Protocols

Cisco AnyConnect

Cisco AnyConnect VPNs utilize TLS to authenticate and configure routing, then DTLS to efficiently encrypt and transport the tunneled VPN traffic, and can fall back to TLS-based transport where firewalls block UDP-based traffic. The DTLS protocol used by Cisco AnyConnect servers was based on a non-standard, pre-release draft of DTLS 1.0, until support for the DTLS 1.2 standard was added in 2018. OpenConnect's implementation of the AnyConnect protocol is sufficiently complete that some of Cisco's own IP phone devices embed a very old release of OpenConnect (rather than Cisco's own proprietary software) in order to be able to connect to Cisco SSL VPNs. As of 2013, the OpenConnect project also offers an AnyConnect-compatible server, ocserv, and thus offers a full client-server VPN solution. Both OpenConnect and ocserv strive to maintain backwards-compatibility with Cisco AnyConnect servers and clients. OpenConnect and ocserv now implement an extended version of the AnyConnect VPN protocol, which has been proposed as an Internet Standard.

DTLS

Cisco's proprietary AnyConnect clients and servers were originally built against a patched, 2007 release of OpenSSL 0.9.8f, which implemented a pre-release version of DTLS that was not compatible with DTLS 1.0 as standardized in RFC 4347. Because of this, it was difficult to make OpenConnect implement a Cisco-compatible version of DTLS without linking against OpenSSL. Explicit support for Cisco's non-standard version of DTLS was included in OpenSSL 0.9.8m (where it is known as DTLS1_BAD_VER) and then GnuTLS 3.2.1 (where it is known as GNUTLS_DTLS0_9). Modern versions of OpenConnect can be built to use either GnuTLS or OpenSSL for TLS, DTLS, and cryptographic primitives. Newer versions of Cisco's AnyConnect clients and servers support DTLS 1.2 in its standardized on-the-wire form (RFC 6347), though they continue to use a non-standard mechanism (based on session resumption) for DTLS key exchange.

Issue the show ip interface brief command. If any of the interfaces are up, then enter this interface and issue the shutdown command, followed by the no shutdown command. If the port is still showing down/down status, then check the cable or replace it with a good straight-through cable. As an alternative, connect the PC into a different port, in case the port is faulty. If you are able to ping the switch but still cannot access it through the CNA, choose Connect To in the Connect window, and enter the IP address of the switch in the area next to Connect To (the IP address of the interface VLAN that is up/up in the output of the show ip interface brief command). With this, you should be able to access it, and a new window displays a little drawing of a switch. If you are now unable to access the switch through the CNA, but you are able to ping it, upgrade the software version of your switch to the latest maintenance release. For further assistance and support, please open a case with Cisco Technical Support.