Cisco ASA Anyconnect VPN per Device IPSECv2 tunnels using certificates – no failover

After we upgraded from Windows XP to Windows 7 we started getting problems with VPN users not being able to connect or weird things happening (random re-boots!).

We then discovered that Cisco did not support the VPN Client using IPSEC tunnels in Windows 7! We apparently had to use the new Anyconnect VPN tunnels and client software.

Our VPN setup is rather different from the standard one – most IT Managers set up their VPN on a per user basis (particularly with the newer SSL VPNs). That’s all well and good, but what happens if staff have been using a communal laptop on the road? We have several laptops that are held as a pool for use by anyone. Our staff log on to these laptops as a standard user called ‘User’ and then connect to the company with VPN using their network username and password. What happens if the laptop is lost or stolen? You have no means of revoking access to the VPN for that laptop. This scenario extends to home users as well, who may have had their desktop computer stolen in a house robbery. And, most importantly, this scenario is also relevant for mobile devices, which we are increasingly connecting to the VPN system.

Rather than live with this problem we prefer to create a separate tunnel group for each device with its own IPSEC shared secret password. When we are notified that a device is lost we can then delete that tunnel group and know without doubt that the device cannot be used to access our network. We are effectively creating a two-factor authentication solution – something the user has (a company approved device) and something they know (their username and password). This system also has the added advantage of locking down VPN access to company approved devices only – vitally important to keep the nasties out of your company network.
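What that per-device arrangement looks like in ASA configuration, as an added illustration that is not from the original post: every name, address and key below is a placeholder I chose, and the RADIUS server, address pool and group policy are assumed to exist already.

```cisco
! Per-device IKEv1 remote-access tunnel groups on a Cisco ASA (placeholder names).
! Each device gets its own tunnel group and pre-shared key (the "group name" and
! "group password" entered in the Cisco VPN Client profile); the user still
! authenticates with their own username/password against the AAA server.
! Syntax shown is ASA 8.4+; on 8.2/8.3 the PSK line is "pre-shared-key ..." and the
! protocol keyword is "vpn-tunnel-protocol IPSec".

! Shared pieces (assumed): address pool, AAA server group and group policy
ip local pool VPN-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.20
 key RADIUS-SECRET-PLACEHOLDER
group-policy GP-REMOTE internal
group-policy GP-REMOTE attributes
 vpn-tunnel-protocol ikev1
 dns-server value 10.1.1.10

! Device 1: pool laptop LAPTOP-POOL-01 (placeholder)
tunnel-group LAPTOP-POOL-01 type remote-access
tunnel-group LAPTOP-POOL-01 general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy GP-REMOTE
tunnel-group LAPTOP-POOL-01 ipsec-attributes
 ikev1 pre-shared-key LAPTOP01-PSK-PLACEHOLDER

! Device 2: pool laptop LAPTOP-POOL-02 (placeholder), different key
tunnel-group LAPTOP-POOL-02 type remote-access
tunnel-group LAPTOP-POOL-02 general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy GP-REMOTE
tunnel-group LAPTOP-POOL-02 ipsec-attributes
 ikev1 pre-shared-key LAPTOP02-PSK-PLACEHOLDER

! Revocation: when LAPTOP-POOL-01 is reported lost, delete only its tunnel group.
! That device can no longer complete IKE phase 1 whatever user credentials it
! presents; LAPTOP-POOL-02 and every other device are unaffected.
clear configure tunnel-group LAPTOP-POOL-01
write memory
```

The deletion takes effect on the active unit and is replicated to the standby unit, so the revoked device is locked out of both.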

For our VPN system we have 2 Cisco ASA units working in Active/Standby mode – if one unit fails or is brought down for maintenance the other unit automatically kicks in. On Cisco ASA units with the most up to date software the VPN tunnels do not disconnect when this failover occurs, all IPSEC VPN tunnels stay up. This is a fantastic feature for when we need to update software on the ASAs – we can simply failover and work on the inactive unit without having to inform VPN users, then failback and work on the other unit in the same way – no downtime whatsoever. In addition our 2 units are in different geographic locations with a good point to point link between them. This all provides a very robust service – something we really need with so many users these days on the road or home working in various parts of the world.

Therefore, we wanted to replicate this system with the Anyconnect VPN solution and not suffer the problems with the incompatible VPN client software in Windows 7. But we soon came across a major problem.

Anyconnect VPN relies on IKEv2 or SSL which both require the use of certificates from a certificate authority (CA) rather than shared secrets. This is fine as the Cisco ASA contains a CA server component which you can set up to serve certificates to the VPN tunnel groups. Devices then use a separate certificate according to their device tunnel group. We tested this setup on a lone Cisco ASA 5505 unit before moving the configuration to our production ASA 5510 units that are in Active/Standby mode.

And that’s when the problem became apparent – the Cisco ASA software does not support a Certificate Authority on ASA units set up as Active/Standby pairs. The only suggestion Cisco could make was to use a Windows based certificate authority, but that meant extra servers being tied up as CA servers with failover set up between the two – not trivial!

In the end we had to give up. As it turned out, Cisco recognised this as a bug which is still active awaiting resolution see: (You will need a Cisco support username to view this).

In the meantime they did update their IPSECv1 based VPN client to support Windows 7, so we have happily been using that without any problems (current version: with our IPSECv1 per device VPN setup. However, Cisco have stated that the VPN Client is end of life and will no longer be updated. They recommend you use the Anyconnect client instead – useless advice as we can’t use that because of the CA server failover problem!

Author: James

IT Manager - Network, Web coding, MS SQL and Online Mapping expert
