Enabling Permanent Client Installation; Configuring Dtls - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Chapter 38
Configuring AnyConnect VPN Client Connections

Enabling Permanent Client Installation

Enabling permanent client installation disables the automatic uninstalling feature of the client. The client
remains installed on the remote computer for subsequent connections, reducing the connection time for
the remote user.
To enable permanent SVC installation for a specific group or user, use the svc keep-installer installed
command from group-policy or username webvpn modes.
By default, permanent installation of the client is disabled, and the client on the remote computer
uninstalls at the end of every session. The following example configures the existing group-policy sales
to keep the client installed on the remote computer:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc keep-installer installed

Configuring DTLS

Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN
connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids
latency and bandwidth problems associated with SSL connections and improves the performance of
real-time applications that are sensitive to packet delays.
By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS,
SSL VPN connections connect with an SSL VPN tunnel only.
Note: In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you
do not enable DPD, and the DTLS connection experiences a problem, the connection terminates instead
of falling back to TLS. For more information on enabling DPD, see Enabling and Adjusting Dead Peer
Detection, page 38-13.
You can disable DTLS for all AnyConnect client users with the tls-only option of the enable command in
webvpn configuration mode. For example:
hostname(config-webvpn)# enable outside tls-only
By default, DTLS is enabled for specific groups or users with the svc dtls enable command in group
policy webvpn or username webvpn configuration mode.
If you need to disable DTLS, use the no form of the command. For example:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no svc dtls enable
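
A configuration audit for the settings described in this section, as an added example (not from the Cisco guide): it reads commands as typed at the prompt or as indented configuration lines and reports tls-only interfaces plus the keep-installer and DTLS state of each group policy or user. The function name, the sample input and the policy name engineering are constructed for illustration.

```python
import re

PROMPT = re.compile(r"^\S+\([\w-]+\)#\s*")  # e.g. "hostname(config-group-webvpn)# "
SCOPE = re.compile(r"^(group-policy|username)\s+(\S+)\s+attributes$")
TLS_ONLY = re.compile(r"^enable\s+(\S+)\s+tls-only$")

# Constructed sample: typed commands (with prompts) mixed with config-style lines.
SAMPLE = """\
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc keep-installer installed
hostname(config-group-webvpn)# no svc dtls enable
group-policy engineering attributes
 webvpn
  svc dtls enable
webvpn
 enable outside tls-only
"""

def audit(config_text):
    """Return (tls_only_interfaces, per-scope settings, findings)."""
    tls_only, scopes, current = [], {}, None
    for raw in config_text.splitlines():
        # Drop an optional CLI prompt and normalise whitespace.
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        m = SCOPE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            # Defaults stated in the guide: client uninstalls, DTLS enabled.
            scopes.setdefault(current, {"keep_installer": False, "dtls": True})
            continue
        m = TLS_ONLY.match(line)
        if m:
            tls_only.append(m.group(1))
        elif current and line == "svc keep-installer installed":
            scopes[current]["keep_installer"] = True
        elif current and line in ("svc dtls enable", "no svc dtls enable"):
            scopes[current]["dtls"] = not line.startswith("no ")
    findings = [f"interface {i}: tls-only, DTLS disabled for all AnyConnect users"
                for i in tls_only]
    for name, s in scopes.items():
        if s["keep_installer"]:
            findings.append(f"{name}: client stays installed on remote computers")
        if s["dtls"]:
            findings.append(f"{name}: DTLS enabled; confirm DPD is enabled so it can fall back to TLS")
        else:
            findings.append(f"{name}: DTLS disabled, SSL VPN tunnel only")
    return tls_only, scopes, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[2]))
```
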

Command syntax for the commands described above:
svc keep-installer installed
enable <interface> tls-only
[no] svc dtls enable

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03


This manual is also suitable for:

Asa 5500 series