When You're Unaware of a Problem, You Could Be Missing More Than You Realize
Cisco AnyConnect 'Host Scan' Tech Tip
The Cisco AnyConnect Secure Mobility Client has a feature called Host Scan that identifies the operating system, anti-virus, anti-spyware, and firewall software installed on the computer it is running on. Many of our clients enable Host Scan for basic posture validation when a VPN client connects.
The Cisco ASA enforces a default limit of 200KB on the amount of data it will accept from any AnyConnect client. In this situation, that data transfer is the AnyConnect client uploading its Host Scan results to the ASA.
If the AnyConnect client's Host Scan upload exceeds this 200KB limit for any reason, the client gets stuck in a loop: it scans, attempts the upload, fails, and starts over.
Rinse and repeat...you get the idea.
This prevents the VPN tunnel from ever establishing, so the AnyConnect user simply experiences a failed connection.
We have found that the most common cause of exceeding the ASA's default data transfer limit is a client computer with a large number of certificates installed.
I had approximately 2.7MB of certificate data on my computer (clearly larger than the ASA's 200KB data transfer limit).
Once I deleted my old, unused, expired certificates, my AnyConnect client's Host Scan upload was comfortably under the ASA's 200KB default limit.
Further research indicates that both Windows and Mac OS X can hit this AnyConnect data size issue when certain applications flood the computer's certificate store with a large number of certificates.
What is the recommended solution?
We have two recommendations to resolve this, and you may choose to do both.
1. Raise the default data transfer limit on the ASA appliances from 200KB to a larger value (this does not involve touching remote computers).
Cisco ASA config snippet
2. Coach help desks and users to delete the unused certificates that accumulate in their operating system's certificate store over time.
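Before a help desk starts deleting certificates, it helps to measure the problem. The following PowerShell script is an added example for recommendation 2 and is not part of the original tech tip or any Cisco tool: it totals the DER size of the certificates in the current user's Windows stores, compares that to the 200KB default limit described above, and lists expired certificates as removal candidates. The store list and the use of raw DER size as a stand-in for the Host Scan upload are this example's assumptions, not documented Cisco behaviour; nothing is removed unless `-RemoveExpired` is given, and `-WhatIf` previews the removals.

```powershell
<#
  Added example (not from the original tech tip or from Cisco).
  Audits the current user's certificate stores against the ASA's default
  200KB Host Scan data limit and lists expired certificates.
  Assumptions: the store names below and summing RawData (DER bytes) as a
  proxy for the Host Scan upload size are this example's choices.
  Requires the Cert: drive, i.e. PowerShell on Windows.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$LimitBytes = 200KB,   # ASA default from the tech tip (204800 bytes)
    [string[]]$Stores = @('My', 'CA', 'Root', 'AuthRoot', 'TrustedPeople', 'AddressBook'),
    [switch]$RemoveExpired      # off by default: audit only
)

$now        = Get-Date
$totalBytes = 0
$expired    = @()

foreach ($store in $Stores) {
    $path = "Cert:\CurrentUser\$store"
    if (-not (Test-Path $path)) { continue }
    foreach ($cert in Get-ChildItem -Path $path) {
        # RawData is the DER encoding of the certificate
        $totalBytes += $cert.RawData.Length
        if ($cert.NotAfter -lt $now) { $expired += $cert }
    }
}

'Certificate data in CurrentUser stores: {0:N0} bytes (limit {1:N0} bytes)' -f $totalBytes, $LimitBytes
if ($totalBytes -gt $LimitBytes) {
    Write-Warning ('Over the limit by {0:N0} bytes; AnyConnect may loop on the Host Scan upload.' -f ($totalBytes - $LimitBytes))
}

'Expired certificates: {0}' -f $expired.Count
$expired |
    Sort-Object NotAfter |
    Format-Table -AutoSize @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } }, Subject, NotAfter, Thumbprint

if ($RemoveExpired) {
    foreach ($cert in $expired) {
        # ShouldProcess honours -WhatIf and -Confirm
        if ($PSCmdlet.ShouldProcess($cert.Subject, 'Remove expired certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }
}
```

Save it as `Audit-CertStore.ps1`, run it once to see the totals and the expired list, then run `.\Audit-CertStore.ps1 -RemoveExpired -WhatIf` to preview the deletions before committing to them. Expired certificates are the safest candidates because they can no longer validate anything, but review the Root and AuthRoot entries with the user before removing them, and note that the script measures only the user's stores, so it will undercount a machine whose bloat sits in the LocalMachine stores.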