CCNP Security VPN Technologies: IPsec, SSL, AnyConnect Deep Dive
Introduction
When organizations need to connect remote offices, enable mobile workers, or provide secure access to internal resources from anywhere in the world, CCNP Security VPN technologies on the Cisco Adaptive Security Appliance (ASA) stand as the backbone of enterprise connectivity. Whether you are building an IPsec site-to-site tunnel between two branch offices, rolling out a clientless SSL VPN portal for contractors, or deploying the AnyConnect Secure Mobility Client for your entire remote workforce, the ASA platform offers a comprehensive suite of VPN solutions that every security professional must understand.
This article provides a thorough exploration of the VPN technologies available on the Cisco ASA, covering everything from the fundamentals of IPsec and SSL/TLS negotiation to the nuances of AnyConnect deployment, licensing models, policy inheritance, and advanced access control. By the end of this deep dive, you will have a solid command of the protocols, configuration strategies, and architectural decisions that define modern Cisco VPN deployments.
What Are the Available CCNP Security VPN Technologies on the ASA?
The Cisco ASA supports a broad range of VPN deployment methods, each tailored to different use cases. Understanding the strengths and limitations of each method is the first step toward making the right architectural decision for your environment.
The available VPN deployment types on the ASA include:
- IPsec Remote Access (IKEv1) -- Uses the legacy Cisco IPsec VPN client with IKEv1 negotiation
- Easy VPN Remote and Server (IKEv1) -- Supports both software clients and the ASA 5505 as a hardware client
- Easy VPN Remote Hardware Client (ASA 5505 Only) -- Dedicated hardware-based remote VPN functionality
- Clientless SSL VPN -- Browser-based access requiring no client software installation
- AnyConnect SSL -- Full-tunnel VPN using the AnyConnect Secure Mobility Client over SSL/TLS
- AnyConnect IKEv2 -- Full-tunnel VPN using the AnyConnect client with the IKEv2 protocol
- IPsec Site-to-Site (IKEv1) -- Permanent tunnels between ASA devices or third-party endpoints
The following table summarizes the key characteristics of each method:
| Feature | IPsec Remote Access | Easy VPN | Clientless SSL | AnyConnect SSL | AnyConnect IKEv2 | IPsec Site-to-Site |
|---|---|---|---|---|---|---|
| Protocol | IPsec/IKEv1 | IPsec/IKEv1 | SSL/TLS | SSL/TLS | IKEv2 | IPsec/IKEv1 |
| Client IP Addressing | Supported | Supported | Not supported | Supported | Supported | N/A |
| HA Support | Stateful | Stateful | Stateless | Stateful | Stateful | Stateful |
| LAN Extension | Yes | Yes | No | Yes | Yes | Yes |
| Standards-Based | Yes | Proprietary | Yes | Yes | Yes | Yes |
If your requirement is a site-to-site VPN providing LAN extension between two Cisco devices, an Easy VPN client/server deployment can meet your needs. However, if the remote endpoint is a third-party device such as a checkpoint firewall, a standard IPsec site-to-site VPN connection must be used instead.
For remote-access scenarios, the AnyConnect SSL or IKEv2 VPN is generally the preferred choice because of its automatic download and installation capabilities, seamless policy updates during connection establishment, and full LAN extension support. The clientless SSL VPN remains useful when remote users primarily operate web-based applications and do not require their devices to have an assigned IP address or use complex dynamic protocols.
How Does IPsec Site-to-Site VPN Work on the Cisco ASA?
IPsec site-to-site VPN is the preferred solution for secure connectivity between sites. In this deployment model, each site has an ASA device configured with the appropriate information for tunnel creation. Unlike remote-access VPN deployments, which are designed for individual users, site-to-site VPNs do not scale well for connecting multiple remote users at the same location, making the dedicated tunnel approach more practical.
The tunnel-initiation process relies on the concept of interesting traffic. Before a connection is initiated, you must configure the ASA with the IP addresses you trust at each end of the connection. The process begins when the ASA device receives traffic from a local device that is intended for a device at a configured remote site matching the interesting traffic definition. For example, if a client at 10.1.1.53/24 wants to communicate with a host at 192.168.1.111/24, the ASA recognizes this as interesting traffic and initiates the IPsec tunnel.
IKEv1 Phase 1
The process of secure tunnel creation uses Internet Key Exchange Version 1 (IKEv1), Internet Security Association and Key Management Protocol (ISAKMP), Oakley, Encapsulating Security Payload (ESP), and Authentication Header (AH) protocols. IKEv1 Phase 1 negotiates the parameters used for creating a secure management channel between the two peers, including encryption algorithms, hashing methods, authentication mechanisms, and Diffie-Hellman groups.
IKEv1 Phase 2 (Quick Mode)
After Phase 1 establishes the ISAKMP Security Association (SA), Phase 2 (Quick Mode) negotiates the IPsec SAs that protect the actual data traffic. This phase defines the transform sets, selects the encryption and integrity protocols for the data tunnel, and establishes the interesting traffic definitions (crypto ACLs) that determine which traffic flows through the tunnel.
Configuring a Basic IPsec Site-to-Site VPN
Deploying a basic IPsec site-to-site VPN on the ASA involves a structured sequence of configuration steps. Each step builds upon the previous one to create a fully functional encrypted tunnel between two sites.
The high-level configuration workflow includes:
- Configure Basic Peer Authentication -- Define how the two ASA devices will authenticate each other, either through pre-shared keys or digital certificates
- Enable IKEv1 on the Interface -- Activate IKEv1 processing on the outside interface that faces the remote peer
- Configure IKEv1 Policies -- Define the encryption algorithm, hash method, authentication type, Diffie-Hellman group, and SA lifetime for Phase 1 negotiation
- Configure Pre-Shared Keys -- If using pre-shared key authentication, define the shared secret that both peers must match
- Configure Transmission Protection -- Set up the transform sets that define the encryption and integrity algorithms for Phase 2 (IPsec SA)
- Select Transform Set and VPN Peer -- Bind the transform set to a crypto map entry and specify the remote peer's IP address
- Define Interesting Traffic -- Create crypto ACLs that identify which traffic should be encrypted and sent through the tunnel
Each of these steps must be carefully matched on both sides of the tunnel. A mismatch in any Phase 1 policy parameter, transform set, or crypto ACL definition will prevent the tunnel from establishing or passing traffic correctly.
Common IPsec Site-to-Site Troubleshooting
When your IKEv1 policies are configured and the site-to-site VPN tunnel is established and operational, but hosts are unable to access resources on the remote network, the problem could stem from several areas:
- Interface ACLs -- Access control lists on the interfaces may be blocking VPN traffic
- NAT -- Network address translation rules may be interfering with tunneled traffic
- Crypto ACLs -- The interesting traffic definitions may not match correctly on both sides
- Routing -- Routes may not be properly configured to direct traffic toward the tunnel
All of the above are potential causes, making a systematic troubleshooting approach essential. Start by verifying Phase 1 establishment, then Phase 2 negotiation, and finally examine whether traffic is matching the crypto ACLs and flowing through the tunnel without being blocked by interface ACLs or incorrectly translated by NAT rules.
Pro Tip: When troubleshooting IPsec site-to-site VPNs, always verify that NAT exemption rules are in place for traffic that should traverse the tunnel. Without proper NAT exemption, the ASA may translate source addresses before they reach the crypto ACL match, preventing the tunnel from initiating.
How Does SSL/TLS VPN Technology Operate?
SSL/TLS protocols form the foundation of both clientless SSL VPN and AnyConnect full-tunnel VPN deployments on the ASA. These protocols have the advantage of being mature and widely adopted by clients, servers, and the Internet community. We encounter SSL/TLS daily when browsing and shopping on the web, where these protocols secure traffic between servers and browsers, providing data confidentiality and integrity.
SSL/TLS Protocol Versions
Three versions of the SSL protocol and two versions of the TLS protocol have been developed:
- SSL 1.0 -- Deprecated
- SSL 2.0 -- Not recommended for use in production environments
- SSL 3.0 -- Legacy but still referenced
- TLS 1.1 (SSL 3.1) -- Published by the IETF in 1999
- TLS 1.2 -- The latest version developed by the IETF at the time of the ASA VPN certification
SSL was originally a proprietary protocol developed by Netscape in 1994. Due to its heavy adoption in browsers, SSL saw widespread use across the Internet. The IETF later published TLS 1.1, which shares similarities with SSL 3.0 but contains significant differences that prevent direct interoperation between the two.
The TLS protocol sits between the session and transport layers of the OSI model. TLS does not include any mechanism for reliable packet delivery or reordering; instead, it relies on TCP at the transport layer for sequencing, reordering, and guaranteed delivery.
The TLS Handshake Process
Before application data can be securely transported, a TLS tunnel must be created through a handshake mechanism. The following steps describe this process:
-
ClientHello -- The client sends a message containing its supported cipher suites (for example,
TLS_RSA_WITH_DES_CBC_SHA), a session ID (Null for new sessions), supported compression schemes, the latest SSL/TLS protocol version supported, and a random number combining the client's date/time with a 28-byte pseudo-random number. -
ServerHello -- The server responds with its chosen compression scheme, its latest matching protocol version, a cipher suite matching the client's capabilities, and its own random number.
-
Certificate -- The server sends a copy of its digital certificate. The client validates it by checking the issuing CA against its trusted root certificates, verifying the validity period, confirming the hostname matches, and checking that the serial number does not appear on any certificate revocation lists (CRLs).
-
ServerHelloDone -- The server indicates it has no more information to send.
-
ClientKeyExchange -- The client sends its protocol version number and a pre_master secret, encrypted using the server's public key. Both sides use this pre_master secret along with the exchanged random numbers and a pseudo-random function to generate the master encryption key.
-
ChangeCipherSpec and Finish -- Both client and server send ChangeCipherSpec messages indicating all subsequent communication will be encrypted, followed by Finish messages.
This entire process occurs in seconds without user interaction, unless a certificate or protocol error is encountered.
DTLS for Delay-Sensitive Applications
TCP is required by SSL/TLS for message reordering, retransmission, and reliable delivery. However, for delay-sensitive protocols such as voice and video, the overhead of TCP is often undesirable. DTLS (RFC 4347) was created to address this challenge. DTLS is based on TLS but operates using UDP for faster packet delivery, while adding its own mechanisms for reliable message delivery, reordering, fragmentation, and anti-replay.
DTLS adds two fields to the TLS record layer format:
- Sequence Number -- Increments for each packet sent between client and server, with a windowing system for anti-replay protection
- Epoch -- Begins at zero during the handshake and increments with each ChangeCipherSpec packet, distinguishing packets from different conversations that may share the same sequence number
DTLS also includes an optional authentication cookie mechanism inserted into the handshake phase to prevent denial-of-service (DoS) attacks. The server replies to an initial ClientHello with a HelloVerifyRequest containing an authentication cookie that the client must echo back.
Pro Tip: When deploying AnyConnect for users who run real-time applications like VoIP or video conferencing, always enable DTLS on the ASA interfaces. Without DTLS, all traffic falls back to TLS over TCP, which introduces latency and jitter that degrade real-time communication quality.
What Is the AnyConnect Secure Mobility Client?
The AnyConnect Secure Mobility Client represents the future of remote client VPN strategy on the ASA platform. It operates by building an SSL/TLS, DTLS, or IKEv2 connection and tunneling remote user application traffic through the established session.
Key Advantages of AnyConnect
The advantages of AnyConnect over older VPN client technologies include:
- Native application support -- Full-tunnel connectivity supports applications that would otherwise require plug-ins, smart tunnels, or port forwarding with a clientless SSL VPN (such as Remote Desktop Protocol and Telnet)
- Automatic deployment -- Administrators can configure automatic installation, updating, and removal of the client software during and after connection attempts
- On-the-fly policy updates -- New client profiles, modules, and configuration changes are downloaded automatically during connection establishment
- Multiple protocol support -- The same client supports SSL/TLS, DTLS, and IKEv2 connections
- Trusted Network Detection -- The client can detect when the user is inside the corporate network and adjust behavior accordingly
AnyConnect Connection Methods
The AnyConnect client supports the following connection methods:
| Method | Protocol | Transport |
|---|---|---|
| AnyConnect SSL | SSL/TLS | TCP |
| AnyConnect SSL with DTLS | DTLS | UDP |
| AnyConnect IKEv2 | IKEv2 | UDP |
For IKEv2 connections, a typical exchange involves two message pairs by default. The IKEv2 protocol uses two exchange phases during connection establishment: the IKE_SA_INIT exchange and the IKE_AUTH exchange. The first CHILD_SA is created during the IKE_AUTH exchange.
IKEv2 IPsec remote-access VPN sessions are available for use only with the AnyConnect client and are licensed using the same AnyConnect Essentials or AnyConnect Premium licenses used with SSL VPNs.
AnyConnect Troubleshooting Tools
When troubleshooting AnyConnect client issues, two primary tools are available:
- Message History tab -- Provides a step-by-step explanation of the connection process, useful for identifying exactly where a failure occurs during VPN establishment
- DART (Diagnostic and Reporting Tool) -- Collects all client, system, and module information into a bundle that can be shared with support engineers for in-depth analysis
How Do CCNP Security VPN Policies and Inheritance Work?
An essential part of deploying any SSL or IPsec VPN connection on the ASA is the use of policies to control access to resources through the VPN tunnel. The ASA provides a wide range of options for granular policy assignment based on user attributes, group membership, department, site location, or role in the company.
The Policy Hierarchy
All remote users must pass through two phases before they can successfully connect and access resources:
-
Prelogin Phase -- Achieved through connection profiles (also known as tunnel groups). Connection profiles carry out the assignment of connection attributes and parameters such as AAA and IP address assignment, and define available connection methods (IKEv1, IKEv2, SSL).
-
Post-login Phase -- Achieved through group policy objects, Dynamic Access Policies (DAPs), and user-specific attributes. These include items such as IPv4 or IPv6 access lists, DNS servers, access hours, split tunneling, and more.
When multiple policies are assigned to a single user, the ASA merges them using a hierarchical model. From highest to lowest precedence:
- Dynamic Access Policies (DAPs) -- Take precedence over all other configured policy types
- User Attributes -- Direct assignment to a user account
- Group Policy -- Assigned to a connection profile or user
- Default Group Policy -- The built-in DfltGrpPolicy that provides fallback values
If two policy types contain different values for the same attribute, the user receives the value from the higher-priority policy. For example, if IP Pool A is assigned in the group policy attached to the connection profile and IP Pool B is assigned directly to the user account, the user receives an address from IP Pool B because user attributes rank higher in the hierarchy.
Connection Profiles
Connection profiles provide prelogin policies for establishing VPN connections. They also separate connecting users into relevant groups that may require different methods of access. Several methods exist for assigning users to the appropriate connection profile:
- Group URL -- Remote users enter a direct URL configured for the desired profile, such as
https://lab.nhprep.com/corporate - Group Alias -- Clientless SSL VPN users select a profile from a drop-down list at the portal login page; AnyConnect users select a profile in the client software
- Certificate to Connection Profile Mapping -- Distinguished name (DN) values in a user's digital certificate are matched to a specific connection profile
- Per-User Connection Profile Lock -- A connection profile is assigned directly to an individual user account
Three default connection profiles exist on every ASA and cannot be removed (though they can be modified):
- DefaultRAGroup -- Used for client-based (AnyConnect) SSL VPNs and IPsec remote-access VPNs
- DefaultWEBVPNGroup -- Used for clientless SSL VPNs
- DefaultL2LGroup -- Used for IPsec LAN-to-LAN connections
Pro Tip: Always create custom connection profiles for your specific VPN deployments rather than relying on the default profiles. The defaults are designed as catchall mechanisms and global property containers, not as production-ready configurations.
Group Policies
Group policies are containers for post-login attributes and parameters assigned to VPN users, including ACLs, DHCP servers, address pools, DNS settings, and more. They simplify configuration by allowing assignment to multiple users or connection profiles simultaneously.
Group policies come in two types:
- Internal (Local) -- Attributes and parameters are stored locally on the ASA
- External (Remote) -- The policy container exists on the ASA, but attributes are stored on external AAA servers (RADIUS or LDAP) and retrieved during login
Only RADIUS and LDAP are available for external group policy assignment. TACACS+ was available in earlier ASA releases but has been removed for this purpose due to its limited policy assignment capabilities compared to RADIUS and LDAP.
Group policy objects are globally available across all connection types. A group policy created for AnyConnect connections can also be selected and used in site-to-site or clientless SSL VPN configurations, enabling reuse across your entire VPN deployment.
Understanding ASA VPN Licensing for CCNP Security VPN
Licensing on the ASA is a critical topic that directly impacts which VPN features you can deploy and how many concurrent sessions your device supports. Each ASA model has different base license capabilities and optional license upgrades.
VPN Licensing by Platform
The following table shows the IPsec and SSL VPN session limits for common ASA models:
| ASA Model | IPsec VPN Sessions | Combined IPsec + SSL VPN Max | VPN Load Balancing |
|---|---|---|---|
| ASA 5505 (Base) | 10 | 25 | Not supported |
| ASA 5510 (Base) | 250 | 250 | Not supported (Base) |
| ASA 5510 (Security Plus) | 250 | 250 | Supported |
| ASA 5520 | 750 | 750 | Supported |
| ASA 5540 | 5,000 | 5,000 | Supported |
| ASA 5550 | 5,000 | 5,000 | Supported |
| ASA 5580 | 5,000 | 5,000 | Supported |
AnyConnect Licensing
By default, every ASA includes two AnyConnect Premium licenses. A critical rule to remember is that you cannot mix an AnyConnect Premium and AnyConnect Essentials license on the same device -- you must choose one or the other.
The differences between the two license types are significant:
| Feature | AnyConnect Essentials | AnyConnect Premium SSL VPN Edition |
|---|---|---|
| Client-based SSL VPN | Yes | Yes |
| Browser-based (clientless) SSL VPN | No | Yes |
| IPsec VPN | Yes | Yes |
| VPN Load Balancing | Yes | Yes |
| AnyConnect Mobile | Yes | Yes |
| Advanced Endpoint Assessment | No | Yes |
| AnyConnect Premium SSL VPN Edition Shared | No | Yes |
| Cisco Secure Desktop | No | Yes |
An important licensing note: IKEv1 IPsec sessions are not licensed, and the maximum number of sessions available equals the maximum number available for the ASA platform. IKEv2 IPsec remote-access VPN sessions, however, are available only with the AnyConnect client and are licensed using the same AnyConnect Essentials or Premium licenses used with SSL VPNs.
Time-Based Licenses
Time-based licenses allow your device to handle temporary surges for a particular feature. For example, during a weekend failover to a secondary device that lacks sufficient permanent SSL VPN licenses, a time-based license can cover the shortfall for a defined period (such as 90 days).
Key behaviors of time-based licenses:
- The timer starts counting down as soon as the license is activated and continues even if the device is powered off
- Only one time-based license can be active at any given time
- Multiple time-based licenses can be installed, but they activate in order
When combining time-based and permanent licenses:
- SSL VPN Sessions -- The license with the higher value is used (not combined)
- Security Contexts -- Time-based and permanent licenses are combined up to the platform limit
- Botnet Traffic Filter -- No permanent license exists; only time-based licenses are available
Failover Licensing
Beginning with ASA Version 8.3(1), failover pairs no longer require matching licenses. The primary device typically has the license installed, and the secondary device inherits it. If both devices have licenses, they merge up to the platform-specific maximum. Note that both ASA 5505 and ASA 5510 devices require the Security Plus license before they can operate in failover mode.
Controlling CCNP Security VPN Access on the ASA
Beyond basic tunnel establishment, multiple methods are available for controlling what remote users can access through their VPN connections:
- Web ACLs -- Used with clientless SSL VPN to allow or deny access to specific URLs or TCP services
- Split Tunneling -- Prevents user web traffic from traveling through the VPN tunnel, directing only corporate-destined traffic through the encrypted path
- Filtering with Access Lists -- Standard and extended ACLs applied to control traffic entering and leaving the organization
- Remote AAA Authorization -- Centralized policy enforcement through external authentication servers
- Selective Portal/VPN Access -- Using group URLs and aliases to direct users to appropriate connection profiles
- Access Hours -- Time range objects that restrict VPN availability to specific windows (for example, business hours only)
- Simultaneous Logins -- Limits on how many concurrent sessions a single user can establish
- Connection and Idle Timeouts -- Automatic session termination after periods of inactivity
By default, all VPN traffic bypasses any ACL configurations applied to the incoming interface. If you want VPN traffic to also be subject to configured interface ACLs, you must disable this default behavior in the ASA configuration by navigating to Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Bypass Interface Access List and unchecking the bypass option.
Pro Tip: Time range ACLs can play an important role in VPN security. By restricting VPN access to business hours only, you can accurately know when remote users will be connecting and schedule configuration changes or maintenance during off-hours when connections are unavailable, preventing service disruption.
AAA Integration with CCNP Security VPN Deployments
Authentication, authorization, and accounting (AAA) services enable centralized management of user and device access policies by storing them on remote AAA servers. The ASA supports the following AAA server types:
- RADIUS
- TACACS+
- LDAP
- SDI (RSA SecurID)
- NT Domain
- Kerberos
- HTTP Form
To prepare the ASA for use with an external AAA server, two steps are required:
- Create an AAA server group -- Define the server group name, protocol, accounting mode (Simultaneous or Single for RADIUS/TACACS+), reactivation mode (Depletion or Timed), and maximum failed attempts (default 3)
- Add servers to the AAA server group -- Specify the interface, server IP address, and authentication secret key
For RADIUS server groups, additional options include enabling interim accounting updates for multisession accounting with AnyConnect and clientless SSL VPNs, and configuring VPN3K compatibility settings for downloadable ACL handling.
The AAA framework supports different authentication methods depending on the VPN type:
| VPN Type | Authentication Methods |
|---|---|
| IPsec Remote Access | X-Auth by user AAA or local ASA, certificates, hybrid SDI |
| Easy VPN | X-Auth by user AAA or local ASA, SUA and IUA for hardware clients |
| Clientless SSL VPN | User AAA or local ASA, certificates, SDI |
| AnyConnect SSL | User AAA or local ASA, certificates, SDI |
| AnyConnect IKEv2 | User AAA or local ASA, certificates, EAP methods, Cisco Proprietary EAP |
When configuring peer authentication for IPsec site-to-site VPNs using digital certificates, you can choose to send the root CA and intermediate CA certificates to the peer using a certificate chain.
The ASA Packet Processing Flow and Its Impact on VPN Traffic
Understanding how the ASA processes packets is essential for troubleshooting VPN connectivity issues. The ASA follows a specific order of operations for both inbound and outbound traffic, and the direction of travel determines the sequence.
For a packet received on the inside interface destined for a host on the outside interface, the ASA processes in this order:
- Flow Lookup -- Does this packet belong to an existing flow entry?
- Route Lookup -- Perform a longest prefix match against the routing table
- Access List -- Check the packet against any ACLs configured on the incoming path
- IP Options (MPF) -- Check against Modular Policy Framework policies (QoS, embryonic limits)
- VPN Crypto Match -- Is this packet destined for a host through a VPN tunnel?
- NAT -- Perform address translation based on configured NAT rules
- NAT Host Limit -- Check for connection limits that might cause the packet to be discarded
- IP Options (MPF) -- Second MPF check
- Flow Creation -- If this is a new flow, create a flow entry
- Send Packet Out -- Forward through the outside interface
For a packet received on the outside interface destined for an inside host, the order changes slightly, notably including a Reverse Path Forwarding (RPF) check during the NAT phase to verify that the best path toward the source IP address is through the interface on which the packet arrived.
The Packet Tracer utility, available from the Tools menu in ASDM, provides a visual step-by-step assessment of how a specific packet would be treated by your ASA. You specify the source and destination IP addresses, ports, protocol, and incoming interface, and the tool checks the packet against all configured ACLs, MPF rules, NAT rules, and VPN crypto maps, reporting the result at each stage. This tool is invaluable when troubleshooting VPN traffic that is being unexpectedly dropped or translated.
High Availability and Performance for CCNP Security VPN
Ensuring VPN availability is critical for production deployments. The ASA supports several high-availability and redundancy methods:
Hardware-Based Failover
Hardware failover provides stateful redundancy for VPN connections. Configuration involves:
- Configuring LAN failover interfaces between the primary and secondary ASA
- Configuring standby addresses on interfaces used for traffic forwarding
- Defining failover criteria that determine when the secondary device takes over
- Configuring nondefault MAC addresses to ensure consistent ARP behavior
Both Active/Standby and Active/Active failover modes are available on ASA models with the appropriate license (ASA 5520 and above by default; ASA 5510 requires Security Plus).
VPN Load Balancing (Clustering)
VPN clustering allows multiple ASA devices to share the VPN session load, distributing incoming connections across the cluster members. This is supported on ASA 5510 (Security Plus) and higher models.
Redundant VPN Peering
For AnyConnect deployments, redundant peering allows the client to automatically fail over to a backup ASA if the primary device becomes unavailable. For site-to-site VPN deployments, redundancy can be achieved through routing protocols that provide multiple paths and automatic convergence.
QoS for VPN Performance
The ASA's Modular Policy Framework (MPF) enables QoS configuration for VPN traffic using:
- Class maps -- Select packets based on protocol, ACL, and other criteria
- Policy maps -- Apply actions (prioritization, policing, shaping) to matched packets
- Service policies -- Apply policy maps to specific interfaces or globally
Frequently Asked Questions
What is the difference between AnyConnect Essentials and AnyConnect Premium?
AnyConnect Essentials provides client-based SSL VPN, IPsec VPN, and VPN load balancing support at a lower cost. AnyConnect Premium adds browser-based (clientless) SSL VPN, Advanced Endpoint Assessment, Cisco Secure Desktop integration, and shared license support. You cannot install both license types on the same ASA device -- you must choose one or the other.
Why can hosts not access remote resources after an IPsec site-to-site VPN tunnel is established?
When the tunnel is operational but hosts cannot reach remote resources, the problem typically lies in one of several areas: interface ACLs blocking the traffic, NAT rules translating addresses that should be exempt, crypto ACLs not matching the correct traffic flows, or routing not directing packets toward the tunnel endpoint. A systematic check of all these components is required.
How does the ASA determine which policy attributes to apply when a user has multiple policies assigned?
The ASA uses a hierarchical policy model where DAPs take highest precedence, followed by user attributes, then the group policy attached to the connection profile, and finally the default group policy (DfltGrpPolicy). If two policy types define different values for the same attribute, the value from the higher-ranking policy is applied. Attributes not defined in higher-level policies inherit their values from policies lower in the hierarchy.
Are IKEv1 IPsec sessions licensed on the ASA?
No. IKEv1 IPsec sessions are not licensed on the ASA. The maximum number of IKEv1 IPsec sessions available equals the maximum number supported by the ASA platform. However, IKEv2 IPsec remote-access VPN sessions are only available with the AnyConnect client and require AnyConnect Essentials or Premium licenses, the same licenses used for SSL VPNs.
What are the default connection profiles on the ASA?
Three default connection profiles exist on every ASA device and cannot be removed, though they can be modified: DefaultRAGroup (for client-based AnyConnect SSL VPNs and IPsec remote-access VPNs), DefaultWEBVPNGroup (for clientless SSL VPNs), and DefaultL2LGroup (for IPsec LAN-to-LAN connections). It is recommended to create custom connection profiles for production deployments rather than relying on these defaults.
When should I use DTLS instead of standard TLS for VPN connections?
DTLS should be enabled whenever your remote users run delay-sensitive applications such as voice over IP or video conferencing. Standard TLS operates over TCP, which introduces latency due to retransmission and ordered delivery mechanisms. DTLS operates over UDP, providing faster delivery while adding its own anti-replay, sequencing, and fragmentation capabilities. The AnyConnect client supports DTLS natively when configured on the ASA.
Conclusion
Mastering CCNP Security VPN technologies requires a thorough understanding of multiple protocols, deployment models, and configuration strategies on the Cisco ASA platform. From the IKEv1 negotiation process that builds IPsec site-to-site tunnels to the TLS handshake that secures AnyConnect full-tunnel sessions, each technology has its place in a comprehensive enterprise security architecture.
The key takeaways from this deep dive include:
- Choose the right VPN method based on your requirements for client IP addressing, LAN extension, standards compliance, and high-availability support
- Understand the policy hierarchy where DAPs override user attributes, which override group policies, which override default policies
- Plan your licensing carefully because AnyConnect Essentials and Premium cannot coexist on the same device, and IKEv2 sessions require AnyConnect licensing
- Enable DTLS for deployments serving users with real-time communication needs
- Build robust high-availability through hardware failover, VPN clustering, or redundant peering depending on your scale requirements
Whether you are preparing for the CCNP Security certification or deploying VPN solutions in production, these foundational concepts will serve you well. Explore NHPREP's courses at nhprep.com to continue building your expertise with hands-on labs and guided instruction across the full spectrum of Cisco security technologies.