Cisco ASA 5505 User Manual


67-78

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Supporting a Zone Labs Integrity Server

Step 1

Enter group policy webvpn configuration mode. For example:

hostname(config)# group-policy sales attributes

hostname(config-group-policy)# webvpn

Step 2

To disable the permanent installation of the AnyConnect client on the endpoint computer, use the
anyconnect keep-installer command with the none keyword. For example:

hostname(config-group-webvpn)# anyconnect keep-installer none

hostname(config-group-webvpn)#

The default is that permanent installation of the client is enabled. The client remains installed on the
endpoint at the end of the AnyConnect session.

Step 3

To enable compression of HTTP data over an AnyConnect SSL connection for the group policy, enter
the anyconnect ssl compression command. By default, compression is set to none (disabled). To enable
compression, use the deflate keyword. For example:

hostname(config-group-webvpn)# anyconnect ssl compression deflate

hostname(config-group-webvpn)#

Step 4

To enable dead peer detection (DPD) on the ASA and to set the frequency with which either the
AnyConnect client or the ASA performs DPD, use the anyconnect dpd-interval command:

anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

By default, both the ASA and the AnyConnect client perform DPD every 30 seconds.

The gateway keyword refers to the ASA. You can specify the frequency with which the ASA performs the DPD
test in the range 30 to 3600 seconds (1 hour). Specifying none disables the DPD testing that the ASA
performs. A value of 300 is recommended.

The client keyword refers to the AnyConnect client. You can specify the frequency with which the client
performs the DPD test in the range 30 to 3600 seconds (1 hour). Specifying none disables the DPD testing
that the client performs. A value of 30 is recommended.

The following example configures the DPD frequency performed by the ASA (gateway) to 300 seconds,
and the DPD frequency performed by the client to 30 seconds:

hostname(config-group-webvpn)# anyconnect dpd-interval gateway 300

hostname(config-group-webvpn)# anyconnect dpd-interval client 30

hostname(config-group-webvpn)#

Step 5

By adjusting the frequency of keepalive messages with the anyconnect ssl keepalive command, you can
ensure that an AnyConnect connection through a proxy, firewall, or NAT device remains open even if the
device limits the time that the connection can be idle:

anyconnect ssl keepalive {none | seconds}

Adjusting keepalives also ensures the AnyConnect client does not disconnect and reconnect when the
remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft
Internet Explorer.

The following example configures the security appliance to enable the AnyConnect client to send
keepalive messages, with a frequency of 300 seconds (5 minutes):

hostname(config-group-webvpn)# anyconnect ssl keepalive 300

hostname(config-group-webvpn)#
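The DPD and keepalive settings from Steps 4 and 5 are easy to get wrong in templated configurations, so the following audit script, added here as an example and not part of the Cisco guide, checks a group-policy webvpn excerpt against the ranges and recommended values stated above. The sample configuration text is constructed for the example; the ASA itself rejects out-of-range values at the CLI, so the range check mainly catches errors in generated templates before they are pushed.

```python
import re

# Limits and recommendations from the configuration guide text above.
DPD_MIN, DPD_MAX = 30, 3600          # allowed dpd-interval range in seconds
DEFAULT_DPD = 30                     # applies when dpd-interval is not configured
RECOMMENDED = {"gateway": 300, "client": 30}

# Constructed sample of a group-policy webvpn section from a running-config.
SAMPLE_CONFIG = """\
group-policy sales attributes
 webvpn
  anyconnect keep-installer none
  anyconnect ssl compression deflate
  anyconnect dpd-interval gateway none
  anyconnect dpd-interval client 5000
  anyconnect ssl keepalive 300
"""

DPD_RE = re.compile(r"^\s*anyconnect dpd-interval (gateway|client) (\S+)$")
KEEPALIVE_RE = re.compile(r"^\s*anyconnect ssl keepalive (\S+)$")


def audit_webvpn(config: str) -> list[str]:
    """Return a list of findings for the anyconnect DPD/keepalive settings."""
    findings = []
    dpd_seen = {}
    for line in config.splitlines():
        m = DPD_RE.match(line)
        if m:
            side, value = m.groups()
            dpd_seen[side] = value
            if value == "none":
                findings.append(f"dpd {side}: DPD disabled; dead sessions will not be detected")
            elif not value.isdigit() or not DPD_MIN <= int(value) <= DPD_MAX:
                findings.append(f"dpd {side}: {value} outside {DPD_MIN}-{DPD_MAX} seconds")
            elif int(value) != RECOMMENDED[side]:
                findings.append(f"dpd {side}: {value} differs from recommended {RECOMMENDED[side]}")
            continue
        m = KEEPALIVE_RE.match(line)
        if m and m.group(1) == "none":
            findings.append("keepalive: disabled; idle proxy/NAT state may drop the tunnel")
    # An unconfigured side silently uses the 30-second default.
    for side in ("gateway", "client"):
        if side not in dpd_seen and DEFAULT_DPD != RECOMMENDED[side]:
            findings.append(f"dpd {side}: not set, default {DEFAULT_DPD}s applies (recommended {RECOMMENDED[side]})")
    return findings


if __name__ == "__main__":
    for finding in audit_webvpn(SAMPLE_CONFIG):
        print(finding)
```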

Step 6

To enable the AnyConnect client to perform a re-key on an SSL session, use the anyconnect ssl rekey
command:
