Posture installation impossible vpn tunnel is established

Akim24836987
Level 1

We have:

ISE: 2.3.0.298
ASA5555 ver 9.7(1)
AnyConnect ver 4.4.0154, VPN module installed only
PC Windows 7

Problem:
- Client establishes VPN connection to ASA
- Client opens a web page that matches the "redirect" ACL on ASA
- ASA redirects the client to the ISE provisioning portal listening on tcp/8443
- Client clicks on the download link
- File anyconnect-ise-nsa-win-4.5.01044_posture.exe is downloaded
- The utility warns about downloading the AnyConnect package
- Then it checks the downloaded update
- Next, as I understand it, it attempts to install, after which the message appears:
"Automatic software updates are required but cannot be performed while the VPN tunnel is established. Contact your system administrator"
- And then the installation is completely rolled back

The question is how to force the NSA to break the connection before trying to install it, or is there another solution?
4 Replies

steveklein
Level 1

Did you ever figure out a solution to this? We recently created a 4.6 package in ISE for Macs and even if I set the minimum required version in ISE to 0.0.0 it still prompts the user to update or defer. If you click update, it immediately gives the message "automatic software updates are required but cannot be performed while the VPN tunnel is established", and then posture has a red X over it and you are in the posture unknown state. If you click defer a couple of times, then you get connected.

 

fmpacisco
Level 1

I had the same issue with a similar setup. The outside user (and me as a test outside) had an older version of AnyConnect Secure Mobility than ISE has installed to push to internal users for VPN. When trying to get the AnyConnect Compliance Module added on from ISE, it first wanted to update the AnyConnect Secure Mobility Client (VPN) and blocked it for some reason. I uploaded the latest AnyConnect webdeploy pkg to the ASA so that would be installed first for outside users trying to get in. (Or they could do it manually if they have access to Cisco software, I suppose.) Having the latest AnyConnect Secure Mobility Client then didn't require updates when VPNing in and it was able to get the Compliance Module downloaded.

steveklein
Level 1

Thanks for the reply fmpacisco. I ended up implementing a "workaround" where I created a 4.5 package that matched the version that had been previously deployed to Macs using Jamf so that the user didn't get nagged to upgrade. If they need the 4.6 package, the users can get it from our remediation site and our deployment team will be pushing an update. I still find it odd that if the user doesn't have the posture module they can get the upgraded client stack through the provisioning portal over VPN... it just doesn't take effect until they disconnect VPN and restart AnyConnect. If they have the posture module installed they get prompted for defer/upgrade, and if they click upgrade it fails with the error. Doesn't seem consistent to me.

hslai
Cisco Employee

This appears due to:

Core upgrades are not allowed when ISE is behind ASA (Same AnyConnect version must be configured on both ISE and ASA.)

Please try having the same versions of AnyConnect web/head-end deploy packages on both ASA and ISE. AnyConnect can be configured with defer update settings.

 

Except for the ISE Compliance Module, all the AnyConnect modules can be deployed from both ASA and ISE. For VPN connections, it generally gives a better user experience when most of the modules are deployed by ASA and only Compliance Module updates are obtained from ISE.
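The fix hslai describes is a version-consistency check: the newest AnyConnect head-end (web-deploy) package per OS on the ASA must equal the one ISE will push, otherwise a posture client behind the ASA gets a core upgrade over the tunnel and fails with the error in this thread. The script below is an added example, not part of this thread and not Cisco tooling, that performs that check on two file listings before you deploy. It assumes the package naming scheme anyconnect-<os>-<major>.<minor>.<build>-webdeploy-k9.pkg (derived from the file names quoted in the thread) and uses constructed sample listings modelled on the versions the original poster reported (ASA at 4.4, ISE at 4.5); substitute the output of dir disk0: on the ASA and the ISE client provisioning resource names for your own environment.

```python
"""Compare AnyConnect head-end (web-deploy) package versions on an ASA with
those in ISE client provisioning, per OS.

Added example for this thread. The package-name pattern is an assumption
about Cisco's naming scheme; the two listings at the bottom are constructed
sample data, not real ASA or ISE output."""
import re

# Assumed naming scheme, e.g. anyconnect-win-4.6.03049-webdeploy-k9.pkg
PKG_RE = re.compile(
    r"^anyconnect-(?P<os>win|macos|linux-64|linux)-"
    r"(?P<ver>\d+\.\d+\.\d+)-webdeploy-k9\.pkg$"
)


def parse_version(text):
    """'4.5.01044' -> (4, 5, 1044); tuples compare correctly as versions."""
    return tuple(int(p) for p in text.split("."))


def fmt_version(ver):
    """Print a version tuple with the 5-digit zero-padded build AnyConnect uses."""
    return f"{ver[0]}.{ver[1]}.{ver[2]:05d}"


def parse_package(name):
    """Return (os, version tuple) for a web-deploy package, else None.
    Other files (Compliance Module, NSA, DART, Hostscan) are ignored on purpose:
    only the head-end client package triggers a core upgrade."""
    m = PKG_RE.match(name.strip())
    if not m:
        return None
    return m.group("os"), parse_version(m.group("ver"))


def newest_per_os(names):
    """Highest web-deploy version present for each OS in a file listing."""
    newest = {}
    for name in names:
        parsed = parse_package(name)
        if parsed is None:
            continue
        os_name, ver = parsed
        if ver > newest.get(os_name, (0, 0, 0)):
            newest[os_name] = ver
    return newest


def find_mismatches(asa_files, ise_files):
    """Report every OS whose newest head-end package differs between ASA and ISE.
    Any difference violates 'same AnyConnect version on both'; 'ise-newer' is
    the case from this thread, where ISE attempts a core upgrade over the VPN."""
    asa, ise = newest_per_os(asa_files), newest_per_os(ise_files)
    problems = []
    for os_name in sorted(set(asa) | set(ise)):
        a, i = asa.get(os_name), ise.get(os_name)
        if a is None or i is None:
            problems.append({"os": os_name, "kind": "missing", "asa": a, "ise": i})
        elif a != i:
            kind = "ise-newer" if i > a else "asa-newer"
            problems.append({"os": os_name, "kind": kind, "asa": a, "ise": i})
    return problems


def report(problems):
    """Human-readable lines, one per problem."""
    lines = []
    for p in problems:
        a = fmt_version(p["asa"]) if p["asa"] else "none"
        i = fmt_version(p["ise"]) if p["ise"] else "none"
        lines.append(f"{p['os']}: ASA={a} ISE={i} ({p['kind']})")
    return lines or ["all head-end packages match"]


# Constructed sample listings modelled on the versions quoted in this thread.
ASA_DISK0 = [
    "anyconnect-win-4.4.00154-webdeploy-k9.pkg",
    "anyconnect-macos-4.6.03049-webdeploy-k9.pkg",
    "anyconnect-dart-win-4.4.00154-k9.msi",      # not a head-end package
]
ISE_RESOURCES = [
    "anyconnect-win-4.5.01044-webdeploy-k9.pkg",
    "anyconnect-macos-4.6.03049-webdeploy-k9.pkg",
    "anyconnect-win-compliance-4.3.50.pkg",      # Compliance Module, ISE only
]

if __name__ == "__main__":
    for line in report(find_mismatches(ASA_DISK0, ISE_RESOURCES)):
        print(line)
```

Run against the sample data it flags only Windows (ASA 4.4.00154 versus ISE 4.5.01044, ise-newer), which is exactly the combination that produced the "cannot be performed while the VPN tunnel is established" rollback above; macOS matches on both sides and is silent. A "missing" result means one side has no head-end package for that OS at all, which is worth resolving before relying on ISE-side deferred update settings.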