Re: Anyconnect Upgrade - Phased Approach

Srinivasan Nagarajan · ‎07-15-2021

Hi Experts

We've Remote Access VPN configured on the ASA (9.8) which is authenticated and authorized by the ISE (2.6) with the posture enabled. Now we'd like to upgrade the Anyconnect (4.8) to 4.10 on the end-users PC.

Anyconnect images are being configured on the ASA as well as in the ISE (Client Provisioning Policy).

Changing the Image on ASA under Webvpn, believe would be performing upgrad for everyone. Considering the Pandemic, We'd like to upgrade the Anyconnect (in addition to DART) in a PHASED approach.

Can someone please assist, if Anyconnect upgrade can be done in a Phased approach and the method of doing it?

Thank you in advance.

Marvin Rhoads · ‎07-19-2021

When you upgrade from the ASA (or from ISE CPP), it applies to all users.

Only a separately managed software deployment (e.g., pushing using a product like SCCM or Landesk etc.) can target some clients and not others.

For my customers who don't have a separate product or system to deploy software, I recommend a manual install on a few representative systems to assuage their concerns. 98%+ of the time an AnyConnect upgrade doesn't cause any issues.

Srinivasan Nagarajan · ‎07-19-2021

Thanks @Marvin Rhoads for taking your time in replying to this.

I'm planning to install via SCCM by leveraging other conditions (AD groups) on ISE to control the Anyconnect upgrade to a set of users and not for everyone.

So those specific AD group users would be installed with the AC-4.10 (new) and rest all fallback users would continue authenticating via AC-4.8 (existing)

As ASA is the head end device and ISE is residing behind the ASA, not sure whether this would work?

If yes, what would be the OS order (for Windows) on ASA to accommodate both the 4.8 and 4.10 for the phased approach?

Can you please assist? Thanks in advance.