Configuring dtls, Prompting remote users – Cisco ASA 5505 User Manual
Page 1718
75-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 75 Configuring AnyConnect VPN Client Connections
Configuring AnyConnect Connections
anyconnect keep-installer installer
The default is that permanent installation of the client is enabled. The client remains on the remote
computer at the end of the session. The following example configures the existing group-policy sales to
remove the client on the remote computer at the end of the session:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-policy)# anyconnect keep-installer installed none
Configuring DTLS
Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN
connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids
latency and bandwidth problems associated with SSL connections and improves the performance of
real-time applications that are sensitive to packet delays.
By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS,
SSL VPN connections connect with an SSL VPN tunnel only.
Note
In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you
do not enable DPD, and the DTLS connection experiences a problem, the connection terminates instead
of falling back to TLS. For more information on enabling DPD, see
Enabling and Adjusting Dead Peer
You can disable DTLS for all AnyConnect client users with the enable command tls-only option in
webvpn configuration mode:
enable <interface> tls-only
For example:
hostname(config-webvpn)# enable outside tls-only
By default, DTLS is enabled for specific groups or users with the anyconnect ssl dtls command in group
policy webvpn or username webvpn configuration mode:
[no] anyconnect ssl dtls enable
If you need to disable DTLS, use the no form of the command. For example:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no anyconnect ssl dtls enable
Prompting Remote Users
You can enable the ASA to prompt remote SSL VPN client users to download the client with the
anyconnect ask command from group policy webvpn or username webvpn configuration modes:
[no] anyconnect ask {none | enable [default {webvpn | } timeout value]}
anyconnect enable prompts the remote user to download the client or go to the clientless portal page
and waits indefinitely for user response.
anyconnect ask enable default immediately downloads the client.
anyconnect ask enable default webvpn immediately goes to the portal page.