Configure AnyConnect Management VPN Tunnel on ASA (2024)

    Introduction

    This document describes how to configure the ASA as a VPN gateway that accepts connections from the AnyConnect Secure Mobility Client through a management VPN tunnel.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • VPN configuration through Adaptive Security Device Manager (ASDM)
    • Basic Adaptive Security Appliance (ASA) CLI Configuration
    • X509 Certificates

    Components Used

    The information in this document is based on these software and hardware versions:

    • Cisco ASA software version 9.12(3)9
    • Cisco ASDM software version 7.12.2
    • Windows 10 with Cisco AnyConnect Secure Mobility Client version 4.8.03036

    Note: Download the AnyConnect VPN web deploy package (anyconnect-win*.pkg or anyconnect-macos*.pkg) from the Cisco Software Download page (registered customers only). Copy the AnyConnect VPN client package to the flash memory of the ASA; it is downloaded from there to the remote user computers to establish the SSL VPN connection with the ASA. Refer to the Installing the AnyConnect Client section of the ASA configuration guide for more information.


    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.

    The AnyConnect Management Tunnel allows administrators to have AnyConnect connected, without user intervention, before the user logs in. The management tunnel works in conjunction with Trusted Network Detection and is therefore triggered only when the endpoint is off-premise and not connected through a user-initiated VPN. The management tunnel is transparent to the end user and disconnects automatically when the user initiates a VPN.

    OS/Application                 Minimum Version Requirement
    ASA                            9.0.1
    ASDM                           7.10.1
    Windows AnyConnect             4.7.00136
    macOS AnyConnect               4.7.01076
    Linux                          Unsupported

    How the Management Tunnel Works

    AnyConnect VPN agent service is automatically started upon system boot-up. It detects that the management tunnel feature is enabled (via the management VPN profile), therefore it launches the management client application to initiate a management tunnel connection. The management client application uses the host entry from the management VPN profile to initiate the connection. Then the VPN tunnel is established as usual, with one exception: no software update is performed during a management tunnel connection since the management tunnel is meant to be transparent to the user.

    The user initiates a VPN tunnel via the AnyConnect UI, which triggers the management tunnel termination. Upon management tunnel termination, the user tunnel establishment continues as usual.

    The user disconnects the VPN tunnel, which triggers the automatic re-establishment of the management tunnel.

    Limitations

    • User interaction is not supported
    • Only certificate-based authentication through the Machine Certificate Store (Windows) is supported
    • Strict Server Certificate checking is enforced
    • A private proxy is not supported
    • A public proxy is not supported (ProxyNative value is supported on platforms where Native Proxy settings are not retrieved from the browser)
    • AnyConnect Customization Scripts are not supported

    Note: For more information, refer to About the Management VPN Tunnel.

    Configure

    This section describes how to configure the Cisco ASA as the VPN gateway to accept connections from AnyConnect clients through the Management VPN tunnel.

    Configuration on ASA through ASDM/CLI

    Step 1. Create the AnyConnect Group Policy. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Click Add.

    Note: It is advisable to create a new AnyConnect Group Policy which is used for the AnyConnect Management tunnel only.

    [Figure 1]

    Step 2. Provide a Name for the Group Policy. Assign/Create an Address Pool. Choose Tunneling Protocols as SSL VPN Client and/or IPsec IKEv2, as shown in the image.

    [Figure 2]

    Step 3. Navigate to Advanced > Split Tunneling. Configure the Policy as Tunnel Network List Below and choose the Network List, as shown in the image.

    [Figure 3]

    Note: If a client address is not pushed for both IP protocols (IPv4 and IPv6), the Client Bypass Protocol setting must be enabled so that traffic of the protocol without an assigned address is not disrupted by the management tunnel. To configure it, refer to Step 4.

    Step 4. Navigate to Advanced > AnyConnect Client. Set Client Bypass Protocol to Enable. Click OK to save, as shown in the image.

    [Figure 4]

    Step 5. As shown in this image, click Apply to push the configuration to the ASA.

    [Figure 5]

    CLI Configuration for Group Policy:

    ip local pool VPN_Pool 192.168.10.1-192.168.10.100 mask 255.255.255.0
    !
    access-list VPN-Split standard permit 172.16.0.0 255.255.0.0
    !
    group-policy AnyConnect_MGMT_Tunnel internal
    group-policy AnyConnect_MGMT_Tunnel attributes
     vpn-tunnel-protocol ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-Split
     client-bypass-protocol enable
     address-pools value VPN_Pool

    The split-tunnel-policy tunnelspecified line is what ASDM writes for Tunnel Network List Below; without it the group policy inherits the tunnelall default and the client rejects the management tunnel configuration.


    Step 6. Create the AnyConnect Connection Profile. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profile. Click Add.

    Note: It is advisable to create a new AnyConnect Connection Profile which is used for the AnyConnect Management tunnel only.

    [Figure 6]

    Step 7. Provide a Name for the Connection Profile, and set Authentication Method to Certificate only. Choose the Group Policy created in Step 1.

    [Figure 7]

    Note: Ensure that the Root certificate of the Local CA (the CA that issues the client identity certificates) is present on the ASA. Navigate to Configuration > Remote Access VPN > Certificate Management > CA Certificates to add/view the certificate.

    Note: Ensure that an Identity certificate issued by the same Local CA exists in the Machine Certificate Store (Windows) and/or in the System Keychain (macOS).

    Step 8. Navigate to Advanced > Group Alias/Group URL. Click Add under Group URLs and add a URL. Ensure Enabled is checked. Click OK to save, as shown in the image.

    [Figure 8]

    If IKEv2 is used, ensure IPsec (IKEv2) Access is enabled on the interface used for AnyConnect.

    [Figure 9]

    Step 9. Click Apply to push the configuration to the ASA.

    [Figure 10]

    CLI configuration for connection profile (tunnel-group):

    tunnel-group AnyConnect_MGMT_Tunnel type remote-access
    tunnel-group AnyConnect_MGMT_Tunnel general-attributes
     default-group-policy AnyConnect_MGMT_Tunnel
    tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
     authentication certificate
     group-url https://asa.example.com/AnyConnect_MGMT_Tunnel enable


    Step 10. Ensure that a trusted certificate is installed on the ASA and bound to the interface used for AnyConnect connections. Navigate to Configuration > Remote Access VPN > Advanced > SSL Settings to add/view this setting. Strict server certificate checking is enforced for the management tunnel, so the client must already trust this certificate without prompting; an untrusted ASA certificate leaves the management tunnel in the Disconnected (connect failed) state.

    Note: Refer to Installation of Identity Certificate on ASA.

    [Figure 11]

    CLI Configuration for SSL Trustpoint:

    ssl trust-point ROOT-CA outside
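    As an added check (example code, not part of the original document and not a Cisco tool), the script below lints a saved ASA running-config excerpt against the management-tunnel rules this page states: certificate-only authentication with an enabled group-url on the tunnel-group, split-include tunneling (or tunnel-all only with the ManagementTunnelAllAllowed custom attribute), client-bypass-protocol, no banner, and a vpn-mgmt profile attached to the group policy. Those are exactly the mistakes the client later reports only as Disconnected (connect failed) or Disconnected (invalid VPN configuration). It assumes the standard ASA indentation of subcommands and that an unset split-tunnel-policy inherits the tunnelall default of DfltGrpPolicy; the two configurations it runs against are constructed for illustration.

```python
import re


def parse_asa_config(text):
    """Group an ASA configuration into {command: [subcommand, ...]}.

    ASA indents subcommands with leading spaces; nested sub-modes (the 'webvpn'
    under a group-policy) are flattened into their parent block, which is enough here.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint_mgmt_tunnel(config_text, tunnel_group):
    """Return 'CODE: reason' findings for one management tunnel-group; [] means clean."""
    cfg = parse_asa_config(config_text)
    webvpn = cfg.get("webvpn", [])
    findings = []
    tg_webvpn = cfg.get(f"tunnel-group {tunnel_group} webvpn-attributes", [])
    # The management client can never prompt, so only certificate authentication works.
    if "authentication certificate" not in tg_webvpn:
        findings.append("AUTH: tunnel-group webvpn-attributes must contain 'authentication certificate'")
    if not any(l.startswith("group-url ") and l.endswith(" enable") for l in tg_webvpn):
        findings.append("URL: tunnel-group needs an enabled group-url (profile HostAddress + UserGroup)")
    gp_name = next((l.split()[1] for l in cfg.get(f"tunnel-group {tunnel_group} general-attributes", [])
                    if l.startswith("default-group-policy ")), None)
    if gp_name is None:
        return findings + ["GP: tunnel-group has no default-group-policy"]
    gp = cfg.get(f"group-policy {gp_name} attributes", [])
    proto = next((l for l in gp if l.startswith("vpn-tunnel-protocol ")), "")
    if not {"ssl-client", "ikev2"} & set(proto.split()):
        findings.append("PROTO: vpn-tunnel-protocol must allow ssl-client and/or ikev2")
    # Split tunneling: split-include by default, or tunnel-all only with the
    # ManagementTunnelAllAllowed custom attribute defined, valued and attached.
    policy = next((l.split()[1] for l in gp if l.startswith("split-tunnel-policy ")), None)
    if policy is None:
        policy = "tunnelall"  # nothing set here: inherited, and DfltGrpPolicy defaults to tunnelall
        findings.append("SPLIT: split-tunnel-policy is not set, so tunnelall is inherited from the default group policy")
    if policy == "tunnelspecified":
        acl = next((l.split()[-1] for l in gp if l.startswith("split-tunnel-network-list value ")), None)
        if acl is None or not any(k.startswith(f"access-list {acl} ") for k in cfg):
            findings.append("SPLIT: tunnelspecified needs split-tunnel-network-list pointing at an existing ACL")
    elif policy == "tunnelall":
        if not ("anyconnect-custom ManagementTunnelAllAllowed value true" in gp
                and any(l.startswith("anyconnect-custom-attr ManagementTunnelAllAllowed") for l in webvpn)
                and "anyconnect-custom-data ManagementTunnelAllAllowed true true" in cfg):
            findings.append("SPLIT: tunnelall is only valid with ManagementTunnelAllAllowed defined, valued and attached")
    else:
        findings.append(f"SPLIT: split-tunnel-policy {policy} is not valid for a management tunnel")
    has_v4 = any(l.startswith("address-pools ") for l in gp)
    has_v6 = any(l.startswith("ipv6-address-pools ") for l in gp)
    if "client-bypass-protocol enable" not in gp and not (has_v4 and has_v6):
        findings.append("BYPASS: client-bypass-protocol enable is required unless both IPv4 and IPv6 pools are assigned")
    if any(l.startswith("banner ") for l in gp):
        findings.append("BANNER: a group-policy banner needs user acknowledgement and breaks the management tunnel")
    prof = next((l.split()[3] for l in gp if re.fullmatch(r"anyconnect profiles value \S+ type vpn-mgmt", l)), None)
    if prof is None:
        findings.append("PROFILE: group-policy must attach an AnyConnect profile with 'type vpn-mgmt'")
    elif not any(l.startswith(f"anyconnect profiles {prof} ") for l in webvpn):
        findings.append(f"PROFILE: profile {prof} is not registered under webvpn")
    return findings


# Constructed sample: the configuration this page builds, in its working form.
GOOD_CONFIG = """\
access-list VPN-Split standard permit 172.16.0.0 255.255.0.0
webvpn
 anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
 anyconnect enable
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Split
 client-bypass-protocol enable
 address-pools value VPN_Pool
 webvpn
  anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt
tunnel-group AnyConnect_MGMT_Tunnel type remote-access
tunnel-group AnyConnect_MGMT_Tunnel general-attributes
 default-group-policy AnyConnect_MGMT_Tunnel
tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
 authentication certificate
 group-url https://asa.example.com/AnyConnect_MGMT_Tunnel enable
"""
# Constructed sample: the same config with three mistakes the client cannot explain by itself.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" split-tunnel-policy tunnelspecified\n", "")           # inherits tunnelall
              .replace(" authentication certificate", " authentication aaa")  # would prompt
              .replace(" client-bypass-protocol enable\n", " banner value Welcome\n"))

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_mgmt_tunnel(cfg, "AnyConnect_MGMT_Tunnel") or "OK")
```

    Run it against the output of show running-config on the ASA before deploying the management profile; the BAD_CONFIG sample produces AUTH, SPLIT, BYPASS and BANNER findings, while the working configuration returns an empty list.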

    Creation of AnyConnect Management VPN Profile

    Step 1. Create the AnyConnect Client Profile. Navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile. Click Add, as shown in the image.

    [Figure 12]

    Step 2. Provide a Profile Name. Choose the Profile Usage as AnyConnect Management VPN Profile. Choose the Group Policy created in Step 1 of the ASA configuration. Click OK, as shown in the image.

    [Figure 13]

    Step 3. Choose the profile created and click Edit, as shown in the image.

    [Figure 14]

    Step 4. Navigate to Server List. Click Add to add a new server list entry, as shown in the image.

    [Figure 15]

    Step 5. Provide a Display Name. Add the FQDN/IP address of the ASA. Provide the User Group as the tunnel-group name. Group URL is automatically populated from the FQDN and User Group. Click OK.

    [Figure 16]

    Note: The FQDN/IP Address + User Group must be the same as the Group URL configured in the AnyConnect Connection Profile in Step 8.

    Note: AnyConnect with IKEv2 as the protocol can also be used to establish the management VPN tunnel to the ASA. Ensure Primary Protocol is set to IPsec in Step 5.

    Step 6. As shown in the image, click OK to save.

    [Figure 17]

    Step 7. Click Apply to push the configuration to the ASA, as shown in the image.

    [Figure 18]

    CLI configuration after the addition of the AnyConnect Management VPN Profile:

    webvpn
     enable outside
     hsts
      enable
      max-age 31536000
      include-sub-domains
      no preload
     no anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
     anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
     anyconnect enable
     tunnel-group-list enable
     cache
      disable
     error-recovery disable
    !
    group-policy AnyConnect_MGMT_Tunnel internal
    group-policy AnyConnect_MGMT_Tunnel attributes
     vpn-tunnel-protocol ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VPN-Split
     client-bypass-protocol enable
     address-pools value VPN_Pool
     webvpn
      anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt

    AnyConnect Management VPN Profile on the AnyConnect client machine:

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
      <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>Machine</CertificateStore>
        <CertificateStoreMac>System</CertificateStoreMac>
        <CertificateStoreOverride>true</CertificateStoreOverride>
        <ProxySettings>IgnoreProxy</ProxySettings>
        <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
        <AuthenticationTimeout>30</AuthenticationTimeout>
    --- Output Omitted ---
        <CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
        <AllowManualHostInput>false</AllowManualHostInput>
      </ClientInitialization>
      <ServerList>
        <HostEntry>
          <HostName>AnyConnect_MGMT_Tunnel</HostName>
          <HostAddress>asa.example.com</HostAddress>
          <UserGroup>AnyConnect_MGMT_Tunnel</UserGroup>
        </HostEntry>
      </ServerList>
    </AnyConnectProfile>

    Note: If Trusted Network Detection (TND) is used in the user AnyConnect VPN profile, it is advisable to match the same settings in the Management VPN Profile for a consistent user experience. The management VPN tunnel is triggered based on the TND settings applied to the user VPN tunnel profile. Additionally, the TND Connect action in the management VPN profile (enforced only when the management VPN tunnel is active) always applies to the user VPN tunnel, to ensure that the management VPN tunnel is transparent to the end user.

    Note: On any end-user PC, if the Management VPN profile has TND settings enabled and the user VPN profile is missing, the client falls back to the default preferences for TND (TND is disabled in the default preferences of the AnyConnect client application) in place of the missing user VPN profile. This mismatch can lead to unexpected/undefined behavior.
    By default, TND settings are disabled in the default preferences.
    To overcome the hardcoded default preferences in the AnyConnect client application, the end-user PC must have two VPN profiles, a user VPN profile and an AnyConnect Management VPN profile, and both must have the same TND settings.
    The logic behind management VPN tunnel connection and disconnection is: to establish the management VPN tunnel, the AnyConnect agent uses the TND settings of the user VPN profile; to disconnect the management VPN tunnel, it checks the TND settings of the management VPN profile.

    Deployment Methods for AnyConnect Management VPN Profile

    • Complete a successful user VPN connection to the ASA connection profile; the AnyConnect Management VPN Profile is downloaded from the VPN gateway during that connection (the management VPN profile must also be attached to the group policy of the user tunnel-group).

    Note: If the protocol used for the management VPN tunnel is IKEv2, the first connection must be established through SSL in order to download the AnyConnect Management VPN profile from the ASA.

    • The AnyConnect Management VPN Profile can also be deployed manually to the client machines, either through a GPO push or by manual installation (ensure the name of the profile file is VpnMgmtTunProfile.xml).

      Location of the folder where the profile must be placed:
      Windows: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun
      macOS: /opt/cisco/anyconnect/profile/mgmttun/
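    Before the profile is pushed by GPO or dropped into the MgmtTun folder, the rules this page spreads across the profile notes (exactly one HostEntry carrying the tunnel-group name, HostAddress + UserGroup equal to the ASA group-url, Machine/System certificate store with no prompt, and TND settings identical to the user profile) can be checked against the XML file itself. The script below is an added example, not Cisco code and not part of the original page: the two profiles are constructed, and the AutomaticVPNPolicy, TrustedDNSDomains, TrustedNetworkPolicy and UntrustedNetworkPolicy elements used for the TND comparison come from the AnyConnect profile schema rather than from the elided part of the XML shown above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://schemas.xmlsoap.org/encoding/}"  # namespace declared by AnyConnect profiles


def _text(elem, name):
    """Stripped text of the first descendant called name, or '' if absent."""
    return (elem.findtext(f".//{NS}{name}") or "").strip()


def _tree(elem):
    """Namespace-free (tag, text, children) tuple so two TND subtrees can be compared."""
    return (elem.tag.replace(NS, ""), (elem.text or "").strip(), tuple(_tree(c) for c in elem))


def validate_mgmt_profile(mgmt_xml, asa_group_url, user_xml=None):
    """Return 'CODE: reason' findings for a management VPN profile; [] means it passes."""
    root = ET.fromstring(mgmt_xml.encode("utf-8"))
    findings = []
    hosts = root.findall(f".//{NS}HostEntry")
    if len(hosts) != 1:
        findings.append(f"HOST: exactly one HostEntry is required, found {len(hosts)}")
    else:
        addr, group = _text(hosts[0], "HostAddress"), _text(hosts[0], "UserGroup")
        if not group:
            findings.append("HOST: HostEntry needs a UserGroup (the tunnel-group name)")
        url = urlsplit(asa_group_url.strip())  # scheme://host/UserGroup as configured on the ASA
        if (addr.lower(), group) != (url.netloc.lower(), url.path.strip("/")):
            findings.append(f"URL: https://{addr}/{group} does not match ASA group-url {asa_group_url}")
    # Only machine-store certificate authentication with no prompt of any kind is supported.
    if _text(root, "CertificateStore") != "Machine":
        findings.append("CERT: CertificateStore must be Machine (Windows machine certificate store)")
    if _text(root, "CertificateStoreMac") != "System":
        findings.append("CERT: CertificateStoreMac must be System (macOS System Keychain)")
    if _text(root, "AutomaticCertSelection") != "true":
        findings.append("CERT: AutomaticCertSelection must be true, a certificate prompt cannot be answered")
    if _text(root, "ShowPreConnectMessage") == "true":
        findings.append("UI: ShowPreConnectMessage requires user interaction")
    # The agent uses the user profile's TND settings to bring the management tunnel up and the
    # management profile's TND settings to take it down, so the two blocks must be identical.
    if user_xml is not None:
        mine = root.find(f".//{NS}AutomaticVPNPolicy")
        theirs = ET.fromstring(user_xml.encode("utf-8")).find(f".//{NS}AutomaticVPNPolicy")
        if (mine is None) != (theirs is None) or (mine is not None and _tree(mine) != _tree(theirs)):
            findings.append("TND: AutomaticVPNPolicy differs between the management and user profiles")
    return findings


# Constructed sample modelled on the profile shown above, with a TND block added.
MGMT_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreMac>System</CertificateStoreMac>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>AnyConnect_MGMT_Tunnel</HostName>
      <HostAddress>asa.example.com</HostAddress>
      <UserGroup>AnyConnect_MGMT_Tunnel</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""
# Constructed user profile: same TND block, its own tunnel-group.
USER_PROFILE = MGMT_PROFILE.replace("AnyConnect_MGMT_Tunnel", "AnyConnect_User_Tunnel")

if __name__ == "__main__":
    print(validate_mgmt_profile(MGMT_PROFILE, "https://asa.example.com/AnyConnect_MGMT_Tunnel", USER_PROFILE) or "OK")
```

    Point it at the VpnMgmtTunProfile.xml you intend to deploy and at the user profile from the same machine; a URL finding means the profile's HostAddress/UserGroup and the tunnel-group's group-url have drifted apart, and a TND finding means the two profiles would make the agent use one policy to connect and a different one to disconnect.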

    (Optional) Configure a Custom Attribute to Support Tunnel-All Configuration

    The management VPN tunnel requires a split-include tunneling configuration by default, to avoid an impact on user-initiated network communication. This can be overridden by configuring the ManagementTunnelAllAllowed custom attribute in the group policy used by the management tunnel connection.

    Step 1. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attributes. Click Add, as shown in the image.

    [Figure 19]

    Step 2. Set the custom attribute Type to ManagementTunnelAllAllowed and provide a Description. Click OK, as shown in the image.

    [Figure 20]

    Step 3. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Advanced > AnyConnect Custom Attribute Names. Click Add, as shown in the image.

    [Figure 21]

    Step 4. Choose the Type as ManagementTunnelAllAllowed. Set the Name as true. Click Add to provide a custom attribute value, as shown in the image.

    [Figure 22]

    Step 5. Set the Value as true. Click OK, as shown in the image.

    [Figure 23]

    Step 6. Navigate to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Choose the Group Policy. Click Edit, as shown in the image.

    [Figure 24]

    Step 7. As shown in this image, navigate to Advanced > Split Tunneling. Configure the Policy as Tunnel All Networks.

    [Figure 25]

    Step 8. Navigate to Advanced > AnyConnect Client > Custom Attributes. Click Add, as shown in the image.

    [Figure 26]

    Step 9. Choose the Attribute type as ManagementTunnelAllAllowed and choose the Value as true. Click OK, as shown in the image.

    [Figure 27]

    Step 10. Click Apply to push the configuration to the ASA, as shown in the image.

    [Figure 28]

    CLI configuration after the ManagementTunnelAllAllowed custom attribute is added:

    webvpn
     enable outside
     anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
     hsts
      enable
      max-age 31536000
      include-sub-domains
      no preload
     no anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-4.8.02045-webdeploy-k9.pkg 1
     anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
     anyconnect enable
     tunnel-group-list enable
     cache
      disable
     error-recovery disable
    !
    anyconnect-custom-data ManagementTunnelAllAllowed true true
    !
    group-policy AnyConnect_MGMT_Tunnel internal
    group-policy AnyConnect_MGMT_Tunnel attributes
     vpn-tunnel-protocol ikev2 ssl-client
     split-tunnel-policy tunnelall
     client-bypass-protocol enable
     address-pools value VPN_Pool
     anyconnect-custom ManagementTunnelAllAllowed value true
     webvpn
      anyconnect profiles value AnyConnect_MGMT_Profile type vpn-mgmt

    Verify

    Verify the management VPN tunnel connection on the ASA CLI with the show vpn-sessiondb detail anyconnect command. Confirm that Group Policy and Tunnel Group show the management tunnel-group and that Auth Mode is Certificate.

    ASA# show vpn-sessiondb detail anyconnect

    Session Type: AnyConnect Detailed

    Username     : vpnuser                Index        : 10
    Assigned IP  : 192.168.10.1           Public IP    : 10.65.84.175
    Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
    License      : AnyConnect Premium
    Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
    Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
    Bytes Tx     : 17238                  Bytes Rx     : 1988
    Pkts Tx      : 12                     Pkts Rx      : 13
    Pkts Tx Drop : 0                      Pkts Rx Drop : 0
    Group Policy : AnyConnect_MGMT_Tunnel Tunnel Group : AnyConnect_MGMT_Tunnel
    Login Time   : 01:23:55 UTC Tue Apr 14 2020
    Duration     : 0h:11m:36s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801010000a0005e9510ab
    Security Grp : none

    AnyConnect-Parent Tunnels: 1
    SSL-Tunnel Tunnels: 1
    DTLS-Tunnel Tunnels: 1

    --- Output Omitted ---

    DTLS-Tunnel:
      Tunnel ID    : 10.3
      Assigned IP  : 192.168.10.1           Public IP    : 10.65.84.175
      Encryption   : AES-GCM-256            Hashing      : SHA384
      Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
      Encapsulation: DTLSv1.2               UDP Src Port : 57053
      UDP Dst Port : 443                    Auth Mode    : Certificate
      Idle Time Out: 30 Minutes             Idle TO Left : 18 Minutes
      Client OS    : Windows
      Client Type  : DTLS VPN Client
      Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.8.03036
      Bytes Tx     : 17238                  Bytes Rx     : 1988
      Pkts Tx      : 12                     Pkts Rx      : 13
      Pkts Tx Drop : 0                      Pkts Rx Drop : 0


    Verify the management VPN tunnel connection on ASDM.

    Navigate to Monitoring > VPN > VPN Statistics > Sessions. Filter by AnyConnect Client to see the client session.

    [Figure 29]

    Verification of the management VPN tunnel connection on the client machine:

    [Figure 30]

    Troubleshoot

    The Management Connection State line in the AnyConnect UI Statistics can be used to troubleshoot management tunnel connectivity issues. These are the commonly seen states:

    Disconnected (disabled):

    • The feature is disabled.
    • Ensure that the management VPN profile was deployed to the client, either via a user tunnel connection (which requires you to add the management VPN profile to the group policy of the user tunnel-group) or out of band through manual upload of the profile.
    • Ensure that the management VPN profile is configured with a single host entry that includes a tunnel group.


    Disconnected (trusted network):

    • TND detected a trusted network so the management tunnel is not established.


    Disconnected (user tunnel active):

    • A user VPN tunnel is currently active.

    Disconnected (process launch failed):

    • A process launch failure was encountered when the management tunnel connection is attempted.

    Disconnected (connect failed):

    • A connection failure was encountered when the management tunnel is established.
    • Ensure that certificate authentication is configured in the tunnel group, that no banner is present in the group policy, and that the server certificate is trusted by the client.

    Disconnected (invalid VPN configuration):

    • An invalid split tunneling or client-bypass-protocol configuration was received from the VPN server.
    • Check your configuration in the management tunnel-group policy against the documentation.

    Disconnected (software update pending):

    • An AnyConnect software update is currently pending.

    Disconnected:

    • The management tunnel is about to be established or cannot be established for some other reason.


    Collect a DART bundle for further troubleshooting.

    Related Information

    • Configuration of Management VPN Tunnel
    • Troubleshooting Management VPN Tunnel