4.21 or 2.6.
Mac OS
AnyConnect 2.4 supports Mac OS X Version 10.5. It requires 50 MB hard disk space.
Windows Mobile
Cisco designed AnyConnect 2.4 for compatibility with Windows Mobile 6.1, 6.0 and 5.0 Professional
and Classic for touch-screens only, but has specifically qualified only the devices listed in Table 1 to
ensure interoperability. While other devices might work, Cisco does not guarantee compatibility with
other devices. Table 1 lists the supported devices with their corresponding service providers and
supported operating system versions.
Table 1. Supported Windows Mobile Devices (Touch-screens Only)
ATT Tilt 3.57.502.2 WWE
Windows Mobile 6.1 Professional
Note: TouchFLO must be disabled.
Axim X51v with ROM: A03 (23092007
Windows Mobile 6.0 Classic
iPAQ 2790
Windows Mobile 5.0 PocketPC
Sprint Touch with ROM: 3.03.651.4
Windows Mobile 6.1 Professional
Note: TouchFLO must be disabled.
T-Mobile Wing 4.26.531.1 WWE
Windows Mobile 6.0 Professional
Palm Treo 700wx:
Windows Mobile 5.0+AKU2 PDA Phone
Windows Mobile 6.0 Professional
Sprint TREO 700WX-1.15-SPNT
Palm Treo 750:
AT&T TREO750-2.27-RWE
AT&T TREO 750-2.25-ATT
T-Mobile TREO750-2.27-RWE
Palm Treo 800:
Windows Mobile 6.1 Professional
Sprint Treo 800w-1.03-SPNT
Windows Mobile 6.1 Professional
Palm Treo Pro:
AT&T T850UNA-1.01-NAE
Sprint T850EWW-1.03-SPT
T-Mobile T850UNA-1.01-NAE
Verizon XV6800 with ROM: 1.00.00.H:
Verizon 2.09.605.8
Verizon 3.57.605.1
Windows Mobile 6.0 Professional and Windows
Mobile 6.0 Professional
Security Appliances and Software Supported
The Cisco AnyConnect VPN Client supports all Cisco Adaptive Security Appliance models. It does not
support PIX devices. See the Adaptive Security Appliance VPN Compatibility Reference: for a complete
list of compatibility requirements.
Table 2 shows the minimum Cisco ASA 5500 Adaptive Security Appliance software images that support
the AnyConnect client.
Table 2. Software Images that Support the AnyConnect Client, Release 2.4
Image Type
ASA Boot image: 8.0(3).1 or later
Adaptive Security Device Manager (ASDM): 6.1(3).1 or later
Cisco Secure Desktop: 3.2(2)1 or later
1. Cisco Secure Desktop, Release 3.2(1) is compatible, but it provides more limited
Installing the AnyConnect Client on a Windows Mobile Device
The security appliance does not support WebLaunch of AnyConnect on a mobile device; therefore,
mobile users must download and install AnyConnect Client for Windows Mobile. Just as you can do so
with corporate computers, you can pre-deploy AnyConnect on Windows Mobile devices issued to
Perform the following steps to download and install AnyConnect Client for Windows Mobile.
Step 1
Download any of the following files from the Cisco AnyConnect VPN Client Download Software site to
get the Windows Mobile Client:
File containing all client installation packages:
CAB package signed by Cisco for Windows Mobile devices:
ActiveSync MSI package for Windows Mobile platforms:
Step 2
Unzip the anyconnect-all-packages— file if you chose to download
that file.
Step 3
Transfer the file to a corporate server if you want to provide users with a link to the client.
Step 4
Make sure the Windows Mobile device meets the system requirements in the latest AnyConnect Release
Step 5
Use your preferred method to transfer the .cab or .msi file from your intranet server or local computer
to the mobile device. Some examples include:
Microsoft ActiveSync over radio
HTTP, FTP, SSH, or shared files over the LAN or radio
(USB) Cable
Media card transfer
Step 6
Use the mobile device to open the file you transferred, and proceed with the installation wizards.
Caveats describe unexpected behavior or defects in Cisco software releases. The following lists caveats
with Severities 2 and 3.
If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any
release. To reach Bug Navigator II on CCO, select Software & Support: Online Technical Support:
Software Bug Toolkit or navigate to
Open Caveats in Cisco AnyConnect VPN Client, Release 2.4 Beta
Table 3 lists the caveats that are unresolved in the Cisco AnyConnect VPN client, Release 2.4 Beta.
Table 3. Open Caveats in Cisco AnyConnect VPN Client, Release 2.4 Beta
Client-side proxy & AoN tunneling: must stop direct access to proxy.
IPv6 link local addresses are not tunneled through AnyConnect Client.
Standalone can connect to wrong ASA from within SecureDesktop.
Transcend: unable to clear session from GW after setting MSIE proxy V
Difficult to clear the VPN program after tunnel cleared from GW
Random client DPD disconnects with McAfee HIPS SW.
Auto-resume sometimes fails even though head-end not timed out.
AnyConnect user authentication fails in some scenarios.
Standalone client fails to connect if CSD and Authenticating proxy.
AnyConnect Linux with certs fails if browser master password defined.
GUI pops up certificate warning prompts on every connection attempt.
IPv6: Network error: windows has detected and IP address conflict.
Multiple local profiles for SG may result in using wrong settings.
AnyConnect: Need to reboot PC to get localization catalog to load.
Vista: Unable to process response from using standalone AnyConnect.
AC needs more certificate matching events.
Failed to initialize VPN API aborting message while launching AC.
AnyConnect only waits 12 seconds for auth response from headend.
AC should not re-use tg cookie if group-url w/ new tg is being used.
XP:DART application not installed while connecting AC in some scenarios.
VPN agent “caches” cert information.
XP IPV6: AnyConnect can't ping assigned IPV6 address.
RDP+SBL: Unable to retrieve logon information to verify compliance
Linux: user logoff does not disconnect VPN connection
SVC MSIE proxy option auto does not work
Split tunnel not working with Anyconnect and Windows Mobile
AnyConnect roam from EVDO car to 802.11 never reconnected
AnyConnect ignoring exclusion lists and using proxy server
Anyconnect: After cert validation error, get Connection failure unknown
Anyconnect fails to connect with special character password "<>"
AnyConnect failed authorization after certs, Connect button errors
Need to document some 3rd Party inter-operability issues
AnyConnect Mac: Installer leaves vpnclient.dmg in root directory
Voice mails thru an Anyconnect tunnel on a Mac OS is garbled
Global and user preferences files may get out of sync
Resolved Caveats
The following sections identify the caveats that Release 2.4 resolves.
Caveats Resolved in AnyConnect Release 2.4 Beta
Table 4 shows the caveats that AnyConnect VPN Client, Release 2.4 Beta resolves.
Table 4. Resolved Caveats by Cisco AnyConnect VPN Client, Release 2.4 Beta
AnyConnect incompatibility with Citrix advanced gateway client 2.2.1
DART:AC Standalone AnyConnect Client shows AnyConnect 2.3.xx instead of
AnyConnect dart 2.3.xx.
Windows Mobile driver error with SVC rekey new-tunnel
Anyconnect SBL: XML parsing prevents concurrent connections
Long-term fix for Anyconnect with IPv6: non-English Vista
file move operation fails
AnyConnect on Mac OS should be able to verify Certs from KeyChain
Allow mDNS through filters with Local LAN
AnyConnect API Package incorrect dependency
AC - If CertificateMatch in Profile selects 0 certs, AC will use any
AnyConnect: Admin unable to use Local Machine certificates
Anyconnect picks invalid certificate
DART install gets out-of-sync with local manifest
AnyConnect connection failure due to wrong windows shell registry
Two kinds of licenses affect the Cisco AnyConnect VPN Client:
End-User License Agreement
OpenSSL/Open SSL Project
The following sections provide information about these licenses.
End-User License Agreement
For information on the end-user license agreement, go to:
OpenSSL/Open SSL Project
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
This product includes cryptographic software written by Eric Young (
This product includes software written by Tim Hudson (
For Open Source License information for this product, please see the following link:
Related Documentation
For more information, refer to the following documentation:
For additional information about the security appliance or ASDM or its platforms, see Navigating
the Cisco ASA 5500 Series Documentation:
Cisco AnyConnect VPN Client, Release 2.3, Administrator Guide
Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect ,
Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good,
Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way
We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting
To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS,
Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch,
Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the
IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy,
Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to
Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply
a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.