You are configuring VPN access for Cisco AnyConnect clients. You finish the configuration by establishing a fail open policy.
Which of the following is true of AnyConnect clients that fail to establish a VPN session? (Select the best answer.)
- They are granted full access to the local network, but without security.
- They are granted full access to the local network, including security.
- They are denied full network access, except for local resources.
- They are denied full network access, including local resources.
Cisco AnyConnect clients that fail to establish a virtual private network (VPN) session under a fail open policy are granted full access to the local network, but without the security provided by the Cisco AnyConnect VPN service. Connect failure policies are typically applied when the Cisco AnyConnect always-on feature is configured. The always-on feature enables Cisco AnyConnect clients to establish a VPN session automatically whenever the client detects that the host is connected to an untrusted network. For example, a laptop that is used both on a corporate LAN and for remote work might be configured to automatically connect to the corporate VPN whenever the laptop is not directly connected to the corporate LAN. However, any number of problems could prevent the client from actually establishing a connection to the VPN.
There are two types of connect failure policies that you can enable for Cisco AnyConnect always-on clients. The fail open policy allows the client to complete a connection to the local network for access to the Internet or local resources. However, because a VPN session has not been established, the security of the AnyConnect device that is connected to the remote network could be compromised.
The fail closed policy, on the other hand, prevents all network access from the Cisco AnyConnect client except to local devices and devices that are available by using split tunneling. This extra layer of security could prevent the user from accessing the Internet and thus could compromise productivity if the user relies on Internet access to complete work-related tasks. Because the fail closed policy is so restrictive, Cisco recommends implementing it by using a phased approach that includes initially implementing fail open and surveying user activity for AnyConnect issues that might prevent seamless connections.
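During a phased rollout it helps to know which policy each deployed profile actually carries. The following audit sketch is an added example, not code from this page or from Cisco. It assumes the client profile XML expresses these settings as `AlwaysOn` and `ConnectFailurePolicy` elements, and the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile for illustration; not taken from the page.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open</ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""

FINDINGS = {
    "open": "fail open: on VPN failure the host keeps local network access "
            "without VPN protection",
    "closed": "fail closed: on VPN failure access is limited to local devices "
              "and split-tunnel destinations",
}

def _find(parent, name):
    """Return the first descendant whose tag matches name, ignoring namespaces."""
    if parent is None:
        return None
    for el in parent.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return el
    return None

def _value(el):
    """Leading text of an element that may also contain child elements."""
    return (el.text or "").strip().lower() if el is not None else ""

def audit_profile(xml_text):
    """Report the always-on state and connect failure policy of one profile."""
    always_on = _find(ET.fromstring(xml_text), "AlwaysOn")
    if _value(always_on) != "true":
        return {"always_on": False, "connect_failure_policy": None,
                "finding": "always-on is off: connect failure policy not evaluated"}
    policy = _value(_find(always_on, "ConnectFailurePolicy")) or "unspecified"
    finding = FINDINGS.get(policy, "policy not set in profile: confirm the "
                                   "client's effective setting")
    return {"always_on": True, "connect_failure_policy": policy, "finding": finding}

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```
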