02-06-2018 07:02 AM - edited 03-12-2019 05:00 AM
I'm researching an ASA update from 8.4(7)30 to 9.1.7.23. Some remote users not simple to admin still have older AnyConnect versions 2.4, 2.5, and 3.1. Disregarding that 2.x support has ended, would these versions continue to work after the update or break? Would the HTTPS/SSL certificate currently used require any change at the ASA and clients or continue working as it has been? Would current licensing continue to work without requiring modification? Primary concern right now is to not break connectivity for VPN users in distant places until they can be updated or migrated to another solution at a later time. Thanks
Cisco Adaptive Security Appliance Software Version 8.4(7)30
Device Manager Version 7.1(5)
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
Licensed features for this platform:
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 750 perpetual
Other VPN Peers : 750 perpetual
Total VPN Peers : 750 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
sh run webvpn
webvpn
anyconnect-essentials
anyconnect enable
02-06-2018 07:40 AM
According to the following doc you need minimum AnyConnect 3.1.x on ASA 9.1 (https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html), so I believe the AnyConnect versions 2.4, 2.5 will not work.
License and certificate should not be a problem, you need new licenses for AnyConnect 4.x features.
Not sure if you know, but AnyConnect is automatically upgraded the first time you connect if you have a newer package on the ASA.
HTH
Bogdan
02-06-2018 07:45 AM - edited 02-06-2018 10:26 AM
Present problem in this environment with the scenario of AnyConnect clients automatically updating from the ASA would be any users on the Windows clients lacking local admin privileges for the installation to complete, which is another subject.