
ASA VPN packages

keithcclark71
Level 3

I found these packages on older ASAs that I am trying to replace. I am not sure which packages are even being used by remote users. Do you think someone just added these packages to cover all possibilities, or are they actually still using these to this day?

I plan to just direct any VPN users to new packages I add, and am not even sure if the current Cisco mobility client has Linux and whatever the ARM package is. I am hoping I can direct users to a web URL and they can update their own clients.

205 -rwx 2857568 04:04:14 Aug 17 2010 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
206 -rwx 3203909 04:04:16 Aug 17 2010 anyconnect-win-2.4.1012-k9.pkg
207 -rwx 4832344 04:04:18 Aug 17 2010 anyconnect-macosx-i386-2.4.1012-k9.pkg
208 -rwx 5209423 04:04:18 Aug 17 2010 anyconnect-linux-2.4.1012-k9.pkg

2 Accepted Solutions


Sheraz.Salim
VIP Alumni

The AnyConnect software you showed is also known as headend AnyConnect packages/software. AnyConnect version 2.4 is very old and has gone EOL (end of life) here. However, if you still plan to use them in your network you can, but it would be good to move to AnyConnect version 4.10.

Most probably someone added this AnyConnect headend software to your ASA. If you plan to upgrade them, there are a few options for you.

1. You can upgrade your clients, as you mentioned, via web URL. Bear in mind Cisco released a vulnerability for the webvpn here.

2. In order to upgrade your clients you will need AnyConnect headend images; in that case you need a Cisco software contract in place.

3. Once you have uploaded your headend AnyConnect version 10, you can change the order of AnyConnect in your ASA.

What I mean is:

show webvpn anyconnect
!
webvpn
 port 443
 enable Outside
 dtls port 443
 anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.6.02074-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 3
 anyconnect image disk0:/anyconnect-macos-4.10.02086-webdeploy-k9.pkg 4

4. You can also consider enabling AnyConnect Client Deferred Upgrade. Deferred Upgrade allows the AnyConnect user to delay download of a client upgrade. When a client update is available

Please do not forget to rate.


Using AnyConnect with FTD requires version 4.0 or later of AnyConnect, and version 6.2.1 or later of the FMC.

You need to bring the VPN AnyConnect headends in manually.

In regards to AnyConnect configuration, the FMT does not support this migration. The only migrations for VPN are VTI, site-to-site PSK and cert-based.

I think the new release, FMT 2.6, is planned for release in June. This is what I was told, so no idea if 2.6 will support the AnyConnect configuration migration.

Please do not forget to rate.


6 Replies

Version 2.4 is very old now. You can use the 4.x series, such as 4.9 or 4.10. Users will be prompted to upgrade AnyConnect on their computers once you upgrade it on the ASA side. You can upload new packages and map them in the AnyConnect settings to use the new packages.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Marvin Rhoads
Hall of Fame

When you have configured a client-based (AnyConnect) remote access VPN, the ASA (or FTD) requires that you specify at least one AnyConnect package. Any valid one will allow setup of the VPN. If the client already has a version equal to or greater than the one specified on the headend it will work as-is when they connect.

Generally we include and specify the current AnyConnect package (or packages for multiple OSes). Clients connecting will then either upgrade (if an older package exists on the client) or install fresh upon first connect.

So just include the current AnyConnect packages (version 4.10.05111 as of this posting). You can then safely remove the old files from disk and any reference to them in the config.
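
An added example, not part of the thread and not Cisco tooling: a small Python audit for the clean-up described in the replies above. Given pasted flash-listing and webvpn config text, it reports AnyConnect packages on flash that no `anyconnect image` line references, configured images missing from flash, images older than a chosen minimum, and platforms with more than one configured image. The function name `audit`, the 4.10 minimum and the two placeholder flash entries are assumptions.

```python
import re

# Name pattern seen in the thread: anyconnect-<platform>-<version>[-webdeploy]-k9.pkg
PKG_RE = re.compile(r"anyconnect-([A-Za-z0-9-]+?)-(\d+(?:\.\d+)+)(?:-webdeploy)?-k9\.pkg")
IMG_RE = re.compile(r"^\s*anyconnect image \S*?(anyconnect-\S+\.pkg)\s+(\d+)", re.M)

def audit(dir_output, webvpn_config, min_version=(4, 10)):
    """Compare packages on flash with 'anyconnect image' lines in the config."""
    on_flash = set(re.findall(r"anyconnect-\S+\.pkg", dir_output))
    configured = {name: int(order) for name, order in IMG_RE.findall(webvpn_config)}
    report = {
        "unreferenced": sorted(on_flash - set(configured)),        # on disk, not in config
        "missing_from_flash": sorted(set(configured) - on_flash),  # in config, not on disk
        "below_min": [],           # older than min_version (assumed threshold)
        "duplicate_platform": [],  # platform with more than one configured image
    }
    per_platform = {}
    for name in sorted(on_flash | set(configured)):
        m = PKG_RE.fullmatch(name)
        if not m:
            continue  # name does not follow the pattern; leave it for manual review
        version = tuple(int(part) for part in m[2].split("."))
        if version < min_version:
            report["below_min"].append(name)
        if name in configured:
            per_platform.setdefault(m[1], []).append(name)
    report["duplicate_platform"] = sorted(p for p, n in per_platform.items() if len(n) > 1)
    return report

# Constructed sample: the question's 2.4 files plus two placeholder 4.x flash entries.
SAMPLE_DIR = """\
205 -rwx 2857568 04:04:14 Aug 17 2010 anyconnect-wince-ARMv4I-2.4.1012-k9.pkg
206 -rwx 3203909 04:04:16 Aug 17 2010 anyconnect-win-2.4.1012-k9.pkg
207 -rwx 4832344 04:04:18 Aug 17 2010 anyconnect-macosx-i386-2.4.1012-k9.pkg
208 -rwx 5209423 04:04:18 Aug 17 2010 anyconnect-linux-2.4.1012-k9.pkg
209 -rwx 0 00:00:00 Jan 1 2000 anyconnect-win-4.9.05042-webdeploy-k9.pkg
210 -rwx 0 00:00:00 Jan 1 2000 anyconnect-macos-4.10.02086-webdeploy-k9.pkg
"""
SAMPLE_CONFIG = """\
webvpn
 anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-4.6.02074-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 3
 anyconnect image disk0:/anyconnect-macos-4.10.02086-webdeploy-k9.pkg 4
"""

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_DIR, SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Entries under `unreferenced` are the candidates for removal from disk; entries under `missing_from_flash` are config references that need a package uploaded or the line removed.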

I assume then, if I run the firewall migration tool, that it would not bring over the AnyConnect packaged remote user VPN settings off the ASA to the FTD, and I would need to manually create them within the FMC, add packages etc.

Thanks again Sheraz!!!
