Which of the following is true of AnyConnect clients th…

You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy.
Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)

A. They are granted full access to the local network, but without security.

B. They are granted full access to the local network, including security.

C. They are denied full network access, except for local resources.

D. They are denied full network access, including local resources.

Explanation:
Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open policy are granted full access to the local network, but without the security provided by the Cisco AnyConnect VPN service. Connect failure policies are typically applied when the Cisco AnyConnect Always-on feature is configured. The Always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN.

There are two types of connect failure policies that you can enable for Cisco AnyConnect Always-on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised.

The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.

Cisco: Configuring VPN Access: Connect Failure Policy for Always-on VPN
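
As an added example (not from the original page and not Cisco's own code), the following Python script reads an AnyConnect client profile and reports which connect failure policy an Always-on client would apply. The element names and namespace are those of the AnyConnect profile XML as assumed here; the sample profile and the domain corp.example are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # AnyConnect profile namespace

# Constructed sample profile fragment for illustration (not from the page).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open</ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""


def _value(elem):
    """Return an element's own leading text; these elements mix a value with child tags."""
    return (elem.text or "").strip().lower() if elem is not None else ""


def audit_connect_failure_policy(profile_xml):
    """Classify what a client does when the Always-on VPN session cannot be established."""
    root = ET.fromstring(profile_xml)
    auto = root.find(".//ac:AutomaticVPNPolicy", NS)
    always_on = auto.find("ac:AlwaysOn", NS) if auto is not None else None
    if _value(auto) != "true" or _value(always_on) != "true":
        return "not-applicable", "Always-on is not enabled, so no connect failure policy applies."
    policy = _value(always_on.find("ac:ConnectFailurePolicy", NS))
    if policy == "open":
        return "fail-open", "On VPN failure the client keeps local network access without VPN protection."
    if policy == "closed":
        return "fail-closed", "On VPN failure access is blocked except local and split-tunnel devices."
    return "unspecified", "Always-on is enabled but no Open/Closed policy is set; check the profile."


if __name__ == "__main__":
    verdict, detail = audit_connect_failure_policy(SAMPLE_PROFILE)
    print(f"{verdict}: {detail}")
```

Running the audit across deployed profiles during the phased rollout shows which client groups are still on fail open before fail closed is enforced.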


