EasyManuals Logo
Home>Cisco>Firewall>5510 - ASA SSL / IPsec VPN Edition

Cisco 5510 - ASA SSL / IPsec VPN Edition User Manual

Cisco 5510 - ASA SSL / IPsec VPN Edition
2164 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #1941 background imageLoading...
Page #1941 background image
1-13
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring AnyConnect VPN Client Connections
Configuring AnyConnect Connections
Configuring DTLS
Datagram Transport Layer Security (DTLS) allows the AnyConnect client establishing an SSL VPN
connection to use two simultaneous tunnels—an SSL tunnel and a DTLS tunnel. Using DTLS avoids
latency and bandwidth problems associated with SSL connections and improves the performance of
real-time applications that are sensitive to packet delays.
By default, DTLS is enabled when SSL VPN access is enabled on an interface. If you disable DTLS,
SSL VPN connections connect with an SSL VPN tunnel only.
Note In order for DTLS to fall back to a TLS connection, Dead Peer Detection (DPD) must be enabled. If you
do not enable DPD, and the DTLS connection experiences a problem, the connection terminates instead
of falling back to TLS. For more information on enabling DPD, see Enabling and Adjusting Dead Peer
Detection, page 1-21
You can disable DTLS for all AnyConnect client users with the enable command tls-only option in
webvpn configuration mode:
enable <interface> tls-only
For example:
hostname(config-webvpn)# enable outside tls-only
By default, DTLS is enabled for specific groups or users with the anyconnect ssl dtls command in group
policy webvpn or username webvpn configuration mode:
[no] anyconnect ssl dtls {enable interface | none}
If you need to disable DTLS, use the no form of the command. For example:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# no anyconnect ssl dtls none
Prompting Remote Users
You can enable the ASA to prompt remote SSL VPN client users to download the client with the
anyconnect ask command from group policy webvpn or username webvpn configuration modes:
[no] anyconnect ask {none | enable [default {webvpn | } timeout value]}
anyconnect enable prompts the remote user to download the client or go to the clientless portal page
and waits indefinitely for user response.
anyconnect ask enable default immediately downloads the client.
anyconnect ask enable default webvpn immediately goes to the portal page.
anyconnect ask enable default timeout value prompts the remote user to download the client or go to
the clientless portal page and waits the duration of value before taking the default action—downloading
the client.
anyconnect ask enable default clientless timeout value prompts the remote user to download the client
or go to the clientless portal page, and waits the duration of value before taking the default
action—displaying the clientless portal page.
Figure 1-1 shows the prompt displayed to remote users when either default anyconnect timeout value
or default webvpn timeout value is configured:

Table of Contents

Other manuals for Cisco 5510 - ASA SSL / IPsec VPN Edition

Preview: Configuration Guide
Configuration Guide1822 pages
Preview: Hardware Installation Guide
Hardware Installation Guide82 pages
Preview: Getting Started Guide
Getting Started Guide208 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco 5510 - ASA SSL / IPsec VPN Edition and is the answer not in the manual?

Cisco 5510 - ASA SSL / IPsec VPN Edition Specifications

General IconGeneral
BrandCisco
Model5510 - ASA SSL / IPsec VPN Edition
CategoryFirewall
LanguageEnglish

Related product manuals