11-03-2017 05:48 AM - edited 02-21-2020 10:37 AM
05-09-2018 08:18 AM
Did you ever figure out a solution to this? We recently created a 4.6 package in ISE for Macs, and even if I set the minimum required version in ISE to 0.0.0 it still prompts the user to update or defer. If you click update, it immediately gives the message "automatic software updates are required but cannot be performed while the vpn tunnel is established", then posture has a red X over it and you are in the posture unknown state. If you click defer a couple of times, then you get connected.
05-25-2018 08:28 AM
I had the same issue with a similar setup. The outside user (and me as a test outside) had an older version of AnyConnect Secure Mobility Client than ISE has installed to push to internal users for VPN. When trying to get the AnyConnect Compliance Module added on from ISE, it first wanted to update the AnyConnect Secure Mobility Client (VPN) and blocked it for some reason. I uploaded the latest AnyConnect webdeploy pkg to the ASA so that would be installed first for outside users trying to get in. (Or they could do it manually if they have access to Cisco software, I suppose.) Having the latest AnyConnect Secure Mobility Client then didn't require updates when VPNing in, and I was able to get the Compliance Module downloaded.
05-25-2018 08:43 AM
Thanks for the reply fampacisco. I ended up implementing a "workaround" where I created a 4.5 package that matched the version that had been previously deployed to Macs using Jamf, so that the user didn't get nagged to upgrade. If they need the 4.6 package, the users can get it from our remediation site, and our deployment team will be pushing an update. I still find it odd that if the user doesn't have the posture module they can get the upgraded client stack through the provisioning portal over VPN... it just doesn't take effect until they disconnect VPN and restart AnyConnect. If they have the posture module installed, they get prompted for the defer/upgrade, and if they click upgrade it fails with the error. Doesn't seem consistent to me.
06-02-2018 11:31 PM - edited 06-02-2018 11:33 PM
This appears to be due to:
Core upgrades are not allowed when ISE is behind ASA (the same AnyConnect version must be configured on both ISE and ASA).
Please try having the same versions of the AnyConnect web/head-end deploy packages on both ASA and ISE. AnyConnect can be configured with defer update settings.
Except for the ISE Compliance Module, all the AnyConnect modules can be deployed from both ASA and ISE. For VPN connections, it generally gives a better user experience when most of the modules are deployed by ASA and only the Compliance Module updates come from ISE.