12-14-2021 11:24 AM
I have tried to find an answer to my issue but have failed to do so.
Originally I had Anyconnect 4.9.06037 installed and working fine on my system.
I am setting up ISE Posture for a client for the first time. This is for an FTD deployment but I don't think that part is relevant.
I configured all the required items on ISE and in the FMC and deployed the configuration to the FTD.
Upon first connection to the FTD the expected behavior occurred. Opening a browser I was redirected to the provisioning portal and displayed the start button. After the 10 second countdown as expected, it failed to detect the compliance module and thus I was directed to download and install the module. In this case the latest was provisioned on ISE. (4.3.2503.6145). My workstation went through the install process, but the module was not detected by the script. I disconnected and reconnected and was directed through the same process. There was no compliance module tagged onto the bottom of the Anyconnect window either. Looking through services I did not see the service running.
I then decided to direct install the module after downloading from software downloads. First it complained that the same version was already installed. After uninstalling and reinstalling I got the same result. Service not running, nothing tagged onto the Anyconnect window. My version was 4.9.06037, installed from a .pkg file on our company ASA head end.
Well ok, I bite the bullet and downloaded the only available version from software download of Anyconnect. 4.10.04065.
Tried to install the ISE Posture module from the zip file and it complained about my installed version of Anyconnect. I had to install Anyconnect 4.10.04065 first. I did that and then installed the posture module. After that everything looks normal. Service is running and System Scan module is tagged onto the bottom of the Anyconnect window. I connected to the FTD and the scan ran, giving me access to the network as expected.
There is my story.
If anyone has any insight into this issue I would love to hear from you.
Customer desires to use a slightly older version than I had 4.9.0.00086. I will test with their system sometime soon to see if the behavior is with my machine or some interaction with the existing Anyconnect install that is failing.
Thanks.
12-15-2021 05:36 AM
Sharing some info/answering a few of your concerns:
After the 10 second countdown as expected, it failed to detect the compliance module and thus I was directed to download and install the module. In this case the latest was provisioned on ISE. (4.3.2503.6145).
-Sounds like normal behavior based on how you have ISE CPP and onboarding setup for the environment.
Service not running, nothing tagged onto the Anyconnect window. My version was 4.9.06037, installed from a .pkg file on our company ASA head end.
-I would strive to upgrade all clients via the ASA webdeploy method since you seem to have the working already.
Tried to install the ISE Posture module from the zip file and it complained about my installed version of Anyconnect. I had to install Anyconnect 4.10.04065 first. I did that and then installed the posture module.
-Normal behavior and expected.
Customer desires to use a slightly older version than I had 4.9.0.00086.
-I would strongly advise the customer to run a later version of AC. That version is old and there are several security advisories against it.
Take a look at the following:
Cisco AnyConnect ISE Posture Windows Support Charts for Compliance Module v4.3.2503.6145 - Cisco
Cisco AnyConnect Secure Mobility Client - Security Advisories, Responses and Notices - Cisco
HTH!
12-15-2021 07:09 AM
Thanks, that info is not really helpful.
Over the next few days I am going to try several permutations of this.
So far anyconnect-win-4.3.2503.6145-isecompliance-predeploy-k9.msi or the .pkg file on ISE will not install properly on either 4.10.04065 or 4.9.06037 client. It shows up in the App & Features list and the Programs and Features from the control panel but the service is not present in Services.
This module anyconnect-win-4.10.04065-iseposture-predeploy-k9.msi is successful to install on 4.10.04065.
The underlying version in the 4.10 msi file is still 4.3.2503.6145.
The anyconnect module on ISE is also 4.9.0.00086. I will be discussing with the client about the version they desire to use. They made me aware that this version also has issues with auto upgrade from ASA. Not sure what version most of their client base is.
Stay tuned as I work through this. For me the easiest approach is to use the available version
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide