Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2419
Views
5
Helpful
2
Replies

Anyconnect NAM + ISE Posture + VPN upgrade

matthias.motte
Level 1
Level 1

‎01-24-2021 01:36 PM - edited ‎01-24-2021 02:35 PM

Hi all,

 

I try to upgrade with Kace K1000 Anyconnect from 4.7 to 4.9. modules VPN + NAM + ISE Posture

 

We use this script :

rem # Install 3 packages

msiexec /package anyconnect-win-4.9.05042-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=0 /lvx* anyconnect-win-4.9.05042-core-vpn-predeploy-k9-install-1.log
msiexec /package anyconnect-win-4.9.05042-nam-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-4.9.05042-nam-predeploy-k9-install-1.log
msiexec /package anyconnect-win-4.9.05042-iseposture-predeploy-k9.msi /norestart /passive /lvx* anyconnect-win-4.9.05042-iseposture-predeploy-k9-install-1.log

rem # Reboot
shutdown /r /f /t 120 /d P:04:02

 

Installation is success on many computer but failed for other. We have from one of them NAM connection failed with certificate error.

%NAM-3-ERROR_MSG: %[tid=3948]: Server certificate chain invalid

The configuration is the same from v4.7 to v4.9

The certificat store is the same before and after

No change in ISE / Wireless Controler configuration.

 

The only error that I could link to upgrade is see in DART : anyconnect-nam-win-4.7.4056-k9-driver-64371912021.log

07:43:07.040: Uninstall CSCO_acnamfd
07:43:07.072: INetCfgClassSetup DeInstall failed; error 303139 (0x0004a023)
07:43:07.072: Error while uninstalling nam filter driver 303139 (0x0004a023)
07:43:07.088: Uninstall failed with status 0x0004A023 -- NETCFG_S_STILL_REFERENCED
07:43:07.088: acnaminstfd returned (4A023)

 

What we do not : uninstall before upgrade. Wait between upgrade of each modules.

Do I miss something on deployment process ?

 

If you have same issue how did you workaround or what is the good process step by step of a recommended upgrade by an enterprise software management system (SMS).

 

Thanks all.

Labels:
2 Replies 2

Mohammed al Baqari
Level 11
Level 11

‎01-24-2021 10:27 PM

Hi,

I had something similar before (not due to certs but more driver errors). I
don't think there is a specific procedure for upgrade other than starting
with the core module. All the failures were related to the NAM module due
to different versions of network drivers. Ensure that the users are having
solid connectivity to the server. If you can upgrade the drivers before
starting this will be good to eliminate known bugs.

To restore the services, you need to uninstall AnyConnect all modules and
start with new installation. Such failures corrupted other modules and
reinstalling NAM only didn't work for some clients.

**** please remember to rate useful posts


0 Helpful

hashimwajid1
Level 3
Level 3
In response to Mohammed al Baqari

‎12-19-2021 03:55 AM

Hi Baqari,

 

I also need to upgrade NAM/Anyconnect/Compliance module in existing environment. Anyconnect not in used for VPN as its only used for local wired/wireless users Network Access and Posturing.

 

1- what should be best approach for this upgradation (I mean is there any specific order which I need to follow or I can go randomly)

2- should i upgrade via Client Provisioning policy (I mean create new CPP for Test AD group and under this new test Anyconnect configuration profile I'll call new NAM profile/new Compliance module/new AC package ? )

3- or do you think I can upgrade compliance module at any specific time but Anyconnect and NAM profile has to be upgraded simultaneously ?

4- or all can be upgrade by SCCM at same time?

 

this will be very helpful 

 

Thanks 

0 Helpful
Customers Also Viewed These Support Documents