cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
313
Views
1
Helpful
1
Replies

AnyConnect and Compliance Module Versions (ISE vs Clients)

aputra
Level 1
Level 1

Hello Experts,

I recently encountered an issue with AnyConnect and Compliance Module upgrades.

We had ISE AnyConnect configured with 4.9 package and Compliance Module 4.3.1x.x with no options to defer either one.

Clients side were pre-deployed with AnyConnect 4.10 and Compliance Module 4.3.3x.x

The client then failed at Compliance Module download. We downgraded only the Compliance Module in the client side to 4.3.1x.x and it worked.

I read in another discussion that says Compliance Module in ISE needs to be the same as or higher than client side which explains why it worked after the downgrade since it matches ISE's.

However, it seems that for AnyConnect there is no problem if client version is higher. Is this a correct statement or am I missing something?

Thank you in advance,

Ario

 

1 Reply 1

Hi @aputra ,

 at Policy > Policy Elements > Results > Client Provisioning > Resources > select the Resource with Type = AgentConfig / AnyConnectionConfig.

The Deferred Updates options are: Allowed for AnyConnect Software & Allowed for Compliance Module, if set to YES, the End User can defer the update of AnyConnect & Compliance Module (respectively) as long as they already meet the minimum version in the Version Required option.

Remember that:

"...

  • The version of the AnyConnect package on the headend is compared to the version on the Client to determine if the software should be updated.

    • If the version of the AnyConnect package is older than the version on the Client, no software updates occur.

    • If the version of the AnyConnect package is the same as the version on the Client, only Software Modules that are configured for download on the headend and not present on the Client are downloaded and installed.

    • If the version of the AnyConnect package is newer than the version on the Client, Software Modules configured for download on the headend, as well as Software Modules already installed on the Client, are downloaded and installed.

..."

and

"...

  • Allow Compliance Module Updates From Any Server:

    • If this option is checked, the Compliance Module is updated when the Compliance Module on the headend is different than the one on the Client.

    • If this option is not checked, the Compliance Module is not updated.

..."

Please take a look at: Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.0, search for Authorized Server Update Policy Behavior and Unauthorized Server Update Policy Behavior.

 

Hope this helps !!!