Win8 64bit client can't install Cisco AnyConnect finish

一、安裝過程，錯誤訊息如下

\System\CurrentControlSet\Services\Eventlog\CiscoAnyConnect Secure Mobility Client\acvpndownloader

二、找到答案，再來更新

Cisco Anyconnect 連線錯誤訊息處理

訊息如下：

 The VPN client was unable to modify the IP forwarding table. A VPN connection will not be established. Please restart your computer or device, then try again.

解決方法：

注意：使用 Anyconnect VPN，網路共享服務，不能開啟 !!!

執行，輸入services.msc 後，找到 Internet Connection Sharing (ICS) 選項，停用即可

ASA 處理進出同介面的路由 intra-interface

預設：Intra-Interface Communications disabled，不允許進出同介面的路由

  

Intra-Interface Communications Enable 指令：

same-security-traffic permit intra-interface

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

增加以下兩行，route inside 封包，不做 NAT.

1. ACL
access-list route-inside extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

2. NAT 0 (不做 NAT)
nat (inside) 0 access-list route-inside

Cisco ASA failover HA config

說明：Cisco ASA failover active standby unit 固定 ip

   例：ip address 172.16.1.253 255.255.255.0 standby 172.16.1.252

   不管 active / standby unit 切換，

   只要 active unit 總是使用 ip 172.16.1.253，standby unit 總是 ip 172.16.1.252 

一、 failover 設定

failover 設定 : primary

failover

failover lan unit primary

failover lan interface failover Management0/0

failover replication http

failover link failover Management0/0

failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2

failover 設定 : secondary

failover

failover lan unit secondary

failover lan interface failover Management0/0

failover replication http

failover link failover Management0/0

failover interface ip failover 1.1.1.1 255.255.255.0 standby 1.1.1.2

二、網路接線

所有 ASA interface 接至一台 switch (切vlan) (含 failover interface)

三、查看 failover 狀態

ASA5520# show failover state

               State          Last Failure Reason      Date/Time

This host  -   Primary

               Standby Ready  None

Other host -   Secondary

               Active                None

====Configuration State===

        Sync Done - STANDBY

====Communication State===

        Mac set

ASA5520# failover ?

  active                Make this system to be the active unit of the failover pair

  exec                  Execute command on the designated unit

  reload-standby  Force standby unit to reboot

  reset                  Force an unit or failover group to an unfailed state

四、切換 Active / Standby

ASA5520# failover active  (登入standby那台，將 standby 切換為 active)

五、NAT-T

狀況：當 ipsec vpn 登入內網後，但無法存取任何設備，是 NAT-T 問題，

      Cisco ASA 需下以下指令

      crypto isakmp nat-traversal

Cisco VPN Apple Andorid Supported

Apple Devices Supported

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/rn-ac2.4-apl4.2.html

Device  Apple iOS Release Required 
iPad               4.2.1 or later
iPhone 3G      4.1 or later
iPhone 3GS    4.1 or later
iPhone 4         4.1 or later
iPod Touch (2nd Generation or later)  4.1 or later

Download: iPhone Configuration Utility (IPCU) 3.3

Download iTunes 10

Windows 操作：
a. 連接 IPAD /Iphone 設備
b. 安裝 iPhone Configuration Utility
c. 新增 profile，config 憑證 及 AnyConnect.
d. "Install" 到 IPAD (傳送)

IPAD 操作：
a. 收到 config profile，按"安裝" (內含憑證)
b. Anyconnect 連線.

參考文件

Andorid Devices Supported

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

We now support VPN connections between Android mobile devices and ASA 5500 series devices, when using the L2TP/IPsec protocol and the native Android VPN client.

Requirements:
•Mobile devices must be using the Android 2.1, or later, operating system.
•The ASA must be running the ASA Release 8.4(1) or later.