Cisco Vpn Android



Introduction

Sep 12, 2019. Due to a bug in Android 4.4 (Issue #61948; also see the Cisco Support Update), AnyConnect users experience high packet loss over their VPN connection. This has been seen on the Google Nexus 5 running Android 4.4 with AnyConnect ICS+.

  1. It used to work perfectly, but not any more. I changed the APN settings to use IPv4 only and also IPv4/IPv6. Still not working. My laptop VPN works as expected using WiFi and Ethernet. Also, I can browse the internet as expected using the hotspot without the VPN. The phone is completely stock. Cisco AnyConnect version 3.1.
  2. AnyConnect is Cisco's VPN client application for Android; it provides users with access to AnyConnect VPN gateways. The ability to connect to VPNs is essential for Android devices, and AnyConnect is one of many clients available.

This document describes VPN filters in detail and applies to LAN-to-LAN (L2L), the Cisco VPN Client, and the Cisco AnyConnect Secure Mobility Client.

Filters consist of rules that determine whether to allow or reject tunneled data packets that come through the security appliance, based on criteria such as source address, destination address, and protocol. You configure Access Control Lists (ACLs) in order to permit or deny various types of traffic. The filter can be configured on the group policy, username attributes, or Dynamic Access Policy (DAP).

A filter assigned by DAP supersedes the values configured under both the username attributes and the group policy. If DAP does not assign a filter, the username attribute value supersedes the group policy value.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • L2L VPN tunnels configuration
  • VPN Client Remote Access (RA) configuration
  • AnyConnect RA configuration

Components Used

The information in this document is based on the Cisco 5500-X Series Adaptive Security Appliance (ASA) Version 9.1(2).

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information

The sysopt connection permit-vpn command (enabled by default) allows all traffic that enters the security appliance through a VPN tunnel to bypass the interface access lists. Group policy and per-user authorization access lists (vpn-filters) still apply to that traffic.

A vpn-filter is applied to post-decrypted traffic after it exits a tunnel and to pre-encrypted traffic before it enters a tunnel. An ACL that is used for a vpn-filter should NOT also be used for an interface access-group.

When a vpn-filter is applied to a group-policy that governs Remote Access VPN client connections, the ACL should be configured with the client-assigned IP addresses in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. When a vpn-filter is applied to a group-policy that governs an L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. In both cases the ACE is written as seen from the tunnel side entering the appliance; the reverse direction is derived from it automatically.

Configure

VPN filters must be configured in the inbound direction only, although the rules are still applied bidirectionally because the security appliance compiles the outbound counterpart of each ACE automatically. Enhancement CSCsf99428 has been opened to support unidirectional rules, but it has not yet been scheduled or committed for implementation.

Example 1. vpn-filter with AnyConnect or VPN Client

Assume that the client-assigned IP address is 10.10.10.1/24 and the local network is 192.168.1.0/24.

This Access Control Entry (ACE) allows the AnyConnect client to Telnet to the local network:

    access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23

Note: Because the outbound rule is compiled from the same ACE with the addresses and the port operator mirrored, the ACE access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23 also allows the local network to initiate a connection to the RA client on any TCP port as long as it uses a source port of 23.

This ACE allows the local network to Telnet to the AnyConnect client:

    access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0

Note: For the same reason, the ACE access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0 also allows the RA client to initiate a connection to the local network on any TCP port as long as it uses a source port of 23.

Caution: The vpn-filter feature filters traffic in the inbound direction only; the outbound rule is compiled automatically from the same ACE. An ICMP type in the ACE is carried over unchanged into that compiled rule, so an ACE that permits only echo never matches the echo-reply that comes back through the tunnel. Therefore, when you create an Internet Control Message Protocol (ICMP) access-list, do not specify the ICMP type in the access-list formatting if you want directional filters.

Example 2. vpn-filter with L2L VPN Connection

Assume that the remote network is 10.0.0.0/24 and the local network is 192.168.1.0/24.

This ACE allows the remote network to Telnet to the local network:

    access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23

Note: The ACE access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 23 also allows the local network to initiate a connection to the remote network on any TCP port as long as it uses a source port of 23.

This ACE allows the local network to Telnet to the remote network:

    access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0

Note: The ACE access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 192.168.1.0 255.255.255.0 also allows the remote network to initiate a connection to the local network on any TCP port as long as it uses a source port of 23.

Caution: As in Example 1, the vpn-filter feature filters traffic in the inbound direction only and the outbound rule is compiled automatically. Therefore, when you create an ICMP access-list, do not specify the ICMP type in the access-list formatting if you want directional filters.
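To make the bidirectional behaviour behind the Notes in Examples 1 and 2 and the ICMP caution concrete, here is an added Python model of vpn-filter evaluation. It is illustrative code written for this page, not Cisco's implementation: the parser handles only the classic ACE form shown above, the mirrored rule is built exactly as the Notes describe it, the packets fed to the check are constructed, and the source_port_exposure audit is a name chosen here.

```python
"""Model of ASA vpn-filter evaluation (added illustration, not Cisco code).

A vpn-filter ACE is written for the inbound direction (src = client or remote
side, dst = local side); the ASA compiles its mirror for the outbound direction
with the addresses *and* the port operators swapped. The ACE strings at the
bottom are this page's own Example 1 and 2 lines; packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}
ICMP_NAMES = {"echo": 8, "echo-reply": 0, "unreachable": 3}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    src: str                         # CIDR text, e.g. "10.10.10.1/32"
    dst: str
    src_port: Optional[int] = None   # value of an "eq" operator, None when absent
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """access-list NAME permit|deny PROTO SRC MASK [eq P] DST MASK [eq P] [ICMP-TYPE]"""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an ASA ACE: " + line)
    action, proto, pos = tok[2], tok[3], 4

    def take_addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "0.0.0.0/0"
        if tok[pos] == "host":
            pos += 2
            return tok[pos - 1] + "/32"
        pos += 2                     # ASA ACLs take a netmask, not a wildcard mask
        return str(ip_network(f"{tok[pos - 2]}/{tok[pos - 1]}", strict=False))

    def take_port() -> Optional[int]:
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2
            return int(tok[pos - 1]) if tok[pos - 1].isdigit() else PORT_NAMES[tok[pos - 1]]
        return None

    src, sport = take_addr(), take_port()
    dst, dport = take_addr(), take_port()
    icmp_type = None
    if proto == "icmp" and pos < len(tok):
        icmp_type = int(tok[pos]) if tok[pos].isdigit() else ICMP_NAMES[tok[pos]]
    return Ace(action, proto, src, dst, sport, dport, icmp_type)


def mirror(ace: Ace) -> Ace:
    """The outbound rule the ASA compiles automatically: addresses and port operators
    swap sides; an ICMP type is copied unchanged, so it never matches the reply type."""
    return Ace(ace.action, ace.proto, ace.dst, ace.src, ace.dst_port, ace.src_port, ace.icmp_type)


def matches(ace: Ace, pkt: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == pkt.proto)
            and ip_address(pkt.src_ip) in ip_network(ace.src)
            and ip_address(pkt.dst_ip) in ip_network(ace.dst)
            and (ace.src_port is None or ace.src_port == pkt.src_port)
            and (ace.dst_port is None or ace.dst_port == pkt.dst_port)
            and (ace.icmp_type is None or ace.icmp_type == pkt.icmp_type))


def vpn_filter_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First ACE matching in the written or the mirrored direction wins; implicit deny otherwise."""
    for ace in acl:
        if matches(ace, pkt) or matches(mirror(ace), pkt):
            return ace.action == "permit"
    return False


def source_port_exposure(acl: List[Ace]) -> List[str]:
    """Audit check for the caveat in the Notes: a permit whose only port operator sits on
    the source port (written or mirrored rule) lets that side reach any port on the other."""
    findings = []
    for ace in acl:
        if ace.action != "permit" or ace.proto not in ("tcp", "udp"):
            continue
        for rule in (ace, mirror(ace)):
            if rule.src_port is not None and rule.dst_port is None:
                findings.append(f"{rule.src} may open {rule.proto} to any port on "
                                f"{rule.dst} using source port {rule.src_port}")
    return findings


# This page's Example 1 and Example 2 ACEs, as inputs for the check.
RA_FILTER = [parse_ace("access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 "
                       "192.168.1.0 255.255.255.0 eq 23")]
L2L_FILTER = [parse_ace("access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 "
                        "192.168.1.0 255.255.255.0")]
```

Evaluating the Example 1 ACE with this model shows a Telnet session from the client permitted, a connection from 192.168.1.20 to port 4444 on the client permitted when its source port is 23 and denied when it is 1025, and an echo-type ACE that permits the echo request but drops the echo-reply. The same audit flags the Example 2 ACE, which carries eq 23 on the source side, as exposing every local TCP port to the remote network.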

VPN Filters and per-user-override access-groups

By default (sysopt connection permit-vpn), VPN traffic is not filtered by interface ACLs. The command no sysopt connection permit-vpn changes that behavior. In this case, two ACLs can be applied to user traffic: the interface ACL is checked first and then the vpn-filter.

The per-user-override keyword (for inbound ACLs only) allows dynamic user ACLs that are downloaded for user authorization in order to override the ACL assigned to the interface. For example, if the interface ACL denies all traffic from 10.0.0.0, but the dynamic ACL permits all traffic from 10.0.0.0, then the dynamic ACL overrides the interface ACL for that user and traffic is permitted.

Examples (when no sysopt connection permit-vpn is configured):

  • no per-user-override, no vpn-filter: traffic is matched against the interface ACL only
  • no per-user-override, vpn-filter: traffic is matched first against the interface ACL, then against the vpn-filter; both must permit it
  • per-user-override, vpn-filter: traffic is matched against the vpn-filter only; the interface ACL is overridden for that user
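The three cases above, as an added ASA configuration sketch that is not part of the Cisco document. The interface name outside, the ACL names outside_in and vpnfilt-user1, the group policy ra-group and the user user1 are placeholders chosen here; the vpnfilt-ra ACE is the one from Example 1.

```cisco
! Turn off the default that lets tunnelled traffic bypass interface ACLs.
! With the default (sysopt connection permit-vpn) only the vpn-filter applies.
no sysopt connection permit-vpn
!
! Interface ACL on the VPN-terminating interface. Without per-user-override a
! VPN user's traffic must pass this ACL first and then the vpn-filter, so the
! deny below drops everything from the client pool. With per-user-override a
! user that has a vpn-filter is checked against the vpn-filter only.
access-list outside_in deny ip 10.10.10.0 255.255.255.0 any
access-group outside_in in interface outside per-user-override
!
! vpn-filter from Example 1 (client 10.10.10.1 may Telnet into 192.168.1.0/24),
! bound to the group policy used by the remote-access tunnel group.
access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23
group-policy ra-group attributes
 vpn-filter value vpnfilt-ra
!
! For user1 the filter under username attributes (SSH only) supersedes the
! group-policy filter; a DAP-assigned filter would supersede both.
access-list vpnfilt-user1 permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 22
username user1 attributes
 vpn-filter value vpnfilt-user1
!
! Verify: the ACL appears in the ASP filter table once a client is connected,
! and the hit counters increase as the client sends Telnet traffic.
show asp table filter access-list vpnfilt-ra hits
```

Removing per-user-override from the access-group line, with the rest unchanged, reproduces the second case: the client's Telnet is then dropped by outside_in before the vpn-filter is ever consulted.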

Verify

Use this section in order to confirm that your configuration works properly.

The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.

  • show asp table filter [access-list <acl-name>] [hits]
    In order to debug the accelerated security path filter tables, use the show asp table filter command in privileged EXEC mode. When a filter has been applied to a VPN tunnel, the filter rules are installed into the filter table. If the tunnel has a filter specified, then the filter table is checked prior to encryption and after decryption in order to determine whether the inner packet should be permitted or denied.
  • clear asp table filter [access-list <acl-name>]
    This command clears the hit counters for the ASP filter table entries.

Troubleshoot

This section provides information you can use in order to troubleshoot your configuration.

Note: Refer to Important Information on Debug Commands before you use debug commands.

  • debug acl filter
    This command enables VPN filter debugging. It helps troubleshoot the installation and removal of VPN filters in the ASP filter table. The debug output in this section refers to Example 1 (vpn-filter with AnyConnect or VPN Client).
    Debug output when user1 connects:
    Debug output when user2 connects (after user1, with the same filter):
    Debug output when user2 disconnects:
    Debug output when user1 disconnects:
  • show asp table filter
    Here is the output of show asp table filter before user1 connects. Only the implicit deny rules are installed, for IPv4 and IPv6 in both the in and out directions.

Install and Configure Cisco AnyConnect on Android

Follow the steps below to install and configure Cisco AnyConnect on an Android device.

Due to differences in Android devices, your steps may differ slightly.

Install Cisco AnyConnect


  1. Connect your Android device to the Internet.
  2. Open the Google Play store.
  3. Search for AnyConnect.
  4. Select AnyConnect from the search results and tap Install.
  5. If prompted to accept permissions, tap Accept & download.
  6. The application downloads and installs.

Configure Cisco AnyConnect

This activity requires an active dCloud session. Before you begin, schedule a session and wait for the session status to become Active.

  1. Connect your Android device to the Internet.
  2. Using a browser on your Android device, open http://dcloud.cisco.com, select the dCloud location nearest to you, and log in with your Cisco.com credentials.
  3. In dCloud, go to My Hub > Sessions, locate your active session, and then click View.
  4. Open Details > Session Details to view the AnyConnect credentials for the session. Note the host URL, a user ID, and the password.
  5. Launch AnyConnect on the Android device.
  6. Tap Add New VPN Connection.
  7. Tap Server Address, enter the host URL from the AnyConnect credentials in the Server Address field, tap OK, and then tap Done.
  8. Tap the name of the new connection you created.
  9. Enter the user ID (Username) and the password from the AnyConnect credentials and then tap OK.
  10. The device connects to dCloud.
  11. The notification in the AnyConnect application screen that AnyConnect VPN is Connected and On confirms your successful connection to dCloud.