
Apple iOS Known Issues, Limitations, Common Problems, and Solutions with Cisco AnyConnect Secure Mobility Client

Objective

The Cisco AnyConnect Secure Mobility Client, also known as the Cisco AnyConnect VPN Client, is a software application for connecting to a Virtual Private Network (VPN) that works on various operating systems and hardware configurations. This software application makes remote resources of another network accessible as if the user were directly connected to that network, but in a secure way. Cisco AnyConnect Secure Mobility Client provides an innovative way to protect mobile users on computer-based or smartphone platforms, providing a more seamless, always-protected experience for end users, and comprehensive policy enforcement for an IT administrator.

When installing the Cisco AnyConnect Secure Mobility Client on Apple iOS devices, common errors may occur and basic troubleshooting may be needed for a successful setup. For more about basic troubleshooting of common installation errors, click here.

The objective of this document is to show you the known issues, limitations, common problems, and solutions on Apple iOS devices with Cisco AnyConnect Secure Mobility Client.

Software Version

  • 4.4

Apple iOS Known Issues, Limitations, Common Problems, and Solutions

Note: The following iOS issues have already been reported to Apple and may be resolved in a future iOS release.

Apple iOS Known Issues

  • Network Roaming applies only to releases earlier than iOS 8. iOS 8 and later releases always operate as if Network Roaming is ON, attempting to re-establish a connection until it succeeds.

Note: For a full description of Network Roaming, click here.

  • Apple ID: 22784308 issue — On demand option never connects.
  • A Datagram Transport Layer Security (DTLS) packet received while the device is asleep does not awaken it. Transport Layer Security (TLS) packets, however, awaken the device if notifications or FaceTime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
  • Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This functionality works as expected on iPhone devices.
  • If a VPN configuration contains a large number of routes or split-DNS rules, the Apple device cannot establish a VPN connection. This bug occurs, for example, if, upon connection, an Adaptive Security Appliance (ASA) configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual subnets. To prevent this bug, apply a tunnel-all configuration or reduce the number of rules.
  • AnyConnect may become slow or crash when there is a large number of VPN connections configured on the mobile device.
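
A way to check a split-include list against the 70-rule limit described above and to reduce the rule count without widening what is tunnelled. This is an added example, not Cisco code; it assumes the list is an ASA standard ACL, and the ACL name `SPLIT_IOS` and the sample configuration are constructed for illustration.

```python
import ipaddress

# Threshold from the text above: 70 or more split-include rules can stop
# an Apple iOS device from establishing the VPN connection.
IOS_SPLIT_INCLUDE_LIMIT = 70

def parse_split_acl(config_text, acl_name):
    """Return the networks permitted by an ASA standard ACL.

    Handles 'permit <network> <mask>' and 'permit host <ip>'. Remark, deny
    and 'permit any' lines are skipped because they name no subnet.
    """
    networks = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:4] != ["access-list", acl_name, "standard", "permit"]:
            continue
        args = tokens[4:]
        if len(args) == 2 and args[0] == "host":
            networks.append(ipaddress.ip_network(args[1] + "/32"))
        elif len(args) == 2:
            networks.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
    return networks

def audit(config_text, acl_name):
    """Count the rules, then merge only contained or exactly adjacent subnets,
    so the summarized list covers the same address space as the original."""
    original = parse_split_acl(config_text, acl_name)
    collapsed = list(ipaddress.collapse_addresses(original))
    return {
        "original_rules": len(original),
        "collapsed_rules": len(collapsed),
        "at_risk_before": len(original) >= IOS_SPLIT_INCLUDE_LIMIT,
        "at_risk_after": len(collapsed) >= IOS_SPLIT_INCLUDE_LIMIT,
        "collapsed": [str(net) for net in collapsed],
    }

# Constructed sample: 75 per-subnet rules, most of them contiguous /24s.
SAMPLE_CONFIG = "\n".join(
    ["access-list SPLIT_IOS remark constructed sample, not from a real device"]
    + [f"access-list SPLIT_IOS standard permit 10.20.{i}.0 255.255.255.0" for i in range(64)]
    + [f"access-list SPLIT_IOS standard permit 172.16.{i}.0 255.255.255.0" for i in range(8, 16)]
    + ["access-list SPLIT_IOS standard permit host 192.168.50.10",
       "access-list SPLIT_IOS standard permit 192.168.100.0 255.255.255.0",
       "access-list SPLIT_IOS standard permit 192.168.102.0 255.255.255.0"]
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG, "SPLIT_IOS").items():
        print(f"{key}: {value}")
```

If the collapsed count is still at or above the limit, the remaining options are the ones the text gives: a tunnel-all configuration or fewer rules.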

Apple iOS Permits All Local LAN Traffic with Tunnel-all

Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel policy include:

  • All Local Area Network (LAN) traffic
  • Scoped routes for preexisting connections (for example, a video being streamed before VPN comes up)
  • Core Apple services (for example, Visual Voicemail traffic)

Guidelines and Limitations for AnyConnect on Apple iOS

  • This release of AnyConnect for Apple iOS supports only the features that are strictly related to remote VPN access.
  • AnyConnect supports the following types of VPN configurations:
- Manually generated

- AnyConnect VPN client profile imported

- iPhone Configuration Utility generated. For details about the iPhone Configuration Utility, check Apple Support.

  • The Apple iOS device supports only one AnyConnect VPN client profile. The contents of the generated configuration always match the most recent profile. For example, you connect to vpn.example1.com and then to vpn.example2.com. The AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.
  • This release supports the tunnel keepalive feature; however, it reduces battery life of the device. Increasing the update interval value mitigates this issue.
  • Apple iOS Connect On-Demand Considerations:

- VPN sessions that are automatically connected as a result of iOS On-Demand logic will be disconnected when the device sleeps. After the device wakes up, On-Demand logic will reconnect the VPN session when it is necessary again.

- AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect can misreport mobile posture information if the user relies on iOS’s Connect On-Demand feature to make a connection initially, or after device information, such as the OS version, has changed.

- If you are running AnyConnect 4.0.05032 or later, in conjunction with Apple iOS 9.3 or later, the following limitation does not apply to your device: To ensure proper establishment of Connect On-Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, the next time iOS attempts to establish a VPN tunnel, the error message “The VPN Connection requires an application to start up” is displayed.

Common Apple iOS Problems

1. I cannot edit or delete some connection profiles.

Solution: Your system administrator set a policy that affects host entries imported into your AnyConnect connection profile. To delete these profiles, tap Diagnostics > Profile > Clear Profile Data.

2. Errors while trying to save or edit configuration.

Solution: A known issue with the operating system is the cause. Apple is working to resolve it. As a workaround, try restarting the application.

3. Connection time-outs and unresolved hosts.

Solution: Internet connectivity issues, a low cell signal level, and network congestion often cause time-outs and unresolved host errors. If a LAN is within reach, try using your device Settings application to establish a connection with the LAN first. Retrying multiple times in response to time-outs often results in success.

4. VPN connection is not re-established when the device wakes from sleep.

Solution: Enable Network Roaming in the VPN connection entry. If enabling network roaming does not resolve the issue, check your EDGE (2G), 1xRTT (2G), 3G, or Wi-Fi connection.

Note: This issue may be expected behavior depending on how your organization has configured the VPN.

5. Certificate-based authentication does not work.

Solution: Check the validity and expiration of the certificate if you succeeded with it before. Check with your system administrator to make sure you are using the appropriate certificate for the connection.

6. The Apple iOS Connect On Demand feature is not working or is connecting unexpectedly.

Solution: Ensure the connection does not have a conflicting rule in the Never Connect list. If a Connect If Needed rule exists for the connection, try replacing it with an Always Connect rule.

7. AnyConnect failed to establish a connection but no error message was displayed.

Solution: Messages display only when the AnyConnect application is open.

8. A profile called Cisco AnyConnect exists that cannot be deleted.

Solution: Try restarting the application.

9. When I remove the AnyConnect application, VPN configurations still appear in the Apple iOS VPN settings.

Solution: To delete these profiles, reinstall AnyConnect and then tap Diagnostics > Profile > Clear Profile Data.

 

Version history
Revision #: 1 of 1
Last update: 03-14-2017 06:25 PM