06-24-2020 10:04 PM
06-25-2020 05:38 AM
09-01-2020 10:18 AM
Did this ever get resolved? Seeing the same thing on ISE 2.6 and AnyConnect 4.9.
-Are you attempting to rely on ISE CPP to update client software? -YES
-Under your AnyConnect Configuration that gets assigned to CPP result do you have a minimum software required under the deferral section? -NO
-On a machine facing the issue, check this path and let us know if you see anything in there: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader. - YES There is a downloader exe present here.
-Do you have applocker or any other software on your clients that may be preventing the executable from running? - NO
09-01-2020 11:24 AM
So my issue was attempting to provision/upgrade while connected to the VPN via the ISE CPP. Are you attempting to do the same while on an established VPN session? If you take a test client and view the event application logs for AnyConnect you will see some informational logs during the test/upgrade fail that state something along the lines of 'AnyConnect cannot perform the upgrade while connected to the VPN. Please contact your System Administrator'. The issue I had is that while you are on the VPN the upgrade is not going to work so to answer your question we are relying on other mechanisms. I spent a decent amount of time with TAC on this one, and they suggested possibly doing webdeploy via ASA, which will require additional config/testing. Lastly, I can tell you that while on wired/wireless on site (no VPN) the provision/upgrade works as expected. HTH!
04-21-2021 04:15 AM
Not sure if it helps you but I had the same issue with AnyConnect 4.9 and ISE 2.6. I tried various compliance modules that ISE had downloaded but they all failed with a message saying the installer file type is not recognised.
I checked the Cisco site to try to find a Windows version of the compliance module to try to install it manually and found that the ones I was trying to install via ISE weren't on the list of available downloads...so I changed the ISE config to use the latest that was on the Cisco download site (4.3.2099.614) and it worked first time via the ISE CPP.
Not sure if this is by design and some versions are known not to work so have been removed, or if it was just luck, but worth a try.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide