02-11-2017 08:57 AM - edited 02-21-2020 09:09 PM
Hi All,
I am wondering a couple of specific things around AnyConnect client profiles. Current setup is: ASA 5545-X, 9.2(4)18, AnyConnect 4.4.00243. So, all very new. I would like to know specifically:
1) When does the AnyConnect client download a new profile XML? For example -- is it when the XML file on the ASA is newer than the one on the client's file system? Does it look at file modification time? Or is it simply downloaded every time the client connects?
I ask this because we have one profile: company.xml, and when I edited the <HostAddress> portion of the XML WITHOUT changing the associated <HostName>, it did not seem to register a change and download the new XML file. We have a situation where we are changing DNS, so I modified the HostAddress portion, but the alias (HostName) stays the same. This should have updated the IP that's associated with the HostName, but the clients did not seem to update their XML file.
2) This may have been asked, but outside of using a GPO of some kind -- is there simply a way to tell the ASA to delete all client profiles a single time, and re-download the profile? There's been some cruft build up over time and a fresh wipe of profiles would be nice.
Thanks!
02-11-2017 11:46 AM
To answer your questions:
1) The ASA compares the hash of the profile on the ASA vs the one on the client machine. If they are different during connection time, the ASA replaces the old profile with the new. For your issue, you have to check if the user is falling into the right group-policy where the ASA profile is applied. Also, the profile changes take effect during the next connection only.
2) Nope. The ASA does not delete the profile in any way. You would have to manually delete it or use GPO. Even uninstalling the client does not delete the profile.
02-12-2017 07:26 AM
Thank you.
To address question 1, that's odd then and I wonder if I have a bug on my hands. I will have to double check the behavior, but there was only one group policy in this case, and I do recall I connected, then disconnected, and connected again. I'll poke at it and if it's still not updating, I'll open a TAC case.
Thanks for your replies.
02-12-2017 03:34 PM
A few things you can check:
1) Once connected, run the "show vpn-sessiondb anyconnect" on the ASA to see if the group-policy assigned is correct.
2) During connection, if the ASA profile has been changed, you should see a brief message showing "Downloading XML profile".
3) The ASDM sometimes has problems where it does not update the profile even once you apply it. Check that again to make sure.
02-13-2017 05:27 AM
Thanks so much! I will take a look and let you know what I find.
02-14-2017 06:33 AM
To follow up on this -- here's what I found was happening:
We are migrating from an old pair of ASAs which serviced our client VPN, to this new pair. When we connect to the new ASAs, the profile (company.xml) is the same on the new as it is on the old, with the one exception of the FQDN being updated on the new ASA.
It seems like the AnyConnect client specifically caches the old entry as the last used server, no matter what is in the XML itself. Clients would then connect to the old ASAs instead of the new one, since it was the last used server, then download the old XML and replace the new one, and so on.
02-16-2017 03:24 AM
The ASA does cache last used entries like username, server name etc under the "preferences.xml" in the location C:\Users\<Username>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client. You may have to delete that after a successful profile update to have it connect to the new.
Why not change the profile on the old ASA also to point to the new one?
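As an added illustration of the two mechanisms this thread turns on (the ASA deciding whether to push the profile by comparing hashes, and the client's cached last-used server in preferences.xml overriding what the profile says), here is a small Python check; it is not from the thread or from Cisco. The sample XML is constructed, and the element names other than HostName/HostAddress (ServerList, HostEntry, DefaultHostName, DefaultHostAddress) are assumptions modelled on typical AnyConnect files, with the profile namespace omitted.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of the profile the new ASA pushes (company.xml in the
# thread). Wrapper element names are assumptions; namespace omitted.
NEW_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile>
  <ServerList>
    <HostEntry>
      <HostName>Company VPN</HostName>
      <HostAddress>vpn-new.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample of the client's cached preferences.xml. The Default*
# element names are assumptions about the file's layout.
PREFERENCES = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser>jdoe</DefaultUser>
  <DefaultHostName>Company VPN</DefaultHostName>
  <DefaultHostAddress>vpn-old.example.com</DefaultHostAddress>
</AnyConnectPreferences>
"""


def profile_hash(xml_text):
    """Hash of the profile bytes. Any byte change (including a HostAddress
    edit behind an unchanged HostName) yields a different digest, which is
    what a hash-based comparison keys on."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def server_list(xml_text):
    """Map each HostName alias in the profile to its HostAddress."""
    root = ET.fromstring(xml_text)
    return {e.findtext("HostName"): e.findtext("HostAddress")
            for e in root.iter("HostEntry")}


def stale_cached_host(xml_text, pref_text):
    """Return the cached last-used address when it is not in the current
    profile's server list (the situation diagnosed in the thread), else None."""
    servers = server_list(xml_text)
    prefs = ET.fromstring(pref_text)
    cached_addr = prefs.findtext("DefaultHostAddress")
    return None if cached_addr in servers.values() else cached_addr
```

Run over a fleet's profile and preferences files, a non-None result from stale_cached_host identifies clients that will keep dialing the old headend until preferences.xml is cleared or the old ASA's profile is updated.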