Anyconnect Client Software on ASA

sqambera
Level 1

Hello,

I have configured the ASA for AnyConnect Client VPN. If the AnyConnect Client software is manually installed on the user's laptop, do I still need to have it saved on the ASA under Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Software? If yes, then why?

Thanks for your time to answer this question.

Regards,

Qamber

Accepted Solutions

Before you define configuration policies for the AnyConnect VPN client, you have to load the AnyConnect VPN client package in the local flash of the security appliance. You can verify whether it is installed by choosing Configuration > Remote Access VPN > Network (Client) Access > Advanced > SSL VPN > Client Setting. If an AnyConnect VPN client image is not installed. When the SSL/TLS request comes into the ASA (to the box), the ASA looks at the connection profile in order to match the configuration; you need to upload the headend AnyConnect software on the ASA.

The link below will help you to understand why you need it.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

Please do not forget to rate.


6 Replies

Hi @sqambera 

Yes, you still need to upload the image to the ASA. Without an AnyConnect image on the ASA, all connections will fail.

HTH

Just to add to what @Rob Ingram mentioned, you have to make sure the version is compatible.

I have seen many issues where the client is running AnyConnect version 4.8 but on the ASA the headend is configured as AnyConnect 4.7. Some clients can connect to the ASA with AnyConnect 4.8 but others are having issues.

So what you can do is upload two or three AnyConnect headend versions: 4.7, 4.8, 4.9.

anyconnect image disk0:/anyconnect-win-4.7.02074-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.8.02074-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.8.02074-webdeploy-k9.pkg 3
anyconnect enable

Now if the end client is running any version of AnyConnect mentioned above, they will be able to connect.

Please do not forget to rate.

Thank you Sheraz. But why do we need it on the headend if clients already have it installed? Is it like if the versions don't match, the ASA will automatically install? Thanks.

Thank you Rob for replying. But what's the reason to have it on the ASA if the clients already have it?


Still don't see the answer to the question in this thread or the Configuration guide for that matter. Also, don't see the implications of changing the version installed. I know that an ASA with version 4.6.x installed will allow a client running 4.10.x to connect. So, what happens if the ASA installed version is 4.10.x and a client running 4.6.x tries to connect?