Usage Guidelines

When this command is configured, the security appliance will also do a match on these attributes in addition to the Framed IP attribute. Multiple instances of this command are allowed.

You can find a list of RADIUS attribute types here:

http://www.iana.org/assignments/radius-types

Usage Guidelines

You can configure a Kerberos AAA server group to authenticate the servers in the group using the validate-kdc command. To accomplish the authentication, you must also import a keytab file that you exported from the Kerberos Key Distribution Center (KDC). By validating the KDC, you can prevent an attack where the attacker spoofs the KDC so that user credentials are authenticated against the attacker’s Kerberos server.

When you enable KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, the system also requests a service ticket on behalf of the user for host /ASA_hostname . The system then validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file that you generated from the KDC and then uploaded to the ASA. If KDC authentication fails, the server is considered untrusted and the user is not authenticated.

To accomplish KDC authentication, you must do the following:

1. (On the KDC.) Create a user account in the Microsoft Active Directory for the ASA (go to Start > Programs > Administrative Tools > Active Directory Users and Computers ). For example, if the fully-qualified domain name (FQDN) of the ASA is asahost.example.com, create a user named asahost.

2. (On the KDC.) Create a host service principal name (SPN) for the ASA using the FQDN and user account:

C:> setspn -A HOST/asahost.example.com asahost

1. (On the KDC.) Create a keytab file for the ASA (line feeds added for clarity):

C:\Users\Administrator> ktpass /out new.keytab +rndPass
/princ host/asahost@EXAMPLE.COM
/mapuser asahost@example.com
/ptype KRB5_NT_SRV_HST
/mapop set

1. (On the ASA.) Import the keytab (in this example, new.keytab) to the ASA using the aaa kerberos import-keytab command.

2. (On the ASA.) Add the validate-kdc command to the Kerberos AAA server group configuration. The keytab file is used only by server groups that contain this command.

Note	You cannot use KDC validation in conjunction with Kerberos Constrained Delegation (KCD). The validate-kdc command will be ignored if the server group is used for KCD.

Usage Guidelines

Specify the LISP pre-shared key so the ASA can read LISP message contents.

About LISP Inspection for Cluster Flow Mobility

The ASA inspects LISP traffic for location changes and then uses this information for seamless clustering operation. With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router and the ETR or ITR, and can then change the flow owner to be at the new site.

Cluster flow mobility includes several inter-related configurations:

1. (Optional) Limit inspected EIDs based on the host or server IP address—The first hop router might send EID-notify messages for hosts or networks the ASA cluster is not involved with, so you can limit the EIDs to only those servers or networks relevant to your cluster. For example, if the cluster is only involved with 2 sites, but LISP is running on 3 sites, you should only include EIDs for the 2 sites involved with the cluster. See the policy-map type inspect lisp , allowed-eid, and validate-key commands.

2. LISP traffic inspection—The ASA inspects LISP traffic for the EID-notify message sent between the first hop router and the ITR or ETR. The ASA maintains an EID table that correlates the EID and the site ID. For example, you should inspect LISP traffic with a source IP address of the first hop router and a destination address of the ITR or ETR. See the inspect lisp command.

3. Service Policy to enable flow mobility on specified traffic—You should enable flow mobility on business-critical traffic. For example, you can limit flow mobility to only HTTPS traffic, and/or to traffic to specific servers. See the cluster flow-mobility lisp command.

4. Site IDs—The ASA uses the site ID for each cluster unit to determine the new owner. See the site-id command.

5. Cluster-level configuration to enable flow mobility—You must also enable flow mobility at the cluster level. This on/off toggle lets you easily enable or disable flow mobility for a particular class of traffic or applications. See the flow-mobility lisp command.

Usage Guidelines

Remote-access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPsec), or both, depending on deployment requirements, to permit access to virtually any network application or resource. The validation-policy command allows you to specify the protocol type permitted to access on-board CA certificates.

The no-chain option with this command prevents an ASA from supporting subordinate CA certificates that are not configured as trustpoints on it.

The ASA can have two trustpoints with the same CA resulting in two different identity certificates from the same CA. This option is disabled automatically if the trustpoint is authenticated to a CA that is already associated with another trustpoint that has enabled this feature. This prevents ambiguity in the choice of path-validation parameters. If the user attempts to activate this feature on a trustpoint that has been authenticated to a CA already associated with another trustpoint that has enabled this feature, the action is not permitted. No two trustpoints can have this setting enabled and be authenticated to the same CA.

Usage Guidelines

When there are multiple trustpoints associated with the same CA certificate, only one of the trustpoints can be configured for a specific client type. However, one of the trustpoints can be configured for one client type and the other trustpoint with another client type.

If there is a trustpoint associated with the same CA certificate that is already configured with a client type, the new trustpoint is not allowed to be configured with the same client-type setting. The no form of the command clears the setting so that a trustpoint cannot be used for any client validation.

Remote access VPNs can use Secure Sockets Layer (SSL) VPN, IP Security (IPsec), or both, depending on deployment requirements, to permit access to any network application or resource.

Usage Guidelines

In a VDI model, administrators publish desktops pre-loaded with enterprise applications, and end users remotely access these desktops. These virtualized resources appear just as any other resources, such as email, so that users do not need to go through a Citrix Access Gateway to access them. Users log onto the ASA using Citrix Receiver mobile client, and the ASA connects to a pre-defined Citrix XenApp or XenDesktop Server. The administrator must configure the Citrix server’s address and logon credentials under Group Policy so that when users connect to their Citrix Virtualized resource, they enter the ASA’s SSL VPN IP address and credentials instead of pointing to the Citrix Server’s address and credentials. When the ASA has verified the credentials, the receiver client starts to retrieve entitled applications through the ASA.

• iPad—Citrix Receiver version 4.x or later

• iPhone/iTouch—Citrix Receiver version 4.x or later

• Android 2.x phone—Citrix Receiver version 2.x or later

• Android 3.x tablet—Citrix Receiver version 2.x or later

• Android 4.0 phone—Citrix Receiver version 2.x or later

Usage Guidelines

Use the verify command to verify the checksum of a file before using it.

Each software image that is distributed on disk uses a single checksum for the entire image. This checksum is displayed only when the image is copied into flash memory; it is not displayed when the image file is copied from one disk to another.

Before loading or duplicating a new image, record the checksum and MD5 information for the image so that you can verify the checksum when you copy the image into flash memory or onto a server. A variety of image information is available on Cisco.com.

To display the contents of flash memory, use the show flash command. The flash contents listing does not include the checksum of individual files. To recompute and verify the image checksum after the image has been copied into flash memory, use the verify command. Note, however, that the verify command only performs a check on the integrity of the file after it has been saved in the file system. It is possible for a corrupt image to be transferred to the ASA and saved in the file system without detection. If a corrupt image is transferred successfully to the ASA, the software will be unable to tell that the image is corrupted and the file will verify successfully.

To use the message-digest5 (MD5) hash algorithm to ensure file validation, use the verify command with the /md5 option. MD5 is an algorithm (defined in RFC 1321) that is used to verify data integrity through the creation of a unique 128-bit message digest. The /md5 option of the verify command allows you to check the integrity of the ASA software image by comparing its MD5 checksum value against a known MD5 checksum value for the image. MD5 values are now made available on Cisco.com for all security appliance software images for comparison against local system image values. You can also specify SHA-512 (/sha-512 ).

To perform the MD5 or SHA-512 integrity check, issue the verify command using the /md5 or /sha-512 keyword. For example, issuing the verify /md5 flash:cdisk.bin command will calculate and display the MD5 value for the software image. Compare this value with the value available on Cisco.com for this image.

Alternatively, you can get the MD5 value from Cisco.com first, then specify this value in the command syntax. For example, issuing the verify /md5 flash:cdisk.bin 8b5f3062c4cacdbae72571440e962233 command will display a message verifying that the MD5 values match or that there is a mismatch. A mismatch in MD5 values means that either the image is corrupt or the wrong MD5 value was entered.

Usage Guidelines

These parameters are enabled by default. To disable them, enter the no keyword.

Usage Guidelines

You can override the global setting on a per-interface basis by entering the rip send version and rip receive version commands on an interface.

If you specify RIP version 2, you can enable neighbor authentication and use MD5-based encryption to authenticate the RIP updates.

Usage Guidelines

When you use HTTP authentication on the ASA (see the aaa authentication match or the aaa authentication include command), the ASA uses basic HTTP authentication by default. You can change the authentication method so that the ASA redirects HTTP connections to web pages generated by the ASA itself using the aaa authentication listener command with the redirect keyword.

However, if you continue to use basic HTTP authentication, then you might need the virtual http command when you have cascading HTTP authentications.

If the destination HTTP server requires authentication in addition to the ASA, then the virtual http command lets you authenticate separately with the ASA (via a AAA server) and with the HTTP server. Without virtual HTTP, the same username and password you used to authenticate with the ASA is sent to the HTTP server; you are not prompted separately for the HTTP server username and password. Assuming the username and password is not the same for the AAA and HTTP servers, then the HTTP authentication fails.

This command redirects all HTTP connections that require AAA authentication to the virtual HTTP server on the ASA. The ASA prompts for the AAA server username and password. After the AAA server authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not include the AAA server username and password. Because the username and password are not included in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and password.

For inbound users (from lower security to higher security), you must also include the virtual HTTP address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual HTTP IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).

For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual HTTP address. A static statement is not required.

Note	Do not set the timeout uauth command duration to 0 seconds when using the virtual http command, because this setting prevents HTTP connections to the real web server.

Usage Guidelines

Although you can configure network access authentication for any protocol or service (see the aaa authentication match or aaa authentication include command), you can authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the user Telnets to a given IP address configured on the ASA, and the ASA provides a Telnet prompt.

You must configure authentication for Telnet access to the virtual Telnet address as well as the other services you want to authenticate using the authentication match or aaa authentication include command.

When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a username and password, and then authenticated by the AAA server. Once authenticated, the user sees the message “Authentication Successful.” Then, the user can successfully access other services that require authentication.

For inbound users (from lower security to higher security), you must also include the virtual Telnet address as a destination interface in the access list applied to the source interface. Moreover, you must add a static command for the virtual Telnet IP address, even if NAT is not required (using the no nat-control command). An identity NAT command is typically used (where you translate the address to itself).

For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual Telnet address. A static statement is not required.

To logout from the ASA, reconnect to the virtual Telnet IP address; you are prompted to log out.

Usage Guidelines

This command specifies the egress VLAN interface for sessions assigned to this group policy. The ASA forwards all traffic on this group to that VLAN. You can assign a VLAN to each group policy to simplify access control. Applying the VLAN interface configuration disrupts the client-to-client communication. All packets, including packets destined to a second client, are forced to the vlan interface. You must have a device downstream to route packets back to the firewall to maintain client-to-client communication.

Do not use the VoIP inspection engines (CTIQBE, H.323, GTP, MGCP, RTSP, SIP, SKINNY), the DNS inspect engine, or the DCE RPC inspection engine with vlan mapping option. These inspection engines ignore the vlan-mapping setting which could result in packets being incorrectly routed.

Usage Guidelines

You can configure a primary VLAN, as well as one or more secondary VLANs. When the ASA receives traffic on the secondary VLANs, it maps it to the primary VLAN. Each subinterface must have a VLAN ID before it can pass traffic. To change a VLAN ID, you do not need to remove the old VLAN ID with the no option; you can enter the vlan command with a different VLAN ID, and the ASA changes the old ID. To remove some secondary VLANs from the list, you can use the no command and only list the VLANs to remove. You can only selectively remove listed VLANs; you cannot remove a single VLAN in a range, for example.

You need to enable the physical interface with the no shutdown command to let subinterfaces be enabled. If you enable subinterfaces, you typically do not also want the physical interface to pass traffic, because the physical interface passes untagged packets. Therefore, you cannot prevent traffic from passing through the physical interface by bringing down the interface. Instead, ensure that the physical interface does not pass traffic by leaving out the nameif command. If you want to let the physical interface pass untagged packets, you can configure the nameif command as usual.

The maximum number of subinterfaces varies depending on your platform. See the CLI configuration guide for the maximum subinterfaces per platform.

Usage Guidelines

Virtual Private Dial-up Networking (VPDN) is used to provide long distance, point-to-point connections between remote dial-in users and a private network. VDPN on the security appliance uses the Layer 2 tunneling technology PPPoE to establish dial-up networking connections from the remote user to the private network across a public network.

PPPoE is the Point-to-Point Protocol (PPP) over Ethernet. PPP is designed to work with network layer protocols such as IP, IPX, and ARA. PPP also has CHAP and PAP as built-in security mechanisms.

The show vpdn session pppoe command displays session information for PPPOE connections. The clear configure vpdn group command removes all vpdn group commands from the configuration and stops all the active L2TP and PPPoE tunnels. The clear configure vpdn username command removes all the vpdn username commands from the configuration.

Because PPPoE encapsulates PPP, PPPoE relies on PPP to perform authentication and ECP and CCP functions for client sessions operating within the VPN tunnel. Additionally, PPPoE is not supported in conjunction with DHCP because PPP assigns the IP address for PPPoE.

Note	Unless the VPDN group for PPPoE is configured, PPPoE cannot establish a connection.

To define a VPDN group to be used for PPPoE, use the vpdn group group_name request dialout pppoe command. Then use the pppoe client vpdn group command from interface configuration mode to associate a VPDN group with a PPPoE client on a particular interface.

If your ISP requires authentication, use the vpdn group group_name ppp authentication {chap | mschap | pap } command to select the authentication protocol used by your ISP.

Use the vpdn group group_name localname username command to associate the username assigned by your ISP with the VPDN group.

Use the vpdn username username password password command to create a username and password pair for the PPPoE connection. The username must be a username that is already associated with the VPDN group specified for PPPoE.

Note	If your ISP is using CHAP or MS-CHAP, the username may be called the remote system name and the password may be called the CHAP secret.

The PPPoE client functionality is turned off by default, so after VPDN configuration, enable PPPoE with the ip address if_name pppoe [setroute ] command. The setroute option causes a default route to be created if no default route exists.

As soon as PPPoE is configured, the security appliance attempts to find a PPPoE access concentrator with which to communicate. When a PPPoE connection is terminated, either normally or abnormally, the ASA attempts to find a new access concentrator with which to communicate.

The following ip address commands should not be used after a PPPoE session is initiated because they will terminate the PPPoE session:

• ip address outside pppoe , because it attempts to initiate a new PPPoE session.

• ip address outside dhcp , because it disables the interface until the interface gets its DHCP configuration.

• ip address outside address netmask , because it brings up the interface as a normally initialized interface.

Usage Guidelines

The vpdn username must be a username that is already associated with the VPDN group specified with the vpdn group group_name localname username command.

The clear configure vpdn username command removes all the vpdn username commands from the configuration.

Usage Guidelines

If you choose DHCP, you should also use the dhcp-network-scope command to define the range of IP addresses that the DHCP server can use. You must use the dhcp-server command to indicate the IP addresses that the DHCP server uses.

If you choose local, you must also use the ip-local-pool command to define the range of IP addresses to use. You then use the vpn-framed-ip-address and vpn-framed-netmask commands to assign IP addresses and netmasks to individual users.

With the local pool, you can use the reuse-delay delay option to adjust the delay before a released IP address can be reused. Increasing the delay prevents problems firewalls may experience when an IP address is returned to the pool and reassigned quickly.

If you choose AAA, you obtain IP addresses from either a previously configured RADIUS server.

Usage Guidelines

In flat backup mode, standby sessions are established on any other cluster member. This will protect users from blade failures, however, chassis failure protection is not guaranteed.

In remote-chassis backup mode standby sessions are established on a member of another chassis in the cluster. This will protect users from both blade failures and chassis failures.

If remote-chassis is configured in a single chassis environment (intentionally configured or the result of a failure), no backups will be created until another chassis joins.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

If you enter the vpnclient enable command, the supported ASA functions as an Easy VPN Remote hardware client.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

By default, the Easy VPN client and server encapsulate IPsec in User Datagram Protocol (UDP) packets. Some environments, such as those with certain firewall rules, or NAT and PAT devices, prohibit UDP. To use standard Encapsulating Security Protocol (ESP, Protocol 50) or Internet Key Exchange (IKE, UDP 500) in such environments, you must configure the client and the server to encapsulate IPsec within TCP packets to enable secure tunneling. If your environment allows UDP, however, configuring IPsec over TCP adds unnecessary overhead.

If you configure an ASA to use TCP-encapsulated IPsec, enter the following command to let it send large packets over the outside interface:

ciscoasa(config)# crypto ipsec df-bit clear-df outside
ciscoasa(config)#

This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN hardware client send packets that are larger than the MTU size.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Devices such as Cisco IP phones, wireless access points, and printers are incapable of performing authentication, and therefore do not authenticate when individual unit authentication is enabled. If individual user authentication is enabled, you can use this command to exempt such devices from authentication. The exemption of devices from individual user authentication is also called “device pass-through.”

The format for specifying the MAC address and mask in this command uses three hex digits, separated by periods; for example, the MAC mask ffff.ffff.ffff matches just the specified MAC address. A MAC mask of all zeroes matches no MAC address, and a MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer.

Note	You must have Individual User Authentication and User Bypass configured on the headend device. For example, if you have the ASA as the headend, configure the following under group policy:ciscoasa(config-group-policy)# user-authentication enable ciscoasa(config-group-policy)# ip-phone-bypass enable

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

It assumes the ASA 5505 configuration contains the following commands:

• vpnclient server to specify the peer.

• vpnclient mode to specify the client mode (PAT) or network extension mode.

One of the following:

• vpnclient vpngroup to name the tunnel group and the IKE pre-shared key used for authentication on the Easy VPN server.

• vpnclient trustpoint to name the trustpoint identifying the RSA certificate to use for authentication

Note	The public address of an ASA behind a NAT device is inaccessible unless you add static NAT mappings on the NAT device.

Note	Regardless of your configuration, DHCP requests (including renew messages) should not flow over IPsec tunnels. Even with a vpnclient management tunnel, DHCP traffic is prohibited.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

The Easy VPN Client supports one of two modes of operation: client mode or NEM. The mode of operation determines whether the inside hosts, relative to the Easy VPN Client, are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode.

• In client mode, the Easy VPN client performs port address translation (PAT) for all VPN traffic from its inside hosts. This mode requires no IP address management for either the inside address of the hardware client (which has a default RFC 1918 address assigned to it) or the inside hosts. Because of PAT, the inside hosts are not accessible from the enterprise network.

• In NEM, all nodes on the inside network and the inside interface are assigned addresses routable across the enterprise network. The inside hosts are accessible from the enterprise network over a tunnel. Hosts on the inside network are assigned IP addresses from an accessible subnet (statically or through DHCP). PAT is not applied to the VPN traffic when in network extension mode.

Note	If the Easy VPN hardware client is using NEM and has connections to secondary servers, use the crypto map set reverse-route command on each headend device to configure dynamic announcements of the remote network using Reverse Route Injection (RRI).

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Before entering the vpnclient nem-st-autoconnect command, ensure that network extension mode is enabled for the hardware client. Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel. After the tunnel is up, either side can initiate data exchange.

Note	You must also configure the Easy VPN server to enable network extension mode. To do so, use the nem enable command in group-policy configuration mode.

IPsec data tunnels are automatically initiated and sustained when in network extension mode, except when split-tunneling is configured.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

A server must be configured before a connection can be established. The vpnclient server command supports IPv4 addresses, the names database, or DNS names and resolves addresses in that order.

You can use either the IP address or the hostname of a server.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Use this command to enable Easy VPN server certificate filtering. You define the certificate map itself using the crypto ca certificate map and crypto ca certificate chain commands.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Define the trustpoint using the crypto ca trustpoint command. A trustpoint represents a CA identity and possibly a device identity, based on a certificate issued by the CA. The commands within the trustpoint sub mode control CA-specific configuration parameters which specify how the ASA obtains the CA certificate, how the ASA obtains its certificate from the CA, and the authentication policies for user certificates issued by the CA.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

The XAUTH username and password parameters are used when secure unit authentication is disabled and the server requests XAUTH credentials. If secure unit authentication is enabled, these parameters are ignored, and the ASA prompts the user for a username and password.

Usage Guidelines

This command applies only to an ASA running as an Easy VPN Remote hardware client: ASA 5505 running releases 7.2(1) through 9.2, or ASA 5506 or 5508 models running release 9.5(1) or later.

Use the pre-shared key as the password.

You must also configure a server and specify the mode before establishing a connection.

Usage Guidelines

Clientless SSL VPN does not use the ACL defined in the vpn-filter command.

By design, the vpn-filter feature allows for traffic to be filtered in inbound direction only. The outbound rule is automatically compiled. When creating an icmp access-list, do not specify icmp type in the access-list formatting if you want directional filters.

The VPN filter applies to initial connections only. It does not apply to secondary connections, such as a SIP media connection, that are opened due to the action of application inspection.

Usage Guidelines

You can override the value of an attribute in a group policy for a particular user by configuring it in username mode, if that attribute is available in username mode.

Usage Guidelines

The Secure Client supports session resumption for SSL and IKEv2 connection. With this capability, end user devices can go into sleep mode, lose their WiFi, or any of the like and resume the same connection upon return.

Usage Guidelines

A load-balancing cluster can include security appliance models 5510 (with a Plus license), or ASA 5520 and above. You can also include VPN 3000 Series Concentrators in the cluster. While mixed configurations are possible, administration is generally simpler if the cluster is homogeneous.

Use the vpn load-balancing command to enter vpn load-balancing mode. The following commands are available in vpn load-balancing mode:

• cluster encryption

• cluster ip address

• cluster key

• cluster port

• interface

• nat

• participate

• priority

• redirect-fqdn

See the individual command descriptions for detailed information.

Usage Guidelines

This option allows inheritance of a value from another group policy. Enter 0 to disable login and prevent user access.

Note	While the maximum limit for the number of simultaneous logins is very large, allowing several simultaneous logins could compromise security and affect performance.

Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might remain in the session database, even though a “new” session has been established with the same username.

If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal termination, then the stale session is removed from the database and the new session is established. If, however, the existing session is still an active connection and the same user logs in again, perhaps from another PC, the first session is logged off and removed from the database, and the new session is established.

If the number of simultaneous logins is a value greater than 1, then, when you have reached that maximum number and try to log in again, the session with the longest idle time is logged off. If all current sessions have been idle an equally long time, then the oldest session is logged off. This action frees up a session and allows the new login.

Once the maximum session limit is reached, it takes some time for the system to delete the oldest session. Thus, a user might not be able to immediately log on and might have to retry the new connection before it completes successfully. This should not be a problem if users log off their sessions as expected. You can optionally remove the delay by configuring the system to not wait for the deletion to complete and immediately allow the new user connection, using the vpn-simultaneous-login-delete-no-delay command.