Getting started with the Cisco AnyConnect VPN Client
Check to see that you are eligible to use the VPN Service
To verify your eligibility for using the Campus VPN service (and other CalNet-authenticated network services), please visit the Network Service Eligibility Report page.
Getting the Software
The AnyConnect VPN Client versions are available here:
When prompted, use your CalNet ID and passphrase to access and save the software package.
More Software Options
- Release Notes for Cisco AnyConnect Secure Mobility Client 2.4 for Android
- Cisco AnyConnect Secure Mobility Client for iPhone and iPad (from the Apple iTunes site)
- Windows troubleshooting tool (DART) (When prompted, use your CalNet ID and passphrase for access.)
- An AnyConnect-compatible alternative for Linux/FreeBSD: Using OpenConnect and Network Manager with UC Berkeley's VPN Service
- To use the OpenConnect port on PC-BSD/FreeBSD, follow the Getting started instructions on the main OpenConnect web site using https://ucbvpn.berkeley.edu as the target server. This has been found to work on PC-BSD 8.x, 9.0 and on FreeBSD 8.x-RELEASE, 9.0-CURRENT.
- Access the 3.0.08057 release files (current version); Release Notes; Admin Guide (When prompted, use your CalNet ID and passphrase for access. For best results, remove any prior Cisco AnyConnect client version before installing a new release version.)
- Access the 3.1.03103 release files (for early adopters and testers); Release Notes; Admin Guide (When prompted, use your CalNet ID and passphrase for access. For best results, remove any prior Cisco AnyConnect client version before installing a new release version.)
Installation and Configuration
Run the downloaded package file to install the VPN client software. The Start before login GINA module for Windows is only needed if you want to establish a VPN session before logging in to your Windows desktop, so that campus resources such as CalNetAD are available at login.
- To configure for the campus VPN service, after you've installed the AnyConnect client, run it to open its main window. On the Connection tab, in the field marked Connect to: enter ucbvpn.berkeley.edu as the hostname. Note: This hostname differs from the hostname used for the previously offered VPN service; please check carefully that you are entering the correct name here. Host-based security software may need to be adjusted for the new VPN software client. For example, older versions of the campus-distributed Symantec Client Security software must be configured to trust the campus VPN concentrator; see more below.
- After you type in the hostname, click the Connect button if necessary to display the Group menu along with prompts for Username and Password. Choose from the 1-Campus_VPN, 2-Campus_VPN_Full_Tunnel, or 3-Library_VPN groups. IPv6-enabled versions of the first two options are also available for use with IPv6 destinations. (For information on what these terms mean, please see the Campus VPN Service page.) Enter your CalNet ID and passphrase, then click the Connect button to log into the VPN. Once you've logged in, make sure you're still able to access the Internet.
- If you are using the Symantec Client Security (SCS) security suite and have not upgraded to a recent version, you may need to add the hostname ucbvpn.berkeley.edu as a trusted network address and to explicitly permit the vpnagent.exe program to make a network connection. This is not necessary for the newer Symantec Endpoint Protection (SEP) security suite, which replaces SCS.
- If you're accessing resources protected by a firewall that restricts access by IP address, you may need to modify (or request a modification to) the firewall rules to allow access via the VPN. The IPv4 subnet for the full-tunnel VPN is 22.214.171.124/23 and the IPv4 subnet for the split-tunnel VPN is 10.136.0.0/23. For the IPv6 Full Tunnel: 2607:f140:800:80::10 - 2607:f140:800:80::2f9. See the Campus VPN Service link below for current information.
- A workaround exists for using the VPN client with OpenAFS on Windows: Use the 2-Campus_VPN_Full_Tunnel profile rather than the 1-Campus_VPN one, or, if using the 1-Campus_VPN profile, change the static IP address for the Microsoft Loopback adapter to, for example, 10.15.254.253 instead of 10.254.254.253 since the latter IP address overlaps with one of the RFC1918 networks defined by the new split tunnel profile.
- Documentation for using Library resources via the campus VPN is available: VPN (Virtual Private Network)
- Cisco AnyConnect VPN Client Release Notes
- Cisco AnyConnect Secure Mobility Client Release Notes
- Cisco AnyConnect VPN Client Documentation
- Cisco AnyConnect Secure Mobility Client Documentation
- Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.0
- AnyConnect VPN Client Troubleshooting Tech Note
- Campus VPN Service
- You may find the client option to Enable local LAN access (if configured) useful for accessing devices on your local network such as a printer. We have reports that this setting has helped to allow proper general operation in some cases, so it may also be worth trying if you are having trouble using the VPN after the typical local firewall-related issues have been eliminated from consideration. Find this option (except on Mac OS X) on the Advanced.../Preferences tab (on versions 2.x, this option is found by using the Preferences button to the right of the Connect to: field on the Connection tab). On Mac OS X, select the Cisco AnyConnect VPN Client/Preferences menu.
- For version 3.x of the AnyConnect Secure Mobility Client for Windows, if the optional Start Before Logon (SBL) feature is not working for you, try adding the example profile file example_sbl_profile.xml from the Attachments to this article into the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile directory (this location is for Windows 7; see the Cisco documentation for the default profile directory locations for other Windows OSes), or edit any existing profile file there as in the provided example. In some cases, removing then reinstalling the SBL module (using the anyconnect-gina-win-3.x-pre-deploy-k9.msi file), or the Secure Mobility Client, or both (always installing the SBL module last), may be needed in addition to the client profile file which enables the SBL feature.
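
For the firewall item above: most firewall allowlists take CIDR prefixes rather than a first-last range, so this added example (not part of the original page) converts the IPv6 full-tunnel range into exact prefixes and reports which VPN pool a source address belongs to. It uses the subnet values as printed on this page; the function names `v6_pool_prefixes` and `vpn_pool` are made up for the example.

```python
import ipaddress

# Values as printed in the firewall item on this page.
# The full-tunnel IPv4 value has host bits set as printed, so strict=False
# normalises it to its enclosing /23 instead of raising ValueError.
FULL_TUNNEL_V4 = ipaddress.ip_network("22.214.171.124/23", strict=False)
SPLIT_TUNNEL_V4 = ipaddress.ip_network("10.136.0.0/23")
FULL_TUNNEL_V6_FIRST = ipaddress.ip_address("2607:f140:800:80::10")
FULL_TUNNEL_V6_LAST = ipaddress.ip_address("2607:f140:800:80::2f9")


def v6_pool_prefixes():
    """Smallest list of CIDR prefixes covering exactly the IPv6 range."""
    return list(ipaddress.summarize_address_range(
        FULL_TUNNEL_V6_FIRST, FULL_TUNNEL_V6_LAST))


def vpn_pool(source):
    """Return the VPN pool a source address belongs to, or None."""
    addr = ipaddress.ip_address(source)
    if addr in SPLIT_TUNNEL_V4:
        return "split-tunnel"
    if addr in FULL_TUNNEL_V4:
        return "full-tunnel"
    # A range that is not prefix-aligned needs several prefixes to match it
    # exactly; a single wider prefix would admit non-VPN addresses.
    if any(addr in net for net in v6_pool_prefixes()):
        return "full-tunnel-ipv6"
    return None


if __name__ == "__main__":
    print("IPv6 full-tunnel range as allowlist prefixes:")
    for net in v6_pool_prefixes():
        print(" ", net)
    # Constructed sample source addresses, not taken from real logs.
    for src in ("10.136.1.20", "10.136.2.1",
                "2607:f140:800:80::2f9", "2607:f140:800:80::2fa"):
        print(src, "->", vpn_pool(src))
```

Check the printed prefixes against the Campus VPN Service page before putting them into a rule set, since the page directs readers there for current values.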