Anyconnect upgrade via ISE

Hi Experts

We have Remote Access VPN configured on the ASA (9.8), which is authenticated and authorized by the ISE (2.6) with posture enabled. Now we'd like to upgrade AnyConnect (4.8) to 4.10 on the end users' PCs.

1. Can users download or upgrade AnyConnect automatically when connecting to the VPN, or does it need to be pushed via SCCM?

2. If yes, do they require admin privileges for the upgrade to happen?

3. I've seen that the current AnyConnect image is uploaded to the ASA as well as to the ISE. Why do we need to upload it on both devices?

4. Which device is the head-end here? Is it the ASA or the ISE?

Thanks in advance

 

17 Replies

Mike.Cifelli
VIP Alumni

Yes, your option is another way to accomplish the same end goal.  In your scenario you would be migrating AD users between the two.  If you wish to not move users in AD then you have the option I provided.  

On ISE:-

Upload the new image and create a new AC configuration (no software deferral)

--If using your method, yes.  If using my suggested method you need to allow software deferral automatically

On ASA:-

anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 2

--Correct, until you are ready to force ASA webdeploy upgrades.

Thanks for the assistance. Much appreciated.

Final one on this thread, what if we force the upgrade to everyone by changing the path in ASA. Considering 1500 users are there, will there be any latency on the ASA/ISE? Will it be able to support the traffic load?

The ASA is a 5555 model and the ISE is a small-license virtual box.

Mike.Cifelli
VIP Alumni

Final one on this thread, what if we force the upgrade to everyone by changing the path in ASA. Considering 1500 users are there, will there be any latency on the ASA/ISE? Will it be able to support the traffic load?

-You should be totally fine for two reasons:

1. Not all clients will VPN at the exact same point in time, and changing the order does not force already connected clients to upgrade.  It is on the next connection they will upgrade.

2. The upgrade is not performed from ASA-->Client.  The vpndownloader.exe will download the package from the ASA to the client and then the upgrade will be performed locally on each client.

This breaks down the AnyConnect piece: Understanding ASA AnyConnect Webdeploy (learnitwithcifelli.com)

HTH!
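Added example, not part of any post in this thread: a small Python check that reads `anyconnect image` lines like the ones quoted above and reports, per platform, which package version the ASA would web-deploy on the next connection and whether a newer one is only staged. It assumes the ASA serves the lowest-numbered package that matches the client's OS; the function names and the second sample config are constructed for illustration.

```python
import re

# Matches lines like: anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 2
IMAGE_RE = re.compile(
    r"^\s*anyconnect image \S*?anyconnect-(?P<plat>[a-z0-9-]+?)-"
    r"(?P<ver>\d+(?:\.\d+)+)-webdeploy-k9\.pkg\s+(?P<order>\d+)\s*$"
)

# STAGED is the pair of lines quoted in the thread. FORCED is constructed:
# the same packages with the order swapped, modelling the forced upgrade.
STAGED = """
anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 2
"""
FORCED = """
anyconnect image disk0:/anyconnect-win-4.10.00093-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 2
"""

def parse_images(config_text):
    """Return (order, platform, version_tuple, version_string) per image line."""
    images = []
    for line in config_text.splitlines():
        m = IMAGE_RE.match(line)
        if m:
            ver = m.group("ver")
            # Compare versions numerically: as strings, "4.9" sorts above "4.10".
            vt = tuple(int(part) for part in ver.split("."))
            images.append((int(m.group("order")), m.group("plat"), vt, ver))
    return images

def webdeploy_plan(config_text):
    """Per platform: version served (assumed: lowest order wins) and newest staged."""
    plan = {}
    for order, plat, vt, ver in sorted(parse_images(config_text)):
        e = plan.setdefault(plat, {"served": (vt, ver), "newest": (vt, ver)})
        if vt > e["newest"][0]:
            e["newest"] = (vt, ver)
    return {
        plat: {"served": e["served"][1], "newest": e["newest"][1],
               "forced": e["served"][0] == e["newest"][0]}
        for plat, e in plan.items()
    }

if __name__ == "__main__":
    for name, cfg in (("staged", STAGED), ("forced", FORCED)):
        print(name, webdeploy_plan(cfg))
```

Running it against the output of `show run webvpn` before and after reordering confirms which package new connections will receive.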