Configure AnyConnect Management VPN Tunnel on ASA

Introduction

This document describes configuring ASA as the VPN gateway accepts connections from AnyConnect Secure Mobility Client through Management VPN tunnel.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • VPN configuration through Adaptive Security Device Manager (ASDM)
  • Basic Adaptive Security Appliance (ASA) CLI Configuration
  • X509 Certificates

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA software version 9.12(3)9
  • Cisco ASDM software version 7.12.2
  • Windows 10 with Cisco AnyConnect Secure Mobility Client version 4.8.03036

Note: Download the AnyConnect VPN web deploy package (anyconnect-win*.pkg or anyconnect-macos*.pkg) from the Cisco Software Download (registered customers only). Copy the AnyConnect VPN client to the flash memory of the ASA; it is downloaded to the remote user computers to establish the SSL VPN connection with the ASA. Refer to the Installing the AnyConnect Client section of the ASA configuration guide for more information.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.

The AnyConnect Management Tunnel allows an administrator to have AnyConnect connect without user intervention, before the user logs in. The AnyConnect Management Tunnel can work in conjunction with Trusted Network Detection and is therefore triggered only when the endpoint is off-premise and disconnected from a user-initiated VPN. The AnyConnect Management Tunnel is transparent to the end user and disconnects automatically when the user initiates a VPN.

OS/Application          Minimum Version Requirements
ASA                     9.0.1
ASDM                    7.10.1
Windows AnyConnect      Version 4.7.00136
macOS AnyConnect        Version 4.7.01076
Linux                   Unsupported

Working of Management Tunnel

The AnyConnect VPN agent service starts automatically upon system boot-up. It detects that the management tunnel feature is enabled (via the management VPN profile), so it launches the management client application to initiate a management tunnel connection. The management client application uses the host entry from the management VPN profile to initiate the connection. The VPN tunnel is then established as usual, with one exception: no software update is performed during a management tunnel connection, since the management tunnel is meant to be transparent to the user.

The user initiates a VPN tunnel via the AnyConnect UI, which triggers the management tunnel termination. Upon management tunnel termination, the user tunnel establishment continues as usual.

The user disconnects the VPN tunnel, which triggers the automatic re-establishment of the management tunnel.

Limitations

  • User interaction is not supported
  • Only certificate-based authentication through the Machine Certificate Store (Windows) is supported
  • Strict Server Certificate checking is enforced
  • A private proxy is not supported
  • A public proxy is not supported (ProxyNative value is supported on platforms where Native Proxy settings are not retrieved from the browser)
  • AnyConnect Customization Scripts are not supported

Note: For more information, refer to About the Management VPN Tunnel.

Configure

This section describes how to configure the Cisco ASA as the VPN gateway to accept connections from the AnyConnect client through the Management VPN tunnel.

Configuration on ASA through ASDM/CLI

Step 1. Create the AnyConnect Group Policy. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Click Add.

Note: It is advisable to create a new AnyConnect Group Policy which is used for the AnyConnect Management tunnel only.

Step 2. Provide a Name for the Group Policy. Assign/Create an Address Pool. Choose Tunneling Protocols as SSL VPN Client and/or IPsec IKEv2, as shown in the image.

Step 3. Navigate to Advanced > Split Tunneling. Configure the Policy as Tunnel Network List Below and choose the Network List, as shown in the image.

Note: If a client address is not pushed for both IP protocols (IPv4 and IPv6), the Client Bypass Protocol setting must be enabled so that the traffic of the protocol without an assigned address is not disrupted by the management tunnel. To configure it, refer to Step 4.

Step 4. Navigate to Advanced > AnyConnect Client. Set Client Bypass Protocol to Enable. Click OK to save, as shown in the image.

Step 5. As shown in this image, click Apply to push the configuration to the ASA.

CLI Configuration for Group Policy (split-tunnel-policy tunnelspecified is what the Tunnel Network List Below selection in Step 3 generates; without it the policy inherits tunnel-all):

ip local pool VPN_Pool 192.168.10.1-192.168.10.100 mask 255.255.255.0
!
access-list VPN-Split standard permit 172.16.0.0 255.255.0.0
!
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Split
 client-bypass-protocol enable
 address-pools value VPN_Pool

Step 6. Create the AnyConnect Connection Profile. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Click Add.

Note: It is advisable to create a new AnyConnect Connection Profile which is used for the AnyConnect Management tunnel only.

Step 7. Provide a Name for the Connection Profile, and set the Authentication Method as Certificate only. Choose the Group Policy as the one created in Step 1.

Note: Ensure that the Root certificate from the Local CA is present on the ASA. Navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates to add/view the certificate.

Note: Ensure that an Identity certificate issued by the same Local CA exists in the Machine Certificate Store (for Windows) and/or in the System Keychain (for macOS).

Step 8. Navigate to Advanced > Group Alias/Group URL. Click Add under Group URLs and add a URL. Ensure Enabled is checked. Click OK to save, as shown in the image.

If IKEv2 is used, ensure IPsec (IKEv2) Access is enabled on the interface used for AnyConnect.

Step 9. Click Apply to push the configuration to the ASA.

CLI Configuration for Connection Profile (tunnel-group):

tunnel-group AnyConnect_MGMT_Tunnel type remote-access
tunnel-group AnyConnect_MGMT_Tunnel general-attributes
 default-group-policy AnyConnect_MGMT_Tunnel
tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
 authentication certificate
 group-url https://asa.example.com/AnyConnect_MGMT_Tunnel enable

Step 10. Ensure that a trusted certificate is installed on the ASA and bound to the interface used for AnyConnect connections. Navigate to Configuration > Remote Access VPN > Advanced > SSL Settings to add/view this setting.

Note: Refer to Installation of Identity Certificate on ASA.

CLI Configuration for SSL Trustpoint:

ssl trust-point ROOT-CA outside

Creation of AnyConnect Management VPN Profile

Step 1. Create the AnyConnect Client Profile. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. Click Add, as shown in the image.

Step 2. Provide a Profile Name. Choose the Profile Usage as AnyConnect Management VPN Profile. Choose the Group Policy created in Step 1. Click OK, as shown in the image.

Step 3. Choose the Profile created and click Edit, as shown in the image.

Step 4. Navigate to Server List. Click Add to add a new Server List Entry, as shown in the image.

Step 5. Provide a Display Name. Add the FQDN/IP address of the ASA. Provide the User Group as the tunnel group name. Group URL is automatically populated from the FQDN and User Group. Click OK.

Note: The FQDN/IP address + User Group must be the same as the Group URL entered during the configuration of the AnyConnect Connection Profile in Step 8.

Note: AnyConnect with IKEv2 as the protocol can also be used to establish the Management VPN to the ASA. Ensure Primary Protocol is set to IPsec in Step 5.

Step 6. As shown in the image, click OK to save.

Step 7. Click Apply to push the configuration to the ASA, as shown in the image.

CLI Configuration after the addition of the AnyConnect Management VPN Profile:

webvpn
 enable outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
 anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Split
 client-bypass-protocol enable
 address-pools value VPN_Pool
 webvpn
  anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt

AnyConnect Management VPN Profile on AnyConnect Client Machine:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>Machine</CertificateStore>
		<CertificateStoreMac>System</CertificateStoreMac>
		<CertificateStoreOverride>true</CertificateStoreOverride>
		<ProxySettings>IgnoreProxy</ProxySettings>
		<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		
--- Output Omitted ---
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>false</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>AnyConnect_MGMT_Tunnel</HostName>
			<HostAddress>asa.example.com</HostAddress>
			<UserGroup>AnyConnect_MGMT_Tunnel</UserGroup>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>

Note: If Trusted Network Detection (TND) is used in the user AnyConnect VPN profile, it is advisable to match the same settings in the Management VPN Profile for a consistent user experience. The management VPN tunnel is triggered based on the TND settings applied to the user VPN tunnel profile. Additionally, the TND Connect action in the management VPN profile (enforced only when the management VPN tunnel is active) always applies to the user VPN tunnel, to ensure that the management VPN tunnel is transparent to the end user.

Note: On any end-user PC, if the Management VPN profile has TND settings enabled and the user VPN profile is missing, the client uses the default preference settings for TND (TND is disabled in the default preferences of the AnyConnect client application) in place of the missing user VPN profile. This mismatch can lead to unexpected/undefined behavior.
By default, TND settings are disabled in the default preferences.
To overcome the hardcoded default preference settings in the AnyConnect client application, the end-user PC must have two VPN profiles, a user VPN profile and an AnyConnect Management VPN profile, and both of them must have the same TND settings.
The logic behind Management VPN tunnel connection and disconnection is that, to establish a Management VPN tunnel, the AnyConnect agent uses the user VPN profile TND settings, and for disconnection of the Management VPN tunnel, it checks the management VPN profile TND settings.
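The mistakes the Troubleshoot section later attributes to the profile (wrong certificate store, more than one host entry, a host entry without a tunnel group, or an FQDN + UserGroup that does not match the ASA group-url from Step 8) can be caught before a client ever boots with the profile. The following Python script is an added example written for this article, not Cisco code: it parses a .vpnm file and reports violations of the limitations listed above. SAMPLE_PROFILE is a constructed copy of the profile shown above, and check_mgmt_profile is an assumed helper name.

```python
"""Sanity-check an AnyConnect Management VPN profile (.vpnm) against the
constraints listed in this document: machine certificate store, no user
interaction, no proxy, and exactly one HostEntry whose HostAddress plus
UserGroup equals the group-url enabled on the ASA tunnel-group.

Added example, not Cisco code. SAMPLE_PROFILE is constructed from the profile
shown in the document; check_mgmt_profile is an assumed helper name.
"""
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: the same values the document uses, ASDM boilerplate omitted.
SAMPLE_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreMac>System</CertificateStoreMac>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>IgnoreProxy</ProxySettings>
    <AllowManualHostInput>false</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>AnyConnect_MGMT_Tunnel</HostName>
      <HostAddress>asa.example.com</HostAddress>
      <UserGroup>AnyConnect_MGMT_Tunnel</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _text(node, path):
    """Text of the first element at path (namespace-aware), or None if absent."""
    el = node.find(path, NS)
    return None if el is None else (el.text or "").strip()


def check_mgmt_profile(xml_text, expected_group_url):
    """Return a list of findings; an empty list means the profile looks sound."""
    root = ET.fromstring(xml_text)
    findings = []
    init = "ac:ClientInitialization/"
    # Only machine-certificate authentication is supported for the management tunnel.
    if _text(root, init + "ac:CertificateStore") != "Machine":
        findings.append("CertificateStore must be Machine")
    if _text(root, init + "ac:CertificateStoreMac") != "System":
        findings.append("CertificateStoreMac should be System for macOS clients")
    # The tunnel runs with no user present, so nothing may wait for a click or a typed host.
    if _text(root, init + "ac:ShowPreConnectMessage") == "true":
        findings.append("ShowPreConnectMessage must be false (no user interaction)")
    if _text(root, init + "ac:AllowManualHostInput") == "true":
        findings.append("AllowManualHostInput must be false")
    # Private and public proxies are unsupported; IgnoreProxy is what the document uses.
    if _text(root, init + "ac:ProxySettings") != "IgnoreProxy":
        findings.append("ProxySettings should be IgnoreProxy")
    # The troubleshooting section requires a single host entry that names a tunnel group.
    entries = root.findall("ac:ServerList/ac:HostEntry", NS)
    if len(entries) != 1:
        findings.append(f"expected exactly 1 HostEntry, found {len(entries)}")
        return findings
    host = _text(entries[0], "ac:HostAddress")
    group = _text(entries[0], "ac:UserGroup")
    if not host or not group:
        findings.append("HostEntry needs both HostAddress and UserGroup (tunnel-group name)")
        return findings
    # FQDN + UserGroup is what the client dials; it must equal the ASA group-url.
    derived = f"https://{host}/{group}"
    if derived != expected_group_url:
        findings.append(f"profile implies group-url {derived}, ASA has {expected_group_url}")
    return findings


if __name__ == "__main__":
    result = check_mgmt_profile(SAMPLE_PROFILE, "https://asa.example.com/AnyConnect_MGMT_Tunnel")
    for finding in result or ["profile OK"]:
        print(finding)
```

To check the profile ASDM actually generated, call check_mgmt_profile with the contents of anyconnect_mgmt_profile.vpnm and the group-url from the tunnel-group webvpn-attributes; every finding corresponds to one of the limitations or notes above.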

Deployment Methods for AnyConnect Management VPN Profile

  • A successful user VPN connection must be completed with the ASA Connection Profile in order to download the AnyConnect Management VPN Profile from the VPN gateway.

Note: If the protocol used for the Management VPN tunnel is IKEv2, the first connection needs to be established through SSL (in order to download the AnyConnect Management VPN profile from the ASA).

(Optional) Configure a Custom Attribute to Support Tunnel-All Configuration

By default, the Management VPN tunnel requires a split-include tunneling configuration, to avoid an impact on user-initiated network communication. This can be overridden when you configure the custom attribute in the group policy used by the management tunnel connection.

Step 1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes. Click Add, as shown in the image.

Step 2. Set the custom attribute Type to ManagementTunnelAllAllowed and provide a Description. Click OK, as shown in the image.

Step 3. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names. Click Add, as shown in the image.

Step 4. Choose the Type as ManagementTunnelAllAllowed. Set the Name as true. Click Add to provide a custom attribute value, as shown in the image.

Step 5. Set the Value as true. Click OK, as shown in the image.

Step 6. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Choose the Group Policy. Click Edit, as shown in the image.

Step 7. As shown in this image, navigate to Advanced > Split Tunneling. Configure the Policy as Tunnel All Networks.

Step 8. Navigate to Advanced > AnyConnect Client > Custom Attributes. Click Add, as shown in the image.

Step 9. Choose the Attribute Type as ManagementTunnelAllAllowed and choose the Value as true. Click OK, as shown in the image.

Step 10. Click Apply to push the configuration to the ASA, as shown in the image.

CLI Configuration after the ManagementTunnelAllAllowed Custom Attribute is added:

webvpn
 enable outside
 anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 no anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
 anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
anyconnect-custom-data ManagementTunnelAllAllowed true true
!
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 client-bypass-protocol enable
 address-pools value VPN_Pool
 anyconnect-custom ManagementTunnelAllAllowed value true
 webvpn
  anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt
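The "invalid VPN configuration" and "connect failed" states described under Troubleshoot come down to a handful of facts that can be checked in the running-config: certificate authentication and an enabled group-url on the tunnel-group, a profile of type vpn-mgmt and no banner in the group-policy, and either split-include with client-bypass-protocol or tunnel-all backed by the ManagementTunnelAllAllowed custom attribute. The following Python script, an added example not taken from Cisco, parses saved show running-config text and reports whichever of these is missing. SAMPLE_CONFIG is constructed from the CLI shown in this document; parse_sections and check_mgmt_tunnel_config are assumed helper names, and the script assumes DfltGrpPolicy keeps its default split-tunnel-policy (tunnelall), which is what a policy without an explicit split-tunnel-policy inherits.

```python
"""Check an ASA running-config for the invariants a management VPN tunnel needs:
certificate-only tunnel-group with an enabled group-url, a profile of type
vpn-mgmt, no banner, and either split-include plus client-bypass-protocol or
tunnel-all backed by the ManagementTunnelAllAllowed custom attribute.

Added example, not Cisco code. SAMPLE_CONFIG is constructed from the CLI shown
in this document; parse_sections and check_mgmt_tunnel_config are assumed
helper names. Assumes DfltGrpPolicy keeps its default split-tunnel-policy
(tunnelall), which is what a policy without the command inherits.
"""

MGMT_ATTR = "ManagementTunnelAllAllowed"

# Constructed sample: the tunnel-all variant of the configuration in this document.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
 anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
 anyconnect enable
!
anyconnect-custom-data ManagementTunnelAllAllowed true true
!
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelall
 client-bypass-protocol enable
 address-pools value VPN_Pool
 anyconnect-custom ManagementTunnelAllAllowed value true
 webvpn
  anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt
!
tunnel-group AnyConnect_MGMT_Tunnel type remote-access
tunnel-group AnyConnect_MGMT_Tunnel general-attributes
 default-group-policy AnyConnect_MGMT_Tunnel
tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
 authentication certificate
 group-url https://asa.example.com/AnyConnect_MGMT_Tunnel enable
"""


def parse_sections(config):
    """Group each top-level line with its indented children: {header: [stripped child lines]}.
    ASA indents sub-commands by one space per level; '!' separators are ignored."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def check_mgmt_tunnel_config(config, tunnel_group):
    """Return findings for the tunnel-group and the group-policy it maps to."""
    s = parse_sections(config)
    findings = []
    tg_general = s.get(f"tunnel-group {tunnel_group} general-attributes", [])
    tg_webvpn = s.get(f"tunnel-group {tunnel_group} webvpn-attributes", [])
    # Limitations: certificate authentication only, and the client dials a group-url.
    if "authentication certificate" not in tg_webvpn:
        findings.append("tunnel-group must use 'authentication certificate'")
    if not any(line.startswith("group-url ") and line.endswith(" enable") for line in tg_webvpn):
        findings.append("tunnel-group has no enabled group-url for the profile's UserGroup")
    gp_name = next((line.split()[1] for line in tg_general
                    if line.startswith("default-group-policy ")), None)
    if gp_name is None:
        findings.append("tunnel-group has no default-group-policy")
        return findings
    gp = s.get(f"group-policy {gp_name} attributes", [])
    # A banner needs the user to acknowledge it; the management tunnel cannot.
    if any(line.startswith("banner ") for line in gp):
        findings.append(f"group-policy {gp_name} has a banner; remove it")
    if not any(line.startswith("vpn-tunnel-protocol ") and ("ssl-client" in line or "ikev2" in line)
               for line in gp):
        findings.append("vpn-tunnel-protocol must include ssl-client and/or ikev2")
    if not any(line.startswith("anyconnect profiles value ") and line.endswith(" type vpn-mgmt")
               for line in gp):
        findings.append("group-policy does not push a profile of type vpn-mgmt")
    # No explicit split-tunnel-policy means the policy inherits tunnelall from DfltGrpPolicy.
    policy = next((line.split()[1] for line in gp if line.startswith("split-tunnel-policy ")),
                  "tunnelall")
    if policy == "tunnelall":
        # Tunnel-all is rejected as an invalid VPN configuration unless the custom
        # attribute is declared, given the value true, and referenced by the group-policy.
        declared = any(line.startswith(f"anyconnect-custom-attr {MGMT_ATTR}")
                       for line in s.get("webvpn", []))
        valued = f"anyconnect-custom-data {MGMT_ATTR} true true" in s
        referenced = f"anyconnect-custom {MGMT_ATTR} value true" in gp
        if not (declared and valued and referenced):
            findings.append(f"tunnel-all requires {MGMT_ATTR}: attr declared, data true, "
                            "and group-policy reference")
    else:
        if not any(line.startswith("split-tunnel-network-list value ") for line in gp):
            findings.append("split-include needs 'split-tunnel-network-list value <ACL>'")
        if "client-bypass-protocol enable" not in gp:
            findings.append("enable client-bypass-protocol unless both IPv4 and IPv6 addresses are pushed")
    return findings


if __name__ == "__main__":
    for finding in check_mgmt_tunnel_config(SAMPLE_CONFIG, "AnyConnect_MGMT_Tunnel") or ["config OK"]:
        print(finding)
```

Feed it the output of show running-config saved to a file and the name of the management tunnel-group; the same checker accepts the split-include variant from the earlier steps, because it only demands the custom attribute when the policy ends up tunnel-all.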

Verify

Verify the Management VPN tunnel connection on the ASA CLI with the show vpn-sessiondb detail anyconnect command.

ASA# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : vpnuser                Index        : 10
Assigned IP  : 192.168.10.1           Public IP    : 10.65.84.175
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 17238                  Bytes Rx     : 1988
Pkts Tx      : 12                     Pkts Rx      : 13
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : AnyConnect_MGMT_Tunnel Tunnel Group : AnyConnect_MGMT_Tunnel
Login Time   : 01:23:55 UTC Tue Apr 14 2020
Duration     : 0h:11m:36s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a801010000a0005e9510ab
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

--- Output Omitted ---

DTLS-Tunnel:
  Tunnel ID    : 10.3
  Assigned IP  : 192.168.10.1           Public IP    : 10.65.84.175
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 57053
  UDP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 18 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03036
  Bytes Tx     : 17238                  Bytes Rx     : 1988
  Pkts Tx      : 12                     Pkts Rx      : 13
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
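The session output above is easier to audit across many sessions when parsed. The following Python script, an added example not taken from Cisco, splits show vpn-sessiondb detail anyconnect output into one record per session and reports which sessions sit in the management tunnel-group and how they authenticated, so a management session that is not certificate-authenticated (the only mode the feature supports) stands out from ordinary user tunnels. SAMPLE_OUTPUT is constructed in the two-column "Key : value" layout shown above, with a second, user session added for contrast; parse_sessions and mgmt_session_report are assumed helper names.

```python
"""Parse 'show vpn-sessiondb detail anyconnect' output and pick out sessions
that landed in the management tunnel-group, with their authentication mode.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the layout shown
in this document (a second, user session is added for contrast);
parse_sessions and mgmt_session_report are assumed helper names.
"""
import re

SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : vpnuser                Index        : 10
Assigned IP  : 192.168.10.1           Public IP    : 10.65.84.175
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : AnyConnect_MGMT_Tunnel Tunnel Group : AnyConnect_MGMT_Tunnel
Login Time   : 01:23:55 UTC Tue Apr 14 2020
DTLS-Tunnel:
  Tunnel ID    : 10.3
  UDP Dst Port : 443                    Auth Mode    : Certificate
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03036

Username     : alice                  Index        : 11
Assigned IP  : 192.168.20.7           Public IP    : 10.65.84.201
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : AnyConnect_Users       Tunnel Group : AnyConnect_Users
Login Time   : 01:30:02 UTC Tue Apr 14 2020
SSL-Tunnel:
  Tunnel ID    : 11.2
  TCP Dst Port : 443                    Auth Mode    : userPassword
"""

# One 'Key : value' pair. A value ends where the next key begins (whitespace, then a
# run of letters/spaces, then a colon) or at end of line; keys never contain '-' or
# digits, so timestamps like 01:23:55 and names like SSL-Tunnel stay inside values.
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s+[A-Za-z][A-Za-z ]*?\s*:|\s*$)")


def parse_sessions(output):
    """One dict per session; a session starts at each 'Username' field. Keys repeated
    in the per-tunnel sub-blocks (SSL-Tunnel, DTLS-Tunnel) keep the first value seen."""
    sessions = []
    for line in output.splitlines():
        for key, value in FIELD.findall(line.strip()):
            if key == "Username":
                sessions.append({})
            if sessions:
                sessions[-1].setdefault(key, value)
    return sessions


def mgmt_session_report(output, mgmt_tunnel_group):
    """Map username -> Auth Mode for every session in the management tunnel-group."""
    return {s["Username"]: s.get("Auth Mode", "unknown")
            for s in parse_sessions(output)
            if s.get("Tunnel Group") == mgmt_tunnel_group}


if __name__ == "__main__":
    for user, mode in mgmt_session_report(SAMPLE_OUTPUT, "AnyConnect_MGMT_Tunnel").items():
        flag = "" if mode == "Certificate" else "  <-- not certificate-authenticated"
        print(f"{user}: {mode}{flag}")
```

Any entry in the report whose mode is not Certificate, or any expected management host that is absent from it, is a session worth examining with the Troubleshoot states below.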

Verify the Management VPN tunnel connection on ASDM.

Navigate to Monitoring > VPN > VPN Statistics > Sessions. Filter by AnyConnect Client to see the client session.

Verification of the Management VPN tunnel connection on the Client Machine:

Troubleshoot

The new UI Statistics line (Management Connection State) can be used to troubleshoot management tunnel connectivity issues. These are the commonly seen error states:

Disconnected (disabled):

  • The feature is disabled.
  • Ensure that the management VPN profile was deployed to the client, via a user tunnel connection (requires you to add the management VPN profile to the user tunnel-group policy) or out of band through manual upload of the profile.
  • Ensure that the management VPN profile is configured with a single host entry that includes a tunnel group.

Disconnected (trusted network):

  • TND detected a trusted network so the management tunnel is not established.

Disconnected (user tunnel active):

  • A user VPN tunnel is currently active.

Disconnected (process launch failed):

  • A process launch failure was encountered when the management tunnel connection was attempted.

Disconnected (connect failed):

  • A connection failure was encountered when the management tunnel was established.
  • Ensure that certificate authentication is configured in the tunnel group, no banner is present in the group policy, and the server certificate is trusted.

Disconnected (invalid VPN configuration):

  • An invalid split tunneling or client-bypass-protocol configuration was received from the VPN server.
  • Check your configuration in the management tunnel-group policy against the documentation.

Disconnected (software update pending):

  • An AnyConnect software update is currently pending.

Disconnected:

  • The management tunnel is about to be established or can not be established for some other reason.

Collect DART for further troubleshooting.

Related Information