Chess_N
Beginner

AnyConnect auto-update fails on FTD

Hi,

We're running multiple FTD devices with the same versions of FTD OS and AnyConnect. The only difference is the hardware models. (FTD 2130 and ASA 5508-X)

The local VPN XML profile is also the same for all users and contains a list of the different VPN gateways that the users can connect to.

When a user connects to one of those gateways (ASA hardware) with an older AnyConnect version, he receives the following message.

"Cannot update AnyConnect Secure Mobility Client 4.x.x because local policy is preventing a required software deployment from an unauthorized gateway. A VPN connection cannot be established."

The user confirmed that when connecting to another VPN gateway (FTD 2100 hardware) the update works.

For me it sounds like a bug when running a combination of FTD software on ASA hardware with this specific version of AnyConnect - 4.10.001075

The only bug I have found with this specific error message is this one - CSCvw96331, but this bug is specific to Linux OS and all affected users in this case are running Windows.

Has anyone else seen this error? I'm thinking about submitting a bug report with Cisco but wanted to check if someone else has experienced this problem with this version of AnyConnect running FTD on ASA hardware.


Thanks

/Chess 

Accepted Solutions
Milos_Jovanovic
Collaborator

Hi @Chess_N,

Based on the message the user receives, I believe you are using a custom AnyConnectLocalPolicy.xml policy. There you can define a list of authorized VPN gateways, which are authorized to perform SW upgrades or profile updates on your GWs. This file is located in:

For Windows - %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\

For macOS - /opt/cisco/anyconnect/

This is not a bug, but an enhancement introduced in v4.10, where you get more security options for better control of your environment.

Try looking at this file on your PC which has issues, and you'll probably realize that one of those two GWs is missing.

BR,

Milos

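A quick way to verify the diagnosis above on an affected PC is to compare the gateways listed in the VPN profile against the AuthorizedServerList in AnyConnectLocalPolicy.xml. The script below is an added example, not part of this thread; the two XML documents are constructed samples (element names follow the AnyConnectLocalPolicy and AnyConnectProfile schemas, host names are made up).

```python
"""Cross-check an AnyConnect local policy against the VPN profile's gateway list."""
import xml.etree.ElementTree as ET

# Constructed sample files (host names are invented for this example).
LOCAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <UpdatePolicy>
    <AllowSoftwareUpdatesFromAnyServer>false</AllowSoftwareUpdatesFromAnyServer>
    <AllowVPNProfileUpdatesFromAnyServer>false</AllowVPNProfileUpdatesFromAnyServer>
    <AuthorizedServerList>
      <ServerName>vpn-ftd.example.com</ServerName>
    </AuthorizedServerList>
  </UpdatePolicy>
</AnyConnectLocalPolicy>"""

VPN_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>FTD 2130</HostName><HostAddress>vpn-ftd.example.com</HostAddress></HostEntry>
    <HostEntry><HostName>ASA 5508-X</HostName><HostAddress>vpn-asa.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def _local(tag):
    # Strip the XML namespace so we can match on the bare element name.
    return tag.rsplit("}", 1)[-1]

def _texts(root, name):
    return [e.text.strip() for e in root.iter() if _local(e.tag) == name and e.text]

def unauthorized_gateways(policy_xml, profile_xml):
    """Return profile gateways the local policy would refuse software updates from.
    If AllowSoftwareUpdatesFromAnyServer is absent or true (the default), every
    gateway may push updates and the list is empty."""
    policy = ET.fromstring(policy_xml)
    profile = ET.fromstring(profile_xml)
    any_server = _texts(policy, "AllowSoftwareUpdatesFromAnyServer")
    if not any_server or any_server[0].lower() == "true":
        return []
    authorized = {s.lower() for s in _texts(policy, "ServerName")}
    gateways = _texts(profile, "HostAddress")
    return [gw for gw in gateways if gw.lower() not in authorized]

if __name__ == "__main__":
    for gw in unauthorized_gateways(LOCAL_POLICY, VPN_PROFILE):
        print(f"{gw}: not in AuthorizedServerList; updates from it will be refused")
```

On a real client, read the two files from the paths given above instead of the embedded samples; any gateway the script reports is one the "unauthorized gateway" message will be raised for.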

Hi @Milos_Jovanovic 


Thank you, this is most likely the source of the issue. I will try to get a copy of that file to verify.


So you need to manually add the gateways you want to allow to perform SW upgrades on the local AnyConnect PC? And this was changed in version 4.10? Do you know what the default behavior is if you don't customize the profile? Will it allow or deny all gateways?


Thanks

/Chess


By default, if you don't manually modify it, it will allow updates from all gateways. Once you decide to take control into your hands and customize profile, it is up to you to control behavior. This control must be done on PC level, and can't be enforced from ASA, so it needs to be handled via some tool like SCCM.

This behavior was introduced in 4.10, in order to mitigate some security vulnerabilities. You can find more details and config guide here.

BR,

Milos

Chess_N
Beginner

Hi @Milos_Jovanovic 

I can now confirm that the reason for the issue was what you suspected. I think the policy was just copied from a previous working setup, and when a new VPN gateway was introduced and AnyConnect was updated, the issue occurred. Thank you for the help. I will mark this as resolved.


BR

/Chess