08-18-2021 01:07 AM
Hi,
We're running multiple FTD devices with the same versions of FTD OS and AnyConnect. The only difference is the hardware models. (FTD 2130 and ASA 5508-X)
The local VPN XML profile is also the same for all users and contains a list of the different VPN gateways that the users can connect to.
When a user connects to one of those gateways (ASA hardware) with an older AnyConnect version, he receives the following message.
"Cannot update AnyConnect Secure Mobility Client 4.x.x because local policy is preventing a required software deployment from an unauthorized gateway. A VPN connection cannot be established."
The user confirmed that when connecting to another VPN gateway (FTD 2100 hardware) the update works.
For me it sounds like a bug when running a combination of FTD software on ASA hardware with this specific version of AnyConnect - 4.10.001075.
The only bug I have found with this specific error message is this one - CSCvw96331, but this bug is specific to Linux OS and all affected users in this case are running Windows.
Has anyone else seen this error? I'm thinking about submitting a bug report with Cisco but wanted to check if someone else has experienced this problem with this version of AnyConnect running FTD on ASA hardware.
Thanks
/Chess
08-19-2021 02:50 AM
Hi @Chess_N,
Based on the message the user receives, I believe you are using a custom AnyConnectLocalPolicy.xml policy. There you can define a list of authorized VPN gateways, which are authorized to perform SW upgrades or profile updates on your GWs. This file is located in:
For Windows - %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\
For macOS - /opt/cisco/anyconnect/
This is not a bug, but an enhancement introduced in v4.10, where you get more security options for better control of your environment.
Try looking at this file on your PC which has issues, and you'll probably realize that one of those two GWs is missing.
BR,
Milos
08-19-2021 04:49 AM - edited 08-19-2021 05:03 AM
Thank you, this is most likely the source of the issue. I will try to get a copy of that file to verify.
So you need to manually add the gateways you want to allow to perform SW upgrades on the local AnyConnect PC? And this was changed in version 4.10? Do you know what the default behavior is if you don't customize the profile? Will it allow or deny all gateways?
Thanks
/Chess
08-19-2021 11:54 AM
By default, if you don't manually modify it, it will allow updates from all gateways. Once you decide to take control into your hands and customize the profile, it is up to you to control behavior. This control must be done on PC level, and can't be enforced from ASA, so it needs to be handled via some tool like SCCM.
This behavior was introduced in 4.10, in order to mitigate some security vulnerabilities. You can find more details and a config guide here.
BR,
Milos
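To audit the situation Milos describes (a local policy that restricts software updates to an authorized server list, and a gateway from the VPN profile that is missing from it), here is an added example script that is not from the thread or from Cisco. It parses an AnyConnectLocalPolicy.xml and reports which profile gateways would be refused updates; the element names (UpdatePolicy, AllowSoftwareUpdatesFromAnyServer, AuthorizedServerList, ServerName) are assumed from the AnyConnectLocalPolicy.xml schema, the hostnames are constructed, and an absent setting is treated as "allow all" per the default stated above.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the thread); element names are assumed
# from the AnyConnectLocalPolicy.xml schema. Only one gateway is authorized.
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="4.10.01075">
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>vpn-ftd.example.com</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>
"""

# Constructed gateway list, standing in for the HostAddress entries of the VPN XML profile.
PROFILE_GATEWAYS = ["vpn-ftd.example.com", "vpn-asa.example.com"]


def _local_name(tag):
    """Strip the default namespace so element names compare by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_update_policy(xml_text):
    """Return {'allow_any': True/False/None, 'authorized': [lower-cased hostnames]}."""
    root = ET.fromstring(xml_text)
    policy = {"allow_any": None, "authorized": []}
    for el in root.iter():
        text = (el.text or "").strip()
        name = _local_name(el.tag)
        if name == "AllowSoftwareUpdatesFromAnyServer":
            policy["allow_any"] = text.lower() == "true"
        elif name == "ServerName":
            policy["authorized"].append(text.lower())
    return policy


def software_update_allowed(policy, gateway):
    """Absent setting or 'true' means any gateway may push updates (the default)."""
    if policy["allow_any"] is None or policy["allow_any"]:
        return True
    # Hostnames are compared case-insensitively here (an assumption of this script).
    return gateway.lower() in policy["authorized"]


def missing_gateways(policy, gateways):
    """Profile gateways that the local policy would block from deploying software."""
    return [g for g in gateways if not software_update_allowed(policy, g)]


if __name__ == "__main__":
    pol = parse_update_policy(SAMPLE_POLICY)
    for gw in missing_gateways(pol, PROFILE_GATEWAYS):
        print(f"{gw}: not in AuthorizedServerList; updates from it will be refused")
```

Point the script at the real file from the path above and at the gateways in your VPN profile to see which ones were left out when the policy was copied forward.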
08-20-2021 12:27 AM
I can now confirm that the reason for the issue was what you suspected. I think the policy was just copied from a previous working setup, and when a new VPN gateway was introduced and AnyConnect was updated, the issue occurred. Thank you for the help. I will mark this as resolved.
BR
/Chess