cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
3874
Views
5
Helpful
4
Replies

AnyConnect client image validation

krishnadig
Level 1
Level 1

HI,

I have the below lines configured on my ASA version 9.7.x. Whenever a user with lower AnyConnect client version attempts to connect to this VPN, it prompts for upgrading the package.

 

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1

 

I intend to have a configuration on ASA such that it will not prompt the user to upgrade the AnyConnect package if it is minimum v4.x or v4.4.x. This will enable the users to connect to multiple VPNs using same client and without the need to upgrade it.

 

For trial, i removed the statement -

"anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1"

In this case, the users are unable to connect with message:

"The AnyConnect package on the secure gateway could not be located. You may be
experiencing network connectivity issues. Please try connecting again."

 

2 Accepted Solutions

Accepted Solutions

Hi,
Yes, I'm not sure if you can push down the AnyConnectLocalPolicy.xml file from the ASA either. Assuming your computers are joined to AD, you could configure a group policy to push the file down to the selected machines or use your mgmt software e.g SCCM.
HTH

View solution in original post

Thanks again for your input.

I got some additional information on this:

  • In the profile under ā€œAnyConnect Profile Editor, Preferences (Part 1)ā€ configuration have option to uncheck auto update for anyconncet client  or you can set it as user controllable which means user can override this setting in the client.
  • If the version is higher on a client machine than ASA device then client will not be prompted for any upgrade

View solution in original post

4 Replies 4

Hi,

You will need the image on the ASA. On the comptuers you do not wish to upgrade you could disable the update client check:

 

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

 

Modify this value:

<BypassDownloader>true</BypassDownloader>

 

HTH

Hello RJI, Thank you for your response.

Is there a way to push this setting on multiple workstations? Not sure if it its doable via ASA group policy.

Hi,
Yes, I'm not sure if you can push down the AnyConnectLocalPolicy.xml file from the ASA either. Assuming your computers are joined to AD, you could configure a group policy to push the file down to the selected machines or use your mgmt software e.g SCCM.
HTH

Thanks again for your input.

I got some additional information on this:

  • In the profile under ā€œAnyConnect Profile Editor, Preferences (Part 1)ā€ configuration have option to uncheck auto update for anyconncet client  or you can set it as user controllable which means user can override this setting in the client.
  • If the version is higher on a client machine than ASA device then client will not be prompted for any upgrade
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: