
Release Notes for Cisco AnyConnect VPN Client, Release 2.3.nnn

Revised: October 04, 2009, OL-18325-16

Introduction

These release notes are for the following Cisco AnyConnect VPN Client releases:

- 2.3.2016
- 2.3.254
- 2.3.185

The AnyConnect client provides remote users with secure VPN connections to the Cisco ASA 5500 Series Adaptive Security Appliance using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol.

The AnyConnect client provides remote end users running Microsoft Windows Vista, Windows Mobile, Windows XP or Windows 2000, Linux, or Macintosh OS X, with the benefits of a Cisco SSL VPN client, and supports applications and functions unavailable to a clientless, browser-based SSL VPN connection. In addition, the AnyConnect client supports connecting to IPv6 resources over an IPv4 network tunnel. This release supports the SSL and DTLS protocol. This release does not include IPsec support.

The client can be loaded on the security appliance and automatically downloaded to remote users when they log in, or it can be manually installed as an application on PCs by a network administrator. After downloading, it can automatically uninstall itself after the connection terminates, or it can remain on the remote PC for future SSL VPN connections.

The client includes the ability to create user profiles that are displayed in the user interface and define the names and addresses of host computers.

These release notes describe new features, limitations and restrictions, open and resolved caveats, and related documentation. They also include procedures you should follow before loading this release. The section Usage Notes on page 47 describes interoperability considerations and other issues you should be aware of when installing and using the AnyConnect client. Read these release notes carefully prior to installing this software.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2009 Cisco Systems, Inc. All rights reserved.

Contents

This document includes the following sections:

- New Features
- Feature Overview
- System Requirements
- Upgrading to AnyConnect Release 2.3
- Installation Notes
- Usage Notes
- Caveats
- Notices/Licensing
- Related Documentation

New Features

The following sections describe the new features in the 2.3 releases:

- New Features in Cisco AnyConnect VPN Client, Release 2.3.2016
- New Features in Cisco AnyConnect VPN Client, Release 2.3.254
- New Features in Cisco AnyConnect VPN Client, Release 2.3.185

New Features in Cisco AnyConnect VPN Client, Release 2.3.2016

AnyConnect VPN Client Release 2.3.2016 is primarily a quality improvement release; however, it does include the following new features.

Ignore Proxy

This feature lets you specify a policy in the AnyConnect profile to bypass the Internet Explorer proxy configuration settings on the user’s PC. It is useful when the proxy configuration prevents the user from establishing a tunnel from outside the corporate network.

To enable Ignore Proxy, insert the following line into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

    <ProxySettings>IgnoreProxy</ProxySettings>

Note: AnyConnect currently supports only the IgnoreProxy setting; it does not support the Native and Override settings in the new ProxySettings section within the <ClientInitialization> section of the XML schema (AnyConnectProfile.xsd).

Using PPP Exclusion to Support AnyConnect over L2TP or PPTP

AnyConnect Release 2.3.2016 introduces support for the L2TP and PPTP tunneling protocols used by ISPs in some countries, including Israel.

To send traffic destined for the ASA over a PPP connection, AnyConnect uses the point-to-point adapter generated by the external tunnel. When establishing a VPN tunnel over a PPP connection, AnyConnect must exclude traffic destined for the ASA from the tunneled traffic intended for destinations beyond the ASA. To specify whether and how to determine the exclusion route, use the PPPExclusion configuration option.

The exclusion route appears as a non-secured route in the Route Details display of the AnyConnect GUI.

The following sections describe how to set up PPP exclusion:

- Configuring PPP Exclusion
- Instructing Users to Override PPP Exclusion

Configuring PPP Exclusion

By default, PPP Exclusion is disabled. AnyConnect Release 2.3.2016 does not provide Profile Editor support for editing the PPP Exclusion settings. To enable PPP exclusion, insert the <PPPExclusion> line shown below into the <ClientInitialization> section of the AnyConnect profile (anyfilename.xml):

    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
      <ClientInitialization>
        <PPPExclusion UserControllable="true">Automatic</PPPExclusion>
      </ClientInitialization>
      <ServerList>
        <HostEntry>
          <HostName>DomainNameofASA</HostName>
          <HostAddress>IPaddressOfASA</HostAddress>
        </HostEntry>
      </ServerList>
    </AnyConnectProfile>

The PPPExclusion UserControllable value true lets users read and change the PPP exclusion settings. If you want to prevent users from viewing and changing the PPP exclusion settings, change it to false.

AnyConnect supports the following PPPExclusion values:

- Automatic—Enables PPP exclusion. AnyConnect automatically uses the IP address of the PPP server. Instruct users to change the value only if automatic detection fails to get the IP address.
- Override—Also enables PPP exclusion. If automatic detection fails to get the IP address of the PPP server, and the PPPExclusion UserControllable value is true, instruct users to follow the instructions in the next section to use this setting.
- Disabled—Disables PPP exclusion by forwarding all client traffic through the VPN tunnel.

To let users view and change the IP address of the security appliance used for PPP exclusion, add the <PPPExclusionServerIP> tag with its UserControllable value set to true, as shown below:

    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
      <ClientInitialization>
        <PPPExclusion UserControllable="true">Automatic</PPPExclusion>
        <PPPExclusionServerIP UserControllable="true"></PPPExclusionServerIP>
      </ClientInitialization>
      <ServerList>
        <HostEntry>
          <HostName>DomainNameofASA</HostName>
          <HostAddress>IPaddressOfASA</HostAddress>
        </HostEntry>
      </ServerList>
    </AnyConnectProfile>

Instructing Users to Override PPP Exclusion

AnyConnect does not currently provide UI support for PPP exclusion. If automatic detection does not work, and the PPPExclusion UserControllable value is true, instruct the user to manually override PPP exclusion, as follows:

Step 1: Use an editor such as Notepad to open the AnyConnect (anyfilename.xml) file. This file is on one of the following paths on the user’s computer:

- Windows: %LOCAL APPDATA%\Cisco\Cisco AnyConnect VPN Client\anyfilename.xml. For example,
  – Windows o AnyConnect VPN Client\anyfilename.xml
  – Windows XP—C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\anyfilename.xml
- Mac OS X: /Users/username/.anyconnect
- Linux: /home/username/.anyconnect

Step 2: Insert the PPPExclusion details under <ControllablePreferences>, while specifying the Override value and the IP address of the PPP server. The address must be a well-formed IPv4 address. For example:

    <AnyConnectPreferences>
      <ControllablePreferences>
        <PPPExclusion>Override
          <PPPExclusionServerIP>192.168.22.44</PPPExclusionServerIP>
        </PPPExclusion>
      </ControllablePreferences>
    </AnyConnectPreferences>

Step 3: Save the file.

Step 4: Exit and restart AnyConnect.

New Features in Cisco AnyConnect VPN Client, Release 2.3.254

The AnyConnect client Release 2.3.1 includes one new feature and improvements to some existing features, as well as resolving numerous open caveats:

- Windows users can now establish an AnyConnect session from a single Remote Desktop Protocol (RDP) session.
- In addition, the security appliance now issues a syslog message when an older Cisco VPN client or a non-Cisco client attempts a connection to the security appliance. This syslog message is configurable and is disabled by default.

- This release includes new translation templates and a procedure for upgrading the AnyConnect client.
- You can use the Java-based utility, Cisco AnyConnect Profile Editor - Beta, as an alternative to using ASDM to create AnyConnect profiles. After using it to create a profile, you can import it to the ASA for pushing to clients. Click the AnyConnectProfileEditor.zip link adjacent to “2.3.0254” on the AnyConnect VPN Client Software Download page, download and extract the file, then see tf document for instructions.

Allow AnyConnect Session from an RDP Session for Windows Users

Some customers require the ability to log on to a client PC using Windows Remote Desktop and create a VPN connection to a secure gateway from within the Remote Desktop (RDP) session. This new feature allows a VPN session to be established from an RDP session. A split tunneling VPN configuration is required for this to function correctly. For information about split tunneling, see Cisco ASDM User Guide or Cisco ASA 5500 Series Command Line Configuration Guide Using the CLI.

The default settings for this feature retain the existing functionality: namely, a locally logged-on user can establish a VPN connection only when no other local user is logged in. The VPN connection is terminated when the user logs out, and additional local logons during a VPN connection result in the connection being torn down. Remote logons and logoffs during a VPN connection are unrestricted.

Note: With this new feature, the AnyConnect client disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, then the VPN connection is terminated.

New preference settings in the AnyConnect profile dictate how Windows logons are treated at connection establishment and during the connection. These preferences are configurable only by the network administrator. They let customers configure the client to allow VPN connection establishment from an RDP session. The end-user does not see any changes in the AnyConnect client GUI as a result of this feature. Table 1 shows the new preferences.

Table 1. Windows Logon Preferences

    Preference Name            Possible Values
    WindowsLogonEnforcement    SingleLocalLogon (default), SingleLogon
    WindowsVPNEstablishment    LocalUsersOnly (default), AllowRemoteUsers

Windows Logon Enforcement

The WindowsLogonEnforcement preference setting determines the behavior of the AnyConnect client when a user logs on to the client PC. The possible values for this preference setting are as follows:

- SingleLocalLogon—(Default) Allows only one local user to be logged on during the entire VPN connection. This behavior is similar to, but not exactly the same as, the behavior in earlier releases. If more than one local user is logged on when the VPN connection is being established, the connection is not allowed. If a second local user logs on during the VPN connection, then the VPN connection is terminated.

  With this setting, a local user can establish a VPN connection while one or more remote users are logged on to the client PC, but if the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection. The SingleLocalLogon setting has no effect on remote user logons from the enterprise network over the VPN connection.
- SingleLogon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection is terminated.
  When you select the SingleLogon setting, no additional logons are allowed during the VPN connection, so a remote logon over the VPN connection is not possible.

Windows VPN Establishment

The WindowsVPNEstablishment preference setting determines the behavior of the AnyConnect client when a user who is remotely logged on to the client PC establishes a VPN connection. The possible values are:

- LocalUsersOnly—(Default) Prevents a remotely logged-on user from establishing a VPN connection. This is the same functionality as in prior versions of the AnyConnect client.
- AllowRemoteUsers—Allows remote users to establish a VPN connection. However, if the configured VPN connection routing causes the remote user to become disconnected, the VPN connection is terminated to allow the remote user to regain access to the client PC.
  Remote users must wait 90 seconds after VPN establishment if they want to disconnect their remote login session without causing the VPN connection to be terminated.

On Vista, the WindowsVPNEstablishment profile setting is not currently enforced during Start Before Logon (SBL). The AnyConnect client does not determine whether the VPN connection is being established by a remote user before logon; therefore, a remote user can establish a VPN connection via SBL even when the WindowsVPNEstablishment setting is LocalUsersOnly. Previous versions of AnyConnect also did not prevent this behavior.

New Syslog Message for Older or Non-Cisco Clients

The AnyConnect client, Releases higher than 2.3.0185, identifies itself as an official, proprietary implementation of the Cisco SSL tunneling protocol. You can configure the security appliance to issue a system log message when an unknown implementation attempts to connect. The message also appears when a version of the AnyConnect prior to 2.3.0185 or the legacy Cisco SSL VPN client connects.

    %hostname-6-722053: Group g User u IP ip Unknown client user-agent connection

Where:

- g is the group-policy the user logged in on.
- u is the username of the user.
- ip is the public (i.e. Internet) IP address of the user.
- user-agent is the user agent string from the client, indicating the version of the client the user is using.

For example:

    %hostname-6-722053: Group webvpn User sales IP 1.2.3.4 Unknown client Cisco AnyConnect VPN Agent for Windows 2.3.0185 connection

This syslog can occur when an older, or non-supported, SSL VPN client has connected to the security appliance. Such clients include:

- Cisco SSL VPN Client (SVC).
- Cisco AnyConnect Client, Release 2.3.185 or earlier.

This message has no effect on whether the connection succeeds.

Configuration

This syslog is disabled by default. To enable this syslog on the console, do the following:

    hostname(config)# logging enable
    hostname(config)# logging class svc console warning

To change the severity of this syslog to notification (5), do the following:

    hostname(config)# logging message 722053 level notification

To enable just this syslog, do the following:

    hostname(config)# logging enable
    hostname(config)# logging message 722053 level emergencies
    hostname(config)# logging class svc console emergencies

Translation Templates and Upgrading the AnyConnect Client

Occasionally, we add new messages displayed to AnyConnect users that provide helpful information about the client connection. To enable translation of these new messages, we create new message strings and include them in the translation template packaged with the latest client image. Therefore, if you upgrade to the latest available client, you also receive the template with the new messages. However, if you have created translation tables based on the template included with the previous client, the new messages are not automatically displayed to remote users. You must merge the latest template with your translation table.

Convenient tools exist to help you merge the template and the translation table. The tools and procedure are covered in Cisco AnyConnect VPN Client Administrator Guide, Merging a Newer Translation Template with your Translation Table, page 5-23.

New Features in Cisco AnyConnect VPN Client, Release 2.3.185

The AnyConnect client Release 2.3 focuses on providing an improved user experience.
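For the 722053 message described above under "New Syslog Message for Older or Non-Cisco Clients", the following added example (not part of Cisco's release notes) parses that message layout and groups users by the kind of client they connected with, so outdated clients can be followed up. The log lines, the timestamp prefix and the category names are constructed for illustration.

```python
import re

# Layout from the release notes:
#   %hostname-6-722053: Group g User u IP ip Unknown client user-agent connection
# The severity digit is not pinned because the notes show it can be changed.
MSG_722053 = re.compile(
    r"%(?P<host>\S+?)-(?P<severity>\d)-722053: "
    r"Group (?P<group>.+?) User (?P<user>.+?) IP (?P<ip>\S+) "
    r"Unknown client (?P<agent>.+) connection\s*$"
)
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\s*$")

# The notes list "Release 2.3.185 or earlier" as AnyConnect clients that trigger it.
LAST_FLAGGED = (2, 3, 185)

# Constructed sample input; only the first message body is taken from the notes.
SAMPLE_LOG = """\
Oct 04 2009 10:15:02 asa1 : %asa1-6-722053: Group webvpn User sales IP 1.2.3.4 Unknown client Cisco AnyConnect VPN Agent for Windows 2.3.0185 connection
Oct 04 2009 10:16:40 asa1 : %asa1-5-722053: Group webvpn User jdoe IP 198.51.100.7 Unknown client ExampleVPN/1.0 connection
Oct 04 2009 10:17:11 asa1 : %asa1-6-000000: unrelated constructed line
Oct 04 2009 10:18:09 asa1 : %asa1-6-722053: Group eng-vpn User a.lee IP 203.0.113.9 Unknown client Cisco AnyConnect VPN Agent for Windows 2.2.0140 connection
"""


def client_version(agent):
    """Return the trailing x.y.z version of a user-agent as a tuple, or None."""
    m = VERSION.search(agent)
    return tuple(int(part) for part in m.groups()) if m else None


def classify(agent):
    """Separate old AnyConnect builds from legacy or non-Cisco clients."""
    version = client_version(agent)
    if agent.startswith("Cisco AnyConnect") and version and version <= LAST_FLAGGED:
        return "outdated-anyconnect"
    return "other-client"


def parse_722053(line):
    """Parse one log line; return a dict of fields, or None if it is not 722053."""
    m = MSG_722053.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["version"] = client_version(rec["agent"])
    rec["category"] = classify(rec["agent"])
    return rec


def scan(lines):
    """Return the parsed 722053 records found in an iterable of log lines."""
    return [rec for rec in map(parse_722053, lines) if rec]


def summarize(findings):
    """Map each category to the sorted list of usernames seen in it."""
    out = {}
    for rec in findings:
        out.setdefault(rec["category"], set()).add(rec["user"])
    return {cat: sorted(users) for cat, users in out.items()}


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG.splitlines()):
        print(rec["category"], rec["group"], rec["user"], rec["ip"], rec["agent"])
```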
This release includes the following new features:

- AnyConnect support for the Windows Mobile OS touch-screen devices listed in “System Requirements” section on page 12 for VPN connections to Cisco Series 5500 Adaptive Security Appliances. Although AnyConnect 2.3 is designed for compatibility with Windows Mobile 6.1, 6.0 and 5.0 Professional and Classic, Cisco supports only the devices it has specifically qualified and listed in that section.

  Note: Windows Mobile requires an AnyConnect for Mobile license and must have ASA Release 8.0.3 or later running on the security appliance.

- Machine certificate access for authentication (standalone mode only). Any logged-in user on the system in standalone mode can have access to available machine certificates, as well as to user certificates, for VPN authentication.
- The AnyConnect client for Windows Mobile requires that a security appliance mobile license be installed. If the correct license is not installed, the end user receives an error message.
- Dynamic updating of the user interface when changing groups.
- Enhancements to the management of user preferences, including a new profile template and more customizable attributes.
- New profile template with all the possible preferences and comments about their use under the <ClientInitialization> tag.
  – UseStartBeforeLogon: existed in 2.2 but now it can be made user controllable (visible in the preferences dialog)
  – ShowPreConnectMessage: existed in 2.2

  The rest are all new preferences under <ClientInitialization>:
  – CertificateStoreOverride
  – CertificateStore
  – AutoConnectOnStart
  – MinimizeOnConnect
  – LocalLanAccess
  – AutoReconnect and its child element AutoReconnectBehavior
  – AutoUpdate
  – RSASecurIDIntegration

Table 2 shows the default values for these elements (if not found in the profile) and their possible values.

Table 2. Default Values for Preferences Elements

Columns: Preference Name; Preference Available by Default (1); Default Value (2); Possible Values (3); User Control Allowed (4); Default User Control (5); OS (6).

    Preference Name      Available   Default   Possible      User Control   Default User   OS
                         by Default  Value     Values        Allowed        Control
    MinimizeOnConnect    true        true      true, false   Yes            True           All
    LocalLanAccess       true        false     true, false   Yes            True           All

1. Preferences available by default are visible to the user and configurable even if there is no profile in the head end.
2. The default value of a preference is used when its value is not defined in the profile.
3. The value of a preference is defined in between the preference tags; for example, <AutoUpdate>true</AutoUpdate>.
4. Preferences that don’t allow user control cannot be made UserControllable; that is, even if they are defined as UserControllable="true" in the profile, this is ignored, and the default values are used.
5. The user controllable attribute is defined inside the preference tags; for example, <AutoUpdate UserControllable="true">true</AutoUpdate>. Its possible values are “true” or “false”, and these determine which preferences are overridden by the anyfilename.xml file. This is an optional attribute, and if not defined, the default value is used. Preferences made UserControllable="true" in the profile are visible in the Preferences dialog.
6. OS that supports these preferences.
7. If you disable AutoConnectOnStart, the user must select an option in the Connect to drop-down list to establish an AnyConnect session. After the user does so, AnyConnect applies the settings of the AnyConnect client profile provided by that host.
8. See the note below to add the AutoReconnect preference.
9. The AnyConnect client is compatible with RSA SecurID software versions 1.1 and higher. At the time of this release, RSA SecurID Software Token client software does not support Windows Vista and 64-bit systems.

Note: AutoReconnect is a special type of preference, as it has a child preference. This is configured in the profile as:

    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>

Note: If AutoReconnect is configured as not UserControllable, then AutoReconnectBehavior is not UserControllable, even if the profile says it is. If AutoReconnect is UserControllable, then AutoReconnectBehavior can be either UserControllable or not.

- Enhancements to Application Programming Interface (API), for customers who want to automate a VPN connection with the AnyConnect client from another application, including the following:
  – Preferences
  – Set tunnel-group method

  The API package contains documentation, source files, and library files to support a C interface for the Cisco AnyConnect VPN Client. There are libraries and example programs that can be used for building on Windows, Linux and Mac (10.4 or higher) platforms. The Makefiles (or project files) for the Windows platform are also included. For other platforms, there is a platform-specific script showing how to compile the example code. Network administrators can link their application (GUI, CLI, or embedded application) with these files and libraries.

Feature Overview

In addition to the new features listed above, the Cisco AnyConnect VPN Client provides remote users with secure VPN connections to the Cisco 5500 Series Adaptive Security Appliance.

Additional features of the AnyConnect client include:

- Support for Start Before Logon for Windows Vista systems, in addition to other Windows operating systems.
- Extended customization and localization features—This version of the AnyConnect client includes enhanced customization features and language translation features. In previous versions, you could customize client installations only on an individual PC basis. With this version, the security appliance can customize the client as it downloads and installs the client on the remote PC. You can also translate the client installer. These extended features include the following items:
  – Localized installs using localized MSI transforms (Windows only).
  – Custom MSI transforms (Windows only).
  – User-defined resource files.
  – Third-party GUI/CLI support.
  – Localization for Mac OS X 10.4 and 10.5.
- System tray in Windows systems now shows an icon when the AnyConnect client is reconnecting after losing connectivity.
- Enhanced Network Mobility—A user can lose connectivity for an extended period of time and still be able to have the client automatically resume the connection, as long as the security appliance has not logged the session off. In addition, a VPN session can now be retained during a hibernate/standby condition. This does not require any configuration changes; it is automatically enabled. The VPN tunnel might be dropped if the hibernation/sleep time exceeds the idle connection timeout or session timeout configured on the security appliance. You can also restrict this feature by setting the idle session timeout to a low value.

  In earlier versions, the tunnel would be automatically torn down when a system entered suspend or hibernate. For Windows Vista, please see the usage note on this topic, “Network Subsystem on Windows Vista Might Become Unresponsive During Sleep/Resume Cycles or Other High-load Conditions (KB-952876)” section on page 51.
- Application Programming Interface (API), for customers who want to automate a VPN connection with the AnyConnect client from another application.
- Datagram Transport Layer Security (DTLS) with SSL connections—Avoids latency and bandwidth problems associated with some SSL-only connections and improves the performance of real-time applications that are sensitive to packet delays. DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. For detailed information about DTLS, see RFC 4347 (http://www.ietf.org/rfc/rfc4347.txt).
- Standalone Mode—Allows a Cisco AnyConnect VPN client to be established as a PC application without the need to use a web browser to establish a connection.
- Command Line Interface (CLI)—Provides direct access to client commands at the command prompt.
- Microsoft Installer (MSI)—Gives Windows users a pre-install package option that provides installation, maintenance, and removal of AnyConnect client software on Windows systems.
- IPv6 VPN access—Allows access to IPv6 resources over a public IPv4 connection (Windows XP SP2, Windows Vista, Mac OSX, and Linux only). See the Usage Notes section for information about setting up IPv6 access.
- Start Before Logon (SBL)—Allows for login scripts, password caching, drive mapping, and more, for Windows.
- Certificate-only authentication—Allows users to connect with digital certificate and not provide a user ID and password.
- Simultaneous AnyConnect client and clientless, browser-based connections.
- Compression—Increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred. Compression works only for TLS.
- Fallback from DTLS to TLS—Provides a way of falling back from DTLS to TLS if DTLS is no longer working.
- Language Translation (localization)—Provides a way of implementing translation for user messages that appear on the client user interface.
- Dynamic Access Policies feature of the security appliance—Lets you configure authorization that addresses the variables of multiple group membership and endpoint security for VPN connections.
- Cisco Secure Desktop (CSD) support—Validates the security of client computers requesting access to your SSL VPN, helps ensure they remain secure while they are connected, and attempts to remove traces of the session after they disconnect. AnyConnect supports the Host Scan component of Cisco Secure Desktop on Windows XP and Windows 2000. Cisco Secure Desktop does not support the AnyConnect client within the Secure Desktop (Vault) on Windows Vista systems.
- Rekey—Provides the ability to renegotiate the key used to encrypt data packets throughout the life of the VPN connection.
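Returning to the PPP exclusion settings described earlier under "Configuring PPP Exclusion" and "Instructing Users to Override PPP Exclusion": the following added example (not part of Cisco's release notes) checks a user's override against the administrator's profile before it is rolled out. The function names are hypothetical, the XML samples are constructed from the fragments shown in those sections, and a missing UserControllable attribute is assumed to mean "not user controllable".

```python
import ipaddress
import xml.etree.ElementTree as ET

MODES = {"Automatic", "Override", "Disabled"}  # values listed in the release notes

# Constructed profile, modelled on the second profile example in the notes.
PROFILE_OPEN = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <PPPExclusion UserControllable="true">Automatic</PPPExclusion>
    <PPPExclusionServerIP UserControllable="true"></PPPExclusionServerIP>
  </ClientInitialization>
</AnyConnectProfile>"""
PROFILE_LOCKED = PROFILE_OPEN.replace('UserControllable="true"', 'UserControllable="false"')

# Constructed user preferences, modelled on Step 2 of the override procedure.
PREFS_OK = """<AnyConnectPreferences><ControllablePreferences>
  <PPPExclusion>Override
    <PPPExclusionServerIP>192.168.22.44</PPPExclusionServerIP>
  </PPPExclusion>
</ControllablePreferences></AnyConnectPreferences>"""
PREFS_BAD_IP = PREFS_OK.replace("192.168.22.44", "192.168.22")


def _find(root, name):
    """First element with this local name, ignoring any XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None


def _controllable(el):
    # Assumption: a missing element or attribute means not user controllable.
    return el is not None and el.get("UserControllable") == "true"


def profile_policy(profile_xml):
    """Return the profile's PPP exclusion mode and what users may change."""
    root = ET.fromstring(profile_xml)
    excl = _find(root, "PPPExclusion")
    # The notes state that PPP exclusion is disabled by default.
    mode = (excl.text or "").strip() if excl is not None else "Disabled"
    return {
        "mode": mode,
        "user_mode": _controllable(excl),
        "user_server_ip": _controllable(_find(root, "PPPExclusionServerIP")),
    }


def check_user_override(profile_xml, prefs_xml):
    """Return a list of problems with the user's PPP exclusion override."""
    policy = profile_policy(profile_xml)
    prefs = _find(ET.fromstring(prefs_xml), "ControllablePreferences")
    excl = _find(prefs, "PPPExclusion") if prefs is not None else None
    if excl is None:
        return []  # the user file overrides nothing
    problems = []
    mode = (excl.text or "").strip()
    if mode not in MODES:
        problems.append(f"unknown PPPExclusion value {mode!r}")
    if not policy["user_mode"]:
        problems.append("profile does not make PPPExclusion UserControllable")
    server = _find(excl, "PPPExclusionServerIP")
    ip_text = (server.text or "").strip() if server is not None else ""
    if server is not None and not policy["user_server_ip"]:
        problems.append("profile does not make PPPExclusionServerIP UserControllable")
    if mode == "Override":
        try:
            ipaddress.IPv4Address(ip_text)
        except ValueError:
            problems.append(f"PPPExclusionServerIP {ip_text!r} is not a well-formed IPv4 address")
    return problems


if __name__ == "__main__":
    for label, profile, prefs in [("ok", PROFILE_OPEN, PREFS_OK),
                                  ("bad ip", PROFILE_OPEN, PREFS_BAD_IP),
                                  ("locked", PROFILE_LOCKED, PREFS_OK)]:
        print(label, check_user_override(profile, prefs))
```

Because the exclusion route is a non-secured route outside the tunnel, the profile's UserControllable flags are the setting to review when deciding who may change it.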

System Requirements

If you are using Internet Explorer, use version 5.0, Service Pack 2 or later.

AnyConnect does not support virtualization software, such as VMWare for any platform or Parallels Desktop for Mac OS. Although initial testing suggests that AnyConnect 2.4 running over VMware or Microsoft Virtual PC on Windows 7 will generally work, it has never been fully tested and is not guaranteed to be 100% reliable.

AnyConnect does not support sessions with a security appliance running on the same subnet.

Microsoft Windows

If you are using Internet Explorer, use version 5.0, Service Pack 2 or later. For WebLaunch, use Internet Explorer 6.0 or Firefox 2.0, and enable ActiveX or install Sun JRE 1.4.

Windows Versions

- Windows Vista—32- and 64-bit Microsoft Windows Vista SP2 or Vista Service Pack 1 with KB952876.
- Windows XP SP2 and SP3.
- Windows 2000 SP4.

Windows Requirements

- Pentium class processor or greater.
- x64 or x86 processors on Windows XP and Windows Vista.
- 5 MB hard disk space.
- RAM:
  – 128 MB for Windows 2000.
  – 256 MB for Windows XP.
  – 512 MB for Windows Vista.
- Microsoft Installer, version 3.1.

Linux

The following sections show the Linux distributions and requirements.

Linux Distributions

AnyConnect supports Linux Kernel releases 2.4 and 2.6 on 32-bit architectures, and 64-bit architectures that support biarch (that is, that run 32-bit code).

The following Linux distributions follow the requirements and work with the AnyConnect Client:

- Ubuntu 7 and 8 (32-bit only).
- Red Hat Enterprise Linux 3 or 4. (As of publication, we have not tested AnyConnect with Red Hat Linux 5.)
- Fedora Core 4 through 9. To use Fedora 9 with the AnyConnect client, you must first install Sun Microsystems JRE, preferably JRE 6, Update 5 or higher.

- Slackware 11 or 12.1.
- openSuSE 10 or SuSE 10.1.

Linux Requirements

- x86 instruction set.
- 32-bit or biarch 64-bit processor—standalone mode only; web-based install/connect is not supported.
- 32 MB RAM.
- 20 MB hard disk space.
- Superuser privileges.
- libstdc++ users must have libstdc++ version 3.3.2 (libstdc++.so.5) or higher, but below version 4.
- Firefox 2.0 or later with libnss3.so installed in /usr/local/lib, /usr/local/firefox/lib, or /usr/lib. Firefox must be installed in /usr/lib or /usr/local, or there must be a symbolic link in /usr/lib or /usr/local called firefox that points to
