Solved: AnyConnect 4.10 upgrade to Secure Client 5.x

tachyon05 · ‎11-06-2023

I need to upgrade AnyConnect 4.10 because it is EOS on 3/31/24. The replacement product is Secure Client 5.x. Currently, users only have DART and NAM installed on their computers.

1. Do I need to uninstall AnyConnect 4.10 or is that automatically done when running the Secure Client installer?
2. We have a configuration.xml file that contains profiles and settings for existing wired and wireless networks. Will the new Secure Client use the same XML file?

Marvin Rhoads · ‎11-07-2023

No uninstall is necessary when upgrading from AnyConnect 4.x to Secure Client 5.x

Your configuration files will be copied into the new folders specific to Secure Client 5. (Created automatically in the C:\ProgramData\Cisco\Cisco Secure Client folder in Windows).

View solution in original post

Marvin Rhoads · ‎11-07-2023

No uninstall is necessary when upgrading from AnyConnect 4.x to Secure Client 5.x

Your configuration files will be copied into the new folders specific to Secure Client 5. (Created automatically in the C:\ProgramData\Cisco\Cisco Secure Client folder in Windows).

tachyon05 · ‎11-07-2023

Sounds like it is not a problem to have both the new and old clients. Will Windows OS prefer and use only the new Secure 5.x over the old AnyConnect 4.x for 802.1x?

Marvin Rhoads · ‎11-07-2023

When you install Secure Client 5.x it will replace AnyConnect 4.x. The product name and folders used change but it is still just like an in-place upgrade in other respects.

tracyc · ‎06-11-2024

Hi Marvin, I am looking to auto update from 4.10.07073 Anyconnect to Secure Client - can this be done please? We have around 250 users I believe on our OUH NHS site.

Marvin Rhoads · ‎06-11-2024

@tracyc it is as noted by @tahscolony - just update the files on the ASA or FTD headend and point the webvpn configuration at them. If you have ASA, be sure to copy the new files onto both the Active and Standby appliance. FDM- or FMC-managed FTD will take care of syncing them for you automatically.

tachyon05 · ‎11-08-2023

Thank you. My TAC person said the following for some reason. I will try to get a test laptop and try it out.

[+] Cisco Secure Client will not get rid of the previous installations of AnyConnect, you will need to uninstall first then install Secure Client.

[+] You will need to migrate configuration of the profile to a 5.x version with the help of the profile editor. Here is the download link: https://software.cisco.com/download/home/286330811/type/282364313/release/5.0.05040

Marvin Rhoads · ‎11-08-2023

What the TAC told you doesn't match my experience. I have moved over a dozen customer organizations (with several thousand end users) and my own company's 100+ users to Secure Client 5 and none of them ever had to uninstall anything or migrate any configuration using the profile editor.

tachyon05 · ‎11-08-2023

Thanks, and your experience is what I would expect, and hope Cisco provides to their customers. Looking at the download site, I see the only 5.1 version out there is 5.1.0.136 which came out 2 weeks ago on 10/27/23. There are several 5.0 versions with the latest being 5.0.05040 which released on 9/5/23. There is no "safe harbor" or "star" version. Would you be able to share which version you went with on your most recent upgrade and if there are any issues encountered?

Marvin Rhoads · ‎11-09-2023

On my personal laptop I have upgraded just about about every version and maintenance release since 3.x, including the latest 5.1. As of right now, 5.0 MR 5 (5.0.05040) would be the best choice for most customers. 5.1 is intended primarily to add the Zero Trust module with Duo desktop for Cisco + Secure Access customers.

Cisco doesn't publish a "Suggested Release" (Gold Star) for Secure Client, but they generally recommend the latest maintenance release in the most current version.

tahscolony · ‎03-20-2024

Hi Marvin. We run Anyconnect 4.10.08025 on a 5555-X using two different profiles, one for split tunnel and one full tunnel. We also use Windows, Mac and Linux clients. Reading the download for the clients, the MACs require Admin access to install. Also I found to use umbrella roaming a module needs to be installed from the ASA.

So two questions, are there any configuration changes required on the ASA in order to use the latest SC5? We also upgrade via the ASA, so how will that impact the MAC users?

j.a.m.e.s · ‎04-16-2024

There are certain minimum ASA version requirements and flash memory requirements, but I don't think any configuration changes are generally required when going from v4.10 to v5.X.

You mentioned using web-deploy, so the equivalent to this config needs to be updated:

webvpn
  anyconnect image disk0:/anyconnect-xxxxx.pkg 1 regex "Windows NT"

tahscolony · ‎06-11-2024

The documentation is misleading in many ways. If you already have an established VPN using Anyconnect, the simplest method to go to Secure Connect is to just replace the current image on the ASA using Web Deploy. The only issues we ran into were layer 8 where someone put a shortcut for the client on his desktop, not realizing that Anyconnect runs at startup and is already present. Another one required a reboot, but the vast majority didn't even know they were upgraded.

j.a.m.e.s · ‎06-11-2024

Doesn't web-deploy require admin rights on the client? We leave the web-deploy in our config but ultimately deploy an upgrade via SCCM. As @Marvin Rhoads implied earlier, the installer seems to take care of migrating smoothly from old versions. It goes without saying that you have to be careful and roll it out slowly.

One thing to be aware about in a v4.10 to v5 migration is the folder naming for the Anyconnect profiles:

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile <- Old Path

%ALLUSERSPROFILE%\Cisco\Cisco Secure Client\VPN\Profile\ <- New Path

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script <- Old Path

%ALLUSERSPROFILE%\Cisco\Cisco Secure Client\VPN\Script <- New Path

Marvin Rhoads · ‎06-11-2024

@j.a.m.e.s,

"

Web Deploy

To upgrade Cisco Secure Client or install additional modules using web deploy (from ASA/ISE/Secure Firewall Threat Defense with Downloader), you do not need administrative privileges.

Due to a new Apple API change, when using webdeploy to upgrade from macOS Cisco Secure Client 5.0.x (or earlier) to 5.1.x (or later), you must have administrator privileges or manage the macOS devices via MDM to pre-approve the application extension. This restriction does not apply to Windows or Linux.
<snip>

Predeploy

To upgrade Cisco Secure Client or install additional modules using predeploy (out-of-band deployment, either manually or using SCCM and so on), you need administrative privileges.

"

Reference: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-1/deploy-anyconnect.html#ID-1425-00000005