Cisco AnyConnect Secure Mobility Client, Release 4.4.04030
This page includes information for Windows, Mac & Linux Installations
AnyConnect Supported Operating Systems
Cisco AnyConnect Secure Mobility Client supports the following operating systems
|Supported Operating Systems||VPN Client|
|Windows 7, 8, 8.1, 10, & 10 RS2
Windows 7 SP1, 8, 8.1 & 10
x86(32-bit) and x64(64-bit)
|Mac OS X 10.10, 10.11, and 10.12||Yes|
|Linux Red Hat 6, 7 & Ubuntu 12.04 (LTS), 14.04 (LTS), and 16.04 (LTS) (64-bit only)||Yes|
Note: Although versions other than those listed above may work, Cisco has not performed full testing on any version other than those listed.
Cisco AnyConnect installations can coexist with other VPN clients, including IPsec clients, on all supported endpoints; however, we do not support running AnyConnect while other VPN clients are running.
Cisco AnyConnect Virtual Environment
Cisco performs a portion of AnyConnect client testing using these virtual machine environments:
- VMWare ESXi Hypervisor (vSphere) 4.0.1 and later
- VMWare Fusion 2.x, 3.x, and 4.x
We do not support running AnyConnect in virtual environments; however, we expect AnyConnect to function properly in the VMWare environments we test in.
If you encounter any issues with AnyConnect in your virtual environment, report them. We will make our best effort to resolve them.
AnyConnect Support for Microsoft Windows
- Pentium class processor or greater.
- 100 MB hard disk space.
- Microsoft Installer, version 3.1.
- Upgrading to Windows 8.1 from any previous Windows release requires you to uninstall AnyConnect, and reinstall it after your Windows upgrade is complete.
- Upgrading from Windows XP to any later Windows release requires a clean install since the Cisco AnyConnect Virtual Adapter is not preserved during the upgrade. Manually uninstall AnyConnect, upgrade Windows, then reinstall AnyConnect manually or via WebLaunch.
- To start AnyConnect with WebLaunch, you must use the 32-bit version of Firefox 3.0+ and enable ActiveX or install Sun JRE 1.4+.
- AnyConnect is not supported on Windows RT. There are no APIs provided in the operating system to implement this functionality. Cisco has an open request with Microsoft on this topic. Those who want this functionality should contact Microsoft to express their interest.
- Other third-party product’s incompatibility with Windows 8 prevent AnyConnect from establishing a VPN connection over wireless networks. Here are two examples of this problem:
- WinPcap service “Remote Packet Capture Protocol v.0 (experimental)” distributed with Wireshark does not support Windows 8.
- To work around this problem, uninstall Wireshark or disable the WinPcap service, reboot your Windows 8 computer, and attempt the AnyConnect connection again.
- Outdated wireless cards or wireless card drivers that do not support Windows 8 prevent AnyConnect from establishing a VPN connection.
- To work around this problem, make sure you have the latest wireless network cards or drivers that support Windows 8 installed on your Windows 8 computer.
- AnyConnect is not integrated with the new UI framework, known as the Metro design language, that is deployed on Windows 8; however, AnyConnect does run on Windows 8 in desktop mode.
- HP Protect tools do not work with AnyConnect on Windows 8.x.
- Windows 2008 is not supported; however, we do not prevent the installation of AnyConnect on this OS. Also, Windows Server 2008 R2 requires the optional SysWow64 component
- Verify that the driver on the client system is supported by Windows 7 or 8. Drivers that are not supported may have intermittent connection problems.
- If you intend to upgrade your Windows installation, manually uninstall AnyConnect first. After the upgrade, reinstall it manually or by establishing a web-based connection to vpn.warwick.ac.uk to install it. Uninstalling before the upgrade and reinstalling AnyConnect afterwards is necessary because the upgrade does not preserve the Cisco AnyConnect Virtual Adapter.
- On Windows 8, the Export Stats button on the Preferences > VPN > Statistics tab saves the file on the desktop. In other versions of Windows, the user is asked where to save the file.
- AnyConnect VPN is compatible with 3G data cards which interface with Windows 7 or later via a WWAN adapter.
Web-based Installation May Fail on 64-bit Windows
This issue applies to Internet Explorer versions 10 and 11, on Windows versions 7 and 8.
When the Windows registry entry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth is set to 0, Active X has problems during AnyConnect web deployment.
See http://support.microsoft.com/kb/2716529 for more information.
The solution to is to:
- Run a 32-bit version of Internet Explorer.
- Edit the registry entry to a non-zero value, or remove that value from the registry.
Note: On Windows 8, starting Internet Explorer from the Windows start screen runs the 64-bit version. Starting from the desktop runs the 32-bit version.
AnyConnect Compatibility with Microsoft Windows 10
AnyConnect 4.1MR4(4.1.04011) and later are compatible with Windows 10 official release. Technical Assistance Center (TAC) support is available beginning on 7/29/2015.
For best results, we recommend a clean install of AnyConnect on a Windows 10 system and not an upgrade from Windows 7/8/8.1. If you are planning to perform an upgrade from Windows 7/8/8.1 with AnyConnect pre-installed, make sure that you first upgrade AnyConnect prior to uprading the operating system. You may also choose to fully uninstall AnyConnect and re-install one of the supported versions after upgrading to Windows 10.
Microsoft Phasing out SHA-1 Support
- A secure gateway with a SHA-1 certificate or a certificate with SHA-1 intermediate certificates may no longer be considered valid by a Windows Internet Explorer 11 / Edge browser or a Windows AnyConnect endpoint after February 14, 2017. After February 14, 2017, Windows endpoints may no longer consider a secure gateway with a SHA-1 certificate or intermediate certificate as trusted. We highly recommend that your secure gateway does not have a SHA-1 identity certificate and that any intermediate certificates are not SHA-1.
- Microsoft has made modifications to their original plan of record and timing. They have published details for how to test whether your environment will be impacted by their February 2017 changes. Cisco is not able to make any guarantees of correct AnyConnect operation for customers with SHA-1 secure gateway or intermediate certificates or running old versions of AnyConnect.
- Cisco highly recommends that customers stay up to date with the current maintenance release of AnyConnect in order to ensure that they have all available fixes in place. The most up-to-date version of AnyConnect 4.x and beyond are available Cisco.com Software Center for customers with active AnyConnect Plus, Apex, and VPN Only terms/contracts. AnyConnect Version 3.x is no longer actively maintained and should no longer be used for any deployments.
Note: Cisco has validated that AnyConnect 4.3 and 4.4 (and beyond) releases will continue to operate correctly as Microsoft further phases out SHA-1. Long term, Microsoft intends to distrust SHA-1 throughout Windws in all contexts, but their current advisory does not provide any specifics or timing on this. Depending on the exact date of that deprecation, many earlier versions of AnyConnect may no longer operate at any time. Refer to Microsoft's advisory for further information.
WebLaunch Issues With Safari
There is an issue with Weblaunch with Safari. The default security settings in the version of Safari that comes with OS X 10.9 (Mavericks) prevents AnyConnect Weblaunch from working. To configure Safari to allow Weblaunch, edit the URL of the ASA to Unsafe Mode, as described below.
- Open Safari > Preferences > Security > Manage Website Settings.
- Click on the ASA and select run in Unsafe Mode.
Active X Upgrade Can Disable Weblaunch
Automatic upgrades of AnyConnect software via WebLaunch will work with limited user accounts as long as there are no changes required for the ActiveX control.
Occasionally, the control will change due to either a security fix or the addition of new functionality.
Should the control require an upgrade when invoked from a limited user account, the administrator must deploy the control using the AnyConnect pre-installer, SMS, GPO or other administrative deployment methodology.
Java 7 Issues
Java 7 can cause problems with AnyConnect Secure Mobility Client, Hostscan, CSD and Clientless SSL VPN (WebVPN). A description of the issues and workarounds is provide in the Troubleshooting Technote Java 7 Issues with AnyConnect, CSD/Hostscan, and WebVPN - Troubleshooting Guide, which is in Cisco documentation under Security > Cisco Hostscan.
Firefox Certificate Store on Mac OS X is Not Supported
The Firefox certificate store on Mac OS X is stored with permissions that allow any user to alter the contents of the store, which allows unauthorized users or processes to add an illegitimate CA into the trusted root store. Anyconnect no longer utilizes the Firefox store for either server validation or client certificates.
Full Authentication Required if Roaming between Access Points
A mobile endpoint running Windows 7 or later must do a full EAP authentication instead of leveraging the quicker PMKID reassociation when the client roams between access points on the same network. Consequently, in some cases, AnyConnect prompts the user to enter credentials for every full authentication if the active profile requires it.
Using the Windows 7 or later Wireless Hosted Network feature can make AnyConnect unstable. When using AnyConnect, we do not recommend enabling this feature or running front-end applications that enable it (such as Connectify or Virtual Router).
AnyConnect Support for Linux
- x86 instruction set.
- 64-bit processor.
- 32 MB RAM.
- 20 MB hard disk space.
- Dependency on network-manager and libnm library to support NVM.
- Superuser privileges are required for installation.
- libstdc++ users must have libstdc++.so.6(GLIBCXX_3.4) or higher, but below version 4.
- Java 5 (1.5) or later. The only version that works for web installation is Sun Java. You must install Sun Java and configure your browser to use that instead of the default package.
- zlib - to support SSL deflate compression
- xterm - only required if you're doing initial deployment of AnyConnect via Weblaunch from ASA clientless portal.
- gtk 2.0.0.
- gdk 2.0.0.
- libpango 1.0.
- iptables 1.2.7a or later.
- tun module supplied with kernel 2.4.21 or 2.6.
AnyConnect Support for Mac
AnyConnect requires 50MB of hard disk space.
To operate correctly with Mac, AnyConnect requires a minimum display resolution of 1024 by 640 pixels.
- Mac App Store
- Mac App Store and identified developers
The default setting is Mac App Store and identified developers (signed applications). AnyConnect release 3.1 is a signed application, but it is not signed using an Apple certificate. This means that you must either select the Anywhere setting or use Control-click to bypass the selected setting to install and run AnyConnect from a pre-deploy installation.
Users who web deploy or who already have AnyConnect installed are not impacted. For further information see: http://www.apple.com/macosx/mountain-lion/security.html
Note: Web launch or OS upgrades (for example 10.7 to 10.8) install as expected. Only the pre-deploy installation requires additional configuration as a result of Gatekeeper.
AnyConnect macOS 10.13 (High Sierra) Compatibility
The recommended version of AnyConnect for macOS 10.13 (High Sierra) is AnyConnect 4.5.02XXX and above.
AnyConnect 4.5.02XXX and above has additional functionality and warnings to guide users through the steps needed to leverage AnyConnect’s complete capabilities, by enabling the AnyConnect software extension in their macOS Preferences -> Security & Privacy pane. The requirement to manually enable the software extension is a new operating system requirement in macOS 10.13 (High Sierra). Additionally, if AnyConnect is upgraded to 4.5.02XXX and above before a user’s system is upgraded to macOS 10.13 or later, the user will automatically have the AnyConnect software extension enabled.
Users running macOS 10.13 (High Sierra) with a version of AnyConnect earlier than 4.5.02XXX must enable the AnyConnect software extension in their macOS Preferences -> Security & Privacy pane. Although AnyConnect 4.4.04030 and 4.5.01044 have been tested to work with macOS 10.13 (High Sierra), those users will not have the additional functionality and warning guidance added to AnyConnect 4.5.02XXX. You may need to manually reboot after enabling the extension prior to AnyConnect 4.5.02xxx.
As described in https://support.apple.com/en-gb/HT208019, macOS system administrators potentially have additional capabilities to disable User Approved Kernel Extension Loading, which would be effective with any currently supported version of AnyConnect.
AnyConnect Support on Mac OS X El Capitan 10.11
The Cisco AnyConnect Secure Mobility Client is supported on the Mac OS X El Capitan 10.11 operating system.
Using the Manual Install Option on Mac OS X if the Java Installer Fails
If users WebLaunch from the ASA headend to start AnyConnect on a Mac, and the Java installer fails, a dialog box presents a Manual Install link. Users should do the following when this happens:
- Click Manual Install. A dialog box presents the option to save a .dmg file that contains an OS X installer.
- Mount the disk image (.dmg) file by opening it and browsing to the mounted volume using Finder.
- Open a Terminal window and use the CD command to navigate to the directory containing the file saved. Open the .dmg file and run the installer.
- Following the installation, choose Applications > Cisco > Cisco AnyConnect Secure Mobility Client to initiate an AnyConnect session, or use Launchpad.