Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4391
Views
5
Helpful
4
Replies

AnyConnect client image validation

Go to solution
krishnadig
Level 1
Level 1

‎04-06-2018 07:26 AM - edited ‎03-12-2019 05:10 AM

HI,

I have the below lines configured on my ASA version 9.7.x. Whenever a user with lower AnyConnect client version attempts to connect to this VPN, it prompts for upgrading the package.

 

webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1

 

I intend to have a configuration on ASA such that it will not prompt the user to upgrade the AnyConnect package if it is minimum v4.x or v4.4.x. This will enable the users to connect to multiple VPNs using same client and without the need to upgrade it.

 

For trial, i removed the statement -

"anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1"

In this case, the users are unable to connect with message:

"The AnyConnect package on the secure gateway could not be located. You may be
experiencing network connectivity issues. Please try connecting again."

 

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to krishnadig

‎04-07-2018 03:54 AM

Hi,
Yes, I'm not sure if you can push down the AnyConnectLocalPolicy.xml file from the ASA either. Assuming your computers are joined to AD, you could configure a group policy to push the file down to the selected machines or use your mgmt software e.g SCCM.
HTH

View solution in original post

0 Helpful

Go to solution
krishnadig
Level 1
Level 1
In response to Rob Ingram

‎04-13-2018 12:44 AM

Thanks again for your input.

I got some additional information on this:

  • In the profile under “AnyConnect Profile Editor, Preferences (Part 1)” configuration have option to uncheck auto update for anyconncet client  or you can set it as user controllable which means user can override this setting in the client.
  • If the version is higher on a client machine than ASA device then client will not be prompted for any upgrade

View solution in original post

4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎04-06-2018 01:05 PM

Hi,

You will need the image on the ASA. On the comptuers you do not wish to upgrade you could disable the update client check:

 

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml

 

Modify this value:

<BypassDownloader>true</BypassDownloader>

 

HTH

0 Helpful

Go to solution
krishnadig
Level 1
Level 1
In response to Rob Ingram

‎04-06-2018 06:45 PM

Hello RJI, Thank you for your response.

Is there a way to push this setting on multiple workstations? Not sure if it its doable via ASA group policy.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to krishnadig

‎04-07-2018 03:54 AM

Hi,
Yes, I'm not sure if you can push down the AnyConnectLocalPolicy.xml file from the ASA either. Assuming your computers are joined to AD, you could configure a group policy to push the file down to the selected machines or use your mgmt software e.g SCCM.
HTH
0 Helpful

Go to solution
krishnadig
Level 1
Level 1
In response to Rob Ingram

‎04-13-2018 12:44 AM

Thanks again for your input.

I got some additional information on this:

  • In the profile under “AnyConnect Profile Editor, Preferences (Part 1)” configuration have option to uncheck auto update for anyconncet client  or you can set it as user controllable which means user can override this setting in the client.
  • If the version is higher on a client machine than ASA device then client will not be prompted for any upgrade
Customers Also Viewed These Support Documents