
Pocket Guide for AnyConnect* VPN

How to use and troubleshoot AnyConnect* VPN

Using AnyConnect* VPN product


The AnyConnect* VPN product consists of two building blocks:

1) Cisco AnyConnect* VPN client: Replaces Intel NetStructure VPN client.
2) Certificate-based user authentication with Remote Access password: Replaces RSA SoftID token.

AnyConnect* VPN replaces only the above tools. Other remote connectivity tools, such as connection managers (iPass*) and LAN and WLAN drivers, will not be replaced.

The AnyConnect* VPN client and certificate-based user authentication will work only from the public Internet (not from inside an Intel campus or from Intel guest Internet access) and only after a valid IP is acquired by the LAN\WLAN network adapters.

Launch AnyConnect* VPN

Double-click the Cisco AnyConnect VPN Client icon on your desktop, or select Start -> All Programs -> Cisco -> Cisco AnyConnect VPN Client.

Get Connected

After launching, AnyConnect will try to connect to the same tunnel as the last successful connection (after installation, the default tunnel is Intel Network). Using the Intel Network tunnel is recommended because it load balances and connects you to the best tunnel location available from your location.

When prompted for your remote access password, type it in the password field. Make sure your full Intel email address is listed in the username field and click the Connect button.

If you are using the Intel Network tunnel and would like to know the location to which you are connected, use the Connection Status utility available in the Cisco AnyConnect VPN Client folder. After you successfully connect to Intel, run the Connection Status utility; a pop-up screen will show the currently connected location.

To manually connect to a specific location:

o Disconnect by clicking the Disconnect button.
o Wait a couple of seconds for a proper tunnel closure.
o Select the location you want to connect to from the drop-down box.
o Click the Connect button.

The duration of an AnyConnect session is set to a maximum of two days after the connection is established. During this time your VPN connection will be maintained. When the session expires you will need to reconnect and re-authenticate using your password.

During the connection process the Cisco AnyConnect* VPN client will automatically check for updates. If new VPN client software or new VPN client profiles are released, they will be installed down-the-wire, keeping your client up to date.

Disconnect

Auto-reconnect mode allows you to reconnect automatically to Intel once a public IP is identified. AnyConnect switches to auto-reconnect mode when a connection is ungracefully disconnected (for example, when the machine enters suspend mode while the VPN is connected). In this mode AnyConnect will try to resume the connection indefinitely. Once a public IP is identified, the VPN connection will be resumed automatically.

To disconnect, right-click the AnyConnect icon in your system tray and select Disconnect.

The AnyConnect preferences Button

Connect On Start-Up: if this option is checked and the client is launched, it will attempt to connect to the last location the user successfully connected to. If it is not checked, the user needs to manually click the Connect button (after selecting the desired location).

Minimize on connect: if this option is checked, once a connection has been established, the AnyConnect window will minimize itself to the system tray. If it is not checked, the window will remain maximized.

Enable local LAN access (if configured): this option allows the client to communicate unencrypted only with devices on their local LAN. For example, a user who is connected from home is able to print to his home printer, but not access the Internet without first sending the traffic over the VPN tunnel. Note: When this option is checked, you cannot print or browse by name on the local LAN. However, you can browse or print by IP address. If this option is not checked, all traffic is encrypted and tunneled.

Auto-reconnect: if the network connectivity is disrupted or lost (or if the system goes into standby or hibernate), the AnyConnect client goes into reconnecting mode where it will automatically resume connectivity once the network becomes available again. If this option is not checked, the user has to manually reconnect by clicking the Connect button.

The AnyConnect Task bar icons

o Disconnected
o Connected
o Client executing the disconnection process
o Auto-reconnect mode (client will automatically resume connectivity when connected to the internet)

Troubleshooting
Getting "Connection attempt has failed (timeout)" or "Connection attempt has failed: Host is unreachable"?

The AnyConnect VPN client uses a DNS name rather than an IP address when establishing connections. Potential scenarios that cause a failure to connect to Intel, followed by the "Connection attempt has failed (timeout)" or "Connection attempt has failed: Host is unreachable" error messages, are:

o Failure to connect to the internet from the public internet (home, hotel, cafe, etc.)
o Trying to connect from within an Intel campus
o Trying to connect from the Intel guest network

Follow the procedure below to resolve this connectivity issue.

Important: AnyConnect* VPN will not work from within an Intel campus (LAN or WLAN). Only use AnyConnect* VPN from the public internet.

Step 1

Validate that you are not connected from within an Intel campus (including the guest network) and that you have internet connectivity. This can be done by opening a web browser and trying to reach http://www.intel.com.

While connected to the internet, validate that you are able to resolve DNS names. This can be done with the following steps:

1. Click Start -> Run -> type cmd -> press Enter.
2. Type nslookup scsfm.intel.com -> press Enter.
3. Validate that you are getting the following resolution: 192.55.54.19

Failing to succeed in the above might indicate you have no valid internet connection.

If you have a valid internet connection: Manually choose the closest site to where you are currently located (e.g. AMR Folsom CA) from the Connect List and avoid using the Intel Network tunnel for this location.
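
The DNS check from Step 1, as an added example (not part of the original guide): a Python helper that reads saved `nslookup scsfm.intel.com` output and compares the answer section, not the resolver's own address at the top, with the address the guide lists. The function names, sample outputs, resolver name and non-guide addresses are constructed for illustration.

```python
import re

EXPECTED_NAME = "scsfm.intel.com"  # name given in the guide
EXPECTED_IP = "192.55.54.19"       # resolution the guide says to expect
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def answer_addresses(nslookup_output):
    """Addresses from the answer section only (lines after 'Name:').
    The 'Server:'/'Address:' pair at the top is the resolver itself."""
    addrs, in_answer = [], False
    for line in nslookup_output.splitlines():
        if line.strip().lower().startswith("name:"):
            in_answer = True
        elif in_answer:
            addrs += IPV4.findall(line)
    return addrs

def check_dns_step(nslookup_output, expected_ip=EXPECTED_IP):
    """Classify one nslookup run: 'ok', 'no-resolution' or 'unexpected-address'."""
    addrs = answer_addresses(nslookup_output)
    if not addrs:
        return "no-resolution"  # per the guide: may mean no valid internet connection
    return "ok" if expected_ip in addrs else "unexpected-address"

# Constructed sample outputs (resolver name and 203.0.113.x / 198.51.100.x are placeholders).
SAMPLE_OK = """Server:  resolver.example.net
Address:  203.0.113.53

Non-authoritative answer:
Name:    scsfm.intel.com
Address:  192.55.54.19
"""
SAMPLE_FAIL = """Server:  resolver.example.net
Address:  203.0.113.53

*** resolver.example.net can't find scsfm.intel.com: Non-existent domain
"""
SAMPLE_OTHER = """Server:  resolver.example.net
Address:  203.0.113.53

Name:    scsfm.intel.com
Address:  198.51.100.7
"""

if __name__ == "__main__":
    for label, text in [("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL), ("other", SAMPLE_OTHER)]:
        print(label, "->", check_dns_step(text))
```

An "unexpected-address" result means the name resolved, but not to the address the guide lists, so Step 1 has not passed.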

How to change the remote access password

Follow the procedure below to change your remote access password. This can be done while you are at an Intel campus or connected remotely over VPN. The new password will be valid from your next connection.

1. Browse to https://vpnpass.intel.com
2. Login with username (e-mail address) and old remote access password.
3. Create a new remote access password and click Submit.

What happens if you forget your remote access password?

Remote access password reset requires reset of the password on the backend by ISD. You will need to contact the Service Desk (ISD) for assistance.

1. Call ISD and identify yourself by answering the BIO questions.
2. ISD resets the remote access password and provides you with a temporary password.
3. Browse to https://vpnpass.intel.com
4. Login with your username (e-mail address) and the temporary password.
5. Create a new password and click Submit.

How to resolve remote access issues while away from an Intel campus

The procedures below outline the different scenarios of supporting remote access issues when you are unable to visit an Intel site.

Certificate corrupted on machine


1. Call ISD and identify yourself by answering the BIO questions.
2. ISD grants you remote access remediation permissions. You'll need to wait ~10min for full replication.
3. Login to remediation tunnel with AnyConnect client.
4. Browse to http://pki.intel.com
5. Download a certificate by selecting Request a certificate Intel Remote Access Two.
6. Disconnect and run the following command from Start -> Run:

   del "C:\Documents and Settings\<idsid*>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml"

   In Vista:

   del "C:\Users\<idsid*>\AppData\Roaming\Cisco\Cisco AnyConnect VPN Client\preferences.xml"

   * <idsid> = Enter your IDSID in this field instead

7. ISD removes your remote access remediation permissions.
8. Connect to Intel network tunnel.

VPN client corrupted on machine


1. Browse to remediation site and download AnyConnect VPN client (http://www.intel.com/emergency/it/VPN.htm)
2. Run the AnyConnect VPN client installer.
3. Disconnect and run the following command from Start -> Run:

   del "C:\Documents and Settings\<idsid*>\Application Data\Cisco\Cisco AnyConnect VPN Client\preferences.xml"

   In Vista:

   del "C:\Users\<idsid*>\AppData\Roaming\Cisco\Cisco AnyConnect VPN Client\preferences.xml"

   * <idsid> = Enter your IDSID in this field instead

4. Connect to Intel network tunnel.