Updating AnyConnect/Secure Client with ASA - Not Working

is.infrastructure1 · ‎06-23-2024

I am trying to update AnyConnect to Cisco Secure Client with the ASA.

Whenever I put a AnyConnect/Secure Client on the ASA that is newer than the one currently installed on the end devices, the Client fails to connect - 'The VPN Client failed to establish a connection'

I have looked in the logs but the behaviour seems quite normal.

I have attached a copy of the Client Profile, and the ASA config. - I added the client profile as word doc as there was an error when i added as txt file.

Is there any config missing? Have I got something wrong?

Many thanks

Marvin Rhoads · ‎06-24-2024

Your client profile has IPsec as the primary protocol. Is that enabled in the ASA with a "crypto ikev2 enable outside" or similar command?

Also, if you are trying to update from the ASA, you need to turn on SSL/TLS and enable client services to allow the update to happen. You cannot update clients' software if only IPsec is enabled.

https://community.cisco.com/t5/security-knowledge-base/configuring-ipsec-ikev2-remote-access-vpn-with-cisco-secure/ta-p/4485165

is.infrastructure1 · ‎06-25-2024

Hi Marvin,

Thanks for your reply

Just to confirm - Is it this that needs to be enabled on the Tunnel Group?

I guess this is linked to the group policy, so I could tick this here?

Many thanks

is.infrastructure1 · ‎06-27-2024

Hi @Marvin Rhoads

Is this what you mean?

The connection to the VPN fails whenever I add an image that is newer than the one we have on the end device

Thanks

Marvin Rhoads · ‎06-27-2024

@is.infrastructure1 correct. If there is a newer client pending on the ASA, it will try to update but without client services (which require SSL/TLS) the update will fail and prevent the connection.

MHM Cisco World · ‎06-25-2024

3DES/AES encryption license need to activate I guess
MHM