iPad IPSEC Cisco client - Additional route issue

Have you tried connecting with the Cisco iOS app instead of using the native vpn connection, such as Cisco anyconnect? I don't know if these are all current, but here is a list of Cisco apps for the iphone/ipad. http://www.networkworld.com/community/blog/cisco-apps-iphone-and-ipad

same problem here with Mac, iPhone and iPad.

Avatar2000,

Are you using a Cisco ISR or Cisco ATA? For some reason the VPN routes work when I connect to an ATA but not when I connect to an ISR.

Yes I meant ASA. For some reason I had VOIP on my mind....😝

Dear Avatar 2000: Can you share with us the app name and provider information of the network troubleshooting app that you are using to test on the iPad? I have been looking for an app that would do that on the iPad. Unless you meant you used an app that makes use of the current network connectivity proving that the network is indeed working... Many thanks in advance!

AnyConnect runs on ISR routers too. For 870, 1800, 2800, 3800 there are free licenses included, and in fact there is no license enforcement though I'm not suggesting anything. For 890, 1900, 2900, and 3900 series there is license enforcement and ranges from $200 to several thousand depending on number of clients. Just Google the part numbers here to get an idea - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/prod_qa s0900aecd80323cba_ps5854_Products_Q_and_A_Item.html

BTW, the license cost for AnyConnect Essentials on the ASA is dirt cheap. $100 to 200 dollars for 250 - 750 licenses max of respective platform.

AnyConnect is a great client, and SSL makes sense over IPsec from a developer perspective. Licensing is all based on concurrent users. Don't assume because it is Cisco it costs a lot. AnyConnect is a great option, and works great on Macs, Win, Linux, and iOS. Sometime in the future I'd guess Apple would stop bundling IPsec with iOS.

I know you don't have an ASA, but I just want to be clear about the information you've given so no one is misled. The ASA5500-SSL-25 license is a premium license, and with that one gets:

Robust posture assessment capabilities protect the integrity of the corporate network by restricting VPN access based on an endpoint's security posture. Prior to establishing connectivity, a system may be validated for compliance with various antivirus, personal firewall, or antispyware products, and may undergo additional system checks. An advanced endpoint assessment option is available to automate the process of remediating out-of-compliance endpoint security applications.

If one didn't want all that then one wouldn't it, and I didn't. I bought an unlimited anyconnect essentials license and mobile option for my 5520 for no more than $250 USD for both, and unlimited on a 5520 means 250 users since that is the max it can handle. On the Cisco ISR G2 routers, they're quite expensive units and I think licensing is higher.

But as far as the main point of discussion here, the real issue is that though IPsec will be around for years to come in site-to-site and dmvpn scenarios, on clients it is another story especially mobile. Apple collaborated with Cisco on the IPsec client for iOS because of the complexity of IPsec clients and that it had to work to drive iOS acceptance. That it took Now that SSL VPN client software has matured, it is only a matter of time before Apple yanks IPsec VPN from iOS altogether, and I wouldn't be surprised if they aren't as speedy about fixing bugs in the iOS built-in client as they once may have been. SSL VPNs are lighter and easier to install on mobile clients and it is not in Apple or Cisco's interest to support IPsec on the client on all platforms indefinitely (Cisco only grudgingly added Win64 support somewhat recently). It isn't perfect, but installing the client is much easier for our users to do, doesn't require a reboot on Windows or pre-10.6 Macs, and it unifies the experience across all platforms. I'm not even one to jump on the "latest thing" bandwagon normally, but even at the higher ISR router cost to get SSL VPN I'd have done it just from a user support perspective alone. If you can eliminate client support costs then there is a cost savings to me and my users that I factor in.

I found the answer to why SSL VPN is higher for Cisco's ISR routers. They don't support anyconnect essentials on ISR. Interesting.

This is a public discussion, and so it encompasses more than your perspective. But as to your perspective thtat every feature get supported "100%", that isn't a widely shared perspective because it is impossible. If that were true for anything no feature would be more important than any other, not exactly a desirable situation. You've already spent "thousands of dollars" on Cisco gear when you could have had cheaper alternatives, so how you'll explain to your users why you won't now follow the manufacturers upgrade path that also happens to fix their problem because you personally don't benefit from said upgrade and are instead waiting for an undetermined amount of time for a fix that pleases you would be interesting.

I didn't summarize the main point. You're the one trying to do that. Among other things, you claimed anyconnect for ASA cost ~4000 AUD, but I know it is less just for SSL VPN because I bought an unlimited license for that for my ASA for less than $250 even including the mobile add-on needed for iOS. I don't really care if you support iOS or not. I just did it with ease, no disruption, and $250 because I decided a couple of years ago it was better to offload my vpn services onto a separate box to make sure their would be no disruption no matter what I wished to do. I added SSL VPN support while it was being used for IPsec VPN. I didn't buy a 5520, it is overkill for our VPN but I had a used one left over after we upgraded our main firewall so it could handle a larger internet pipe. If I'd had to buy an ASA for VPN, I'd have used a smaller and cheaper ASA (since I've never seen more than 10 concurrent vpn users) and those are surprisingly cheap from Cisco. Have you seen what an ASA 5505 costs? Have your clients told you they aren't willing to pay anything to SSL VPN, or are you making that decision for them since you don't wish to support iOS anyway? And I still don't see what is so great or desirable about a combined user-VPN termination point combined with routing to begin with.

Well, if you're lucky Apple will fix the problem sometime before they pull IPsec support entirely. For the sake of Apple's OS platform, given the future of IPsec mobile (and other) clents, and the leading network vendor's stance on it, I hope that bug isn't anywhere near the top of their list to fix.