01-22-2019 11:26 AM - edited 02-21-2020 09:32 PM
Hello folks,
I have finished setting up the ASA image, AnyConnect profiles, etc. on the new VPN 2110 buildout. One thing that I can't figure out is why, when for example one Windows 10 client wants to use the new VPN, all they do is punch in the new IP address of the VPN server on their current AnyConnect client, at which point the ASA recognizes they have an older version of the AnyConnect client, so the ASA automatically downloads and installs the AnyConnect package onto their computer... that's great, that's how I want it, and it works great.
But all of a sudden I go to test this on another Win 10 computer, and when they try to connect to the new VPN 2110 server, they get an error saying something like "not able to connect to the server", so I had the end user go to the new VPN webpage and download the new AnyConnect package, and then they connected just fine. I'm curious why one computer gets the package downloaded automatically while using the AnyConnect app, and why one computer has to manually go to the VPN webpage and download the new AnyConnect app? Is there a way to make this process not be random?
Thank you for your help
01-22-2019 11:49 PM
It should always download the upgrade automatically for clients who currently have an earlier version of AnyConnect. (Unless you have the bypass upgrade option selected in the profile on the head end.)
Did the two computers both have the same old version of AnyConnect? Are they members of the same domain with associated GPOs matching? Could User Account Control have locked down the second computer?
01-23-2019 10:44 AM
Thanks for replying, Marvin. I think I figured out the issue by accident. I was playing around with the settings and I went to "SSL Settings". I had set the min SSL version for server and client to be TLS 1.2. This had worked for my laptop, which connected with Windows 10 and downloaded the AnyConnect package automatically, but seems to not work for most (unless they manually go to the webpage and download the new AnyConnect client package). So after I made the min be TLS V1 instead, I had the client connect and they connected just fine and downloaded the AnyConnect client from 3.x to 4.7.
I guess it seems I have to sacrifice security here... Unless you have a suggestion or work-around or something...
Thank you
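To see which clients would still be cut off if the minimum went back to TLS 1.2, the versions negotiated while TLS 1.0 is allowed can be tallied from the ASA's SSL handshake syslog. This is an added example, not something posted in the thread; it assumes handshake message 725002 is logged in the layout of the constructed sample lines, and `clients_below` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (documentation IP ranges). The 725002 layout
# is an assumption; compare it with what your own ASA actually emits.
SAMPLE_LOG = """\
Jan 23 2019 10:31:02 vpn2110 : %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.23/50112 to 203.0.113.10/443 for TLSv1 session
Jan 23 2019 10:31:40 vpn2110 : %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.40/50200 to 203.0.113.10/443 for TLSv1.2 session
Jan 23 2019 10:32:05 vpn2110 : %ASA-6-725007: SSL session with client outside:198.51.100.40/50200 terminated
Jan 23 2019 10:35:19 vpn2110 : %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.23/50377 to 203.0.113.10/443 for TLSv1 session
Jan 23 2019 10:36:48 vpn2110 : %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.77/61022 to 203.0.113.10/443 for TLSv1.1 session
"""

# Captures the client address and the negotiated protocol version.
HANDSHAKE = re.compile(
    r"%ASA-6-725002: Device completed SSL handshake with client "
    r"[^:\s]+:(?P<ip>[^/\s]+)/\d+ to \S+ for (?P<version>\S+) session"
)

# Ordering used to compare a negotiated version against the planned minimum.
RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def clients_below(log_text, minimum="TLSv1.2"):
    """Return {client_ip: {version: handshake_count}} for handshakes below `minimum`."""
    floor = RANK[minimum]
    found = defaultdict(Counter)
    for line in log_text.splitlines():
        m = HANDSHAKE.search(line)
        if not m:
            continue  # not a completed-handshake message
        # Unknown version strings rank as -1 so they are reported, not hidden.
        if RANK.get(m["version"], -1) < floor:
            found[m["ip"]][m["version"]] += 1
    return {ip: dict(counts) for ip, counts in found.items()}


if __name__ == "__main__":
    for ip, versions in sorted(clients_below(SAMPLE_LOG).items()):
        print(ip, versions)
```

Once the list comes back empty for a representative period, the minimum can be raised again without stranding the remaining 3.x clients.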
01-23-2019 10:49 AM