Cisco Support Community

Troubleshooting AnyConnect installations



This document describes scenarios encountered with AnyConnect installations.
  • AnyConnect client
  • ASA 5540

Scenario 1


The user wants to know whether the group name/password from the legacy VPN client can be used in the Cisco AnyConnect client. The user checked the "VPN XML Reference" in the AnyConnect Administrator Guide and found nothing about it.


The AnyConnect Secure Mobility Client (VPN module) can be used to connect to two types of remote access VPN:
  • Full tunnel SSL VPN
  • IKEv2 IPsec VPN
The legacy VPN client is used only with the older IKEv1 IPsec VPN, and you cannot use AnyConnect as the client on that type of VPN.
What is IKE?
IKE is used to negotiate ESP and/or AH SAs.
Endpoint-to-Endpoint Transport:
In this scenario, IPsec is implemented at both endpoints. In transport mode there is no inner IP header; if an inner IP header is present, the inner addresses are the same as the outer addresses. A single pair of addresses is negotiated to be protected by the SA. These endpoints MAY implement application-layer access controls based on the IPsec-authenticated identities of the participants. This implementation enables end-to-end security, which has been a rule of thumb for the Internet.

Scenario 2

The user is using the Cisco AnyConnect VPN client with the ASA 5540 firewall and needs to enable a timeout on VPN clients so that they disconnect after x hours of inactivity.

To my understanding, the default idle timeout value is 30 min.

You should be able to change this setting either under the "username" configurations (if using LOCAL AAA on the ASA) or under the "group-policy" configurations.

The command is:  vpn-idle-timeout
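
The following ASA configuration is an added example, not taken from the original discussion. It shows the command in both places mentioned above; the group-policy name REMOTE-USERS, the username jdoe and the timeout values are assumptions chosen for illustration. The value is given in minutes, so a limit of x hours is entered as x * 60.

```cisco
! Constructed example: REMOTE-USERS and jdoe are hypothetical names.
!
! Group-policy level: applies to every user who inherits this policy.
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 ! 4 hours of inactivity = 240 minutes
 vpn-idle-timeout 240
!
! Username level (LOCAL AAA on the ASA): a value set here takes
! precedence over the group-policy value for this one user.
username jdoe attributes
 vpn-idle-timeout 60
!
! Confirm what is actually configured.
show running-config group-policy REMOTE-USERS
show running-config username jdoe
```

A shorter idle timeout limits how long an unattended, still-authenticated tunnel stays open, so set the value at the group-policy level and use per-user overrides only for exceptions.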

 Command Reference link

Source Discussion

Last update: 08-29-2017 03:38 AM (revision 2 of 2)