SSL VPN with the Cisco AnyConnect client

With the AnyConnect SSL VPN client, users of Windows, Mac OS X and Linux, as well as Windows Mobile, can establish a VPN connection. To use the VPN connection, you have to install the application Cisco AnyConnect Secure Mobility Client on your computer once. This article describes the installation procedure. We recommend this client for Windows 10, Windows 8.1/8, Windows 7, Vista, and Mac OS X Mavericks up to Sierra.

1. How do I install the application on my computer?

You can install the application Cisco AnyConnect Secure Mobility Client directly on any computer with internet access.

  • Navigate to https://asa-cluster.lrz.de with your favourite browser.
  • Enter your login-name and your password.
  • The application will install automatically and the VPN connection will be started.
  • This procedure only has to be done once. Afterwards, open the application Cisco AnyConnect Secure Mobility Client on your computer to start or end connections.

2. How do I install the application on my smartphone?

3. I cannot login!

  • Your login has to be enabled for eduroam. This is true for employees and students, but not for alumni.
  • Eduroam logins like ba12ced@eduroam.mwn.de do not work, use ba12ced instead.
  • Eduroam logins from external institutions do not work for VPN.

4. The installation is not working. What can I do?

There are several possible reasons for a failed installation; you can fix most of them on your own.

4.1 Java cannot be found or activated.

During the installation, at the step "Attempting to use Java", the error message "Web-based Installation was unsuccessful.." appears:

  • Click on the link below "Install using the link below". An installation program will be downloaded to your computer.
  • Manually start the installation program.
  • To start VPN, you have to start the application Cisco AnyConnect Secure Mobility Client on your computer.
  • If the "Connect to" field is empty, enter asa-cluster.lrz.de and click on Connect.

4.2. My Operating-System is not supported!

Current operating systems are supported. Older systems that are no longer updated are not supported.

  • Windows 10: Before upgrading from Win7/8/8.1 to Win10, either install the latest client, or uninstall the client, upgrade Windows and reinstall the client.
  • Windows 8.1, 8, 7, Vista, XP, also in 64-bit, and Windows Mobile (supported devices in the release notes below). The Windows integrated VPN client does not work with our VPN server.
  • OS X 10.12 (Sierra), Mac OS X 10.11 (El Capitan), Mac OS X 10.10 (Yosemite) and Mac OS X 10.9 (Mavericks) work with the latest AnyConnect client.
  • Mac OS X Mountain Lion, Lion, Snow Leopard, Leopard, Tiger and older no longer work with the latest AnyConnect client, but they do have an integrated Cisco VPN client! (Info) Either upgrade your outdated operating system, or reinstall version 4.3 via the download portal and select the group "AnyConnect+NoUpdate" at login.
  • Linux: with 64-bit versions, libraries have to be installed later (see release notes below).
  • Android: in the Android Store: https://play.google.com/store/search?q=anyconnect&c=apps

4.3. Windows Installation fails

Disable Internet Connection Sharing (ICS).

4.4. The connection is not secure

This error message appears if a certificate is missing. This rarely happens on current operating systems.

Please check that you have installed the certificates required for the SSL connection. When you call up the page https://asa-cluster.lrz.de you must not get an error message in the browser. If an error message does appear, you can install the necessary certificates T-Telesec GlobalRoot Class 2, DFN-Verein Global Issuing CA and DFN-Verein Global Issuing as described under http://www.lrz.de/services/pki/certs/index.html. As the certificates are located on an external web server, they are stored here as copies:

 

| Name (CN of the CA certificate) | Company (O and OU of the CA certificate) | Valid until | crt |
|---|---|---|---|
| T-TeleSec GlobalRoot Class 2 | T-Systems Enterprise Services GmbH, T-Systems Trust Center | Oct 2033 | crt |
| DFN-Verein Certification Authority 2 | Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., DFN-PKI | Feb 2031 | crt |
| DFN-Verein Global Issuing CA | Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., DFN-PKI | Feb 2031 | |

How to install the certificates:

Windows 7, Vista and XP:

Download the certificates. After acknowledging the safety warning, double-click on the certificates to open. Click on the “Certification path” tab to see the certification status, which tells you whether the certificate is recognized as valid. If it is not, you can import it in the “General” tab. To do so, click on “Install certificate” and follow the instructions of the Certificate Import Wizard.

Linux:

The certificates must be stored in the Firefox certificate store. The easiest way to do this is to use Firefox to click on the relevant links on this page (local copies) or on the page  http://www.lrz.de/services/pki/certs/index.html and confirm the import.

Mac OS X:

The certificates have to be downloaded and imported into the keychain by double-clicking them.
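
The check from section 4.4 (opening https://asa-cluster.lrz.de must not produce a certificate error) can also be run from a script. The following is an added example, not part of the original instructions; the function names and status strings are chosen here for illustration, and it tests the trust store used by Python's ssl module, which can differ from the store your browser uses.

```python
import socket
import ssl

# OpenSSL verification codes relevant to the "connection is not secure" case.
MISSING_CA = {2, 19, 20, 21}  # issuer or root not found in the local trust store
EXPIRED = {10}                # certificate has expired
SELF_SIGNED = {18}            # self-signed leaf certificate
HOSTNAME_MISMATCH = {62}      # certificate does not match the host name


def classify(verify_code):
    """Map an OpenSSL verify code to a short status string (names are illustrative)."""
    if verify_code in MISSING_CA:
        return "missing-ca"
    if verify_code in EXPIRED:
        return "expired"
    if verify_code in SELF_SIGNED:
        return "self-signed"
    if verify_code in HOSTNAME_MISMATCH:
        return "hostname-mismatch"
    return "other-verify-error"


def check_gateway(host="asa-cluster.lrz.de", port=443, timeout=5.0):
    """Try a fully verified TLS handshake; return (status, detail)."""
    ctx = ssl.create_default_context()  # trust store used by Python's ssl module
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                detail = "issuer CN=%s, valid until %s" % (
                    issuer.get("commonName"), cert["notAfter"])
                return "ok", detail
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:  # refused, timed out, DNS failure, non-TLS peer
        return "unreachable", str(exc)


if __name__ == "__main__":
    status, detail = check_gateway()
    print(status, "-", detail)
    if status == "missing-ca":
        print("Install the CA certificates listed in section 4.4.")
```

A result of "missing-ca" corresponds to the situation described above, where the CA certificates from the table still have to be installed; "unreachable" points to a network problem rather than a certificate problem.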

5. Manual Installation:

  • Check and, if necessary, install the necessary certificates
  • Use the browser to go to page https://asa-cluster.lrz.de
  • Enter username and password
  • The operating system is then recognized automatically and the client download starts. Administrator rights are required for the initial installation.
  • After installation, the connection is established immediately. In the tray (Windows) or menu bar (Mac OS X, Linux), the client can be brought to the front.
  • If automatic installation does not work, the client can be downloaded via the link in the browser and installed manually. In the “Connect to:” field, you have to enter asa-cluster.lrz.de. With Windows, you have to deactivate Internet Connection Sharing (ICS).
  • The client can then be started via the program menu. Local LAN access can be activated via the Preferences menu.

6. Beta and newest versions:

Experienced users can download the newest and Beta versions of the AnyConnect client via our Download Portal in the AnyConnect client – newest Beta... section.

7. Alternative Applications:

The Open Source application OpenConnect can also be used for Linux and Mac OS X. From Ubuntu Karmic (9.10), for example, this is also integrated in the Network Manager.

8. Information from Cisco: