09-08-2021 05:14 AM
Hello,
We want to deploy Anyconnect version 4.9.06037 instead of 4.9.01095 via an automatic "webdeploy" update.
Unfortunately the first feedback is not very good. For about fifteen clients, we already have 4 failures.
Here's what we see:
• The old version is uninstalled
• The installation of the new version fails, including any error messages you might get.
• Even with manual reinstallation, it is not successful.
• We have to go remove Windows registry keys related to Anyconnect in order to revive a manual installation that this time
• Problem encountered on Windows 7 and Windows 10 PCs.
• "Random" problem because it does not affect all of our users
We believe that the problem could be that the initial version of anyconnect was installed via GPO.
Unfortunately in the current context of widespread teleworking, it is difficult for us to push this update through GPO.
Thank you for your help,
BR,
Lui
09-08-2021 05:31 AM
If you are going to use webdeploy you need to make sure that the users have administrative privileges on the PC it is being installed on. Or at the very least have enough privileges to install software on the PC. Could you verify this?
09-08-2021 07:14 AM
The workstations on which the error occurred had administrator rights.
09-08-2021 09:48 AM
We recently did upgrade 4.9 and later to 4.10. The upgrade process did not go according to plan, and in the end we had to push 4.10 via SCCM GPO. Have you considered the AnyConnect Deferred Update?
Deferred Upgrade allows the AnyConnect user to delay download of a client upgrade. When a client update is available, AnyConnect opens a dialog asking the user if they would like to update, or to defer the upgrade.
09-08-2021 10:20 AM
Could you post the output of show run webvpn
Are all PCs in your test group running the same "old" version of AnyConnect?
It is quite possible that it is some GPO that is hindering the installation, but that doesn't explain why some are successful and some fail. It should be the same result for all PCs unless there are some differences between the PCs.
The PCs that were successful, were they all Windows 7 or Windows 10? Or were they a mix?
Were the successful PCs issued after the remote work was implemented?
If you set up new installations of Windows 7 or Windows 10 and then try to update those via webdeploy, are these successful or do they fail?
On one of the PCs that fails, if you remove the GPO setting from this PC does the installation succeed?
09-09-2021 05:44 AM
Hello guys,
Thank you for your answers.
To answer your questions:
Did you think about updating via ‘Deferred Update’?
I was not familiar with this feature.
Would you know the difficulties or precautions to configure this feature?
-The result of the show run webvpn command:
webvpn
 enable outside
 anyconnect-custom-attr ManagementTunnelAllAllowed description ManagementTunnelAllAllowed
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 http-headers
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/anyconnect-win-4.9.01095-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.9.01095-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.9.01095-webdeploy-k9.pkg 3
 anyconnect profiles AnyConnect_MGMT_Profile disk0:/anyconnect_mgmt_profile.vpnm
 anyconnect profiles ConnectBeforeLOgon disk0:/connectbeforelogon.xml
 anyconnect enable
 cache
  disable
- Are all PCs in your test group running the same "old" version of AnyConnect?
Yes, following the start of production of this new platform, all customers have been updated via the web.
-The PCs that were successful, were they all Windows 7 or Windows 10? Or were they a mix?
Mix of both
-Were the successful PCs issued after the remote work was implemented?
No not necessarily.
-If you set up new installations of Windows 7 or Windows 10 and then try to update those via webdeploy, are these successful or do they fail?
No because I don't have my hands on this tool, but I can get information from my colleagues who manage it
-On one of the PCs that fails, if you remove the GPO setting from this PC does the installation succeed?
Not tried
BR,
Lui
09-09-2021 07:34 AM - edited 09-09-2021 07:45 AM
When an end client connects to the VPN, the version of the client software, either Windows or Mac, will automatically be checked. Now, based on how old the software is, the following action will take place.
A dialog box appears asking if the end user/client wants to update or wants to defer it. There will be a time window of about 2 minutes; once the time has passed, the AnyConnect software will automatically choose to defer the update and get connected.
Here, Cisco Live page 25 gives you more insight into it.
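As an added example (not posted by anyone in this thread), this is how the Deferred Update behaviour described in the two replies above is typically expressed on an ASA, using the same `anyconnect-custom-attr` form visible in the poster's `show run webvpn`. The group-policy name `GP_REMOTE` and the `du-*` data names are hypothetical, the 120-second timeout mirrors the "about 2 minutes" mentioned above, and the syntax should be checked against the ASA release in use.

```text
! Added example: Deferred Update custom attributes (ASA 9.3+ style syntax).
! GP_REMOTE and the du-* names are hypothetical placeholders.
webvpn
 anyconnect-custom-attr DeferredUpdateAllowed description Allow the user to defer a client update
 anyconnect-custom-attr DeferredUpdateMinimumVersion description Oldest client version that may defer
 anyconnect-custom-attr DeferredUpdateDismissTimeout description Seconds before the prompt is auto-dismissed
 anyconnect-custom-attr DeferredUpdateDismissResponse description Action taken when the prompt times out
!
! Named values for each attribute type (global configuration mode).
anyconnect-custom-data DeferredUpdateAllowed du-allowed true
! Clients older than this version cannot defer and are updated immediately.
anyconnect-custom-data DeferredUpdateMinimumVersion du-minver 4.9.01095
! Prompt stays open for 120 seconds, then the response below is applied.
anyconnect-custom-data DeferredUpdateDismissTimeout du-timeout 120
anyconnect-custom-data DeferredUpdateDismissResponse du-response defer
!
! Bind the named values to the group policy used by the VPN users.
group-policy GP_REMOTE attributes
 anyconnect-custom DeferredUpdateAllowed value du-allowed
 anyconnect-custom DeferredUpdateMinimumVersion value du-minver
 anyconnect-custom DeferredUpdateDismissTimeout value du-timeout
 anyconnect-custom DeferredUpdateDismissResponse value du-response
```

With a timeout response of `defer`, unattended clients keep running the old version indefinitely, so `DeferredUpdateMinimumVersion` is the setting that enforces a patch floor. Raise it when a release fixes a vulnerability that must not stay deferred.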
09-09-2021 08:07 AM
In the client profile, do you have the option to update the client selected?
09-13-2021 01:32 AM
Hello,
To the question, In the client profile, do you have the option to update the client selected?
I guess this question is purely system?
Regarding the implementation of the Deferred Update, I don't see how this configuration will be able to solve the problem encountered?
BR,
Lui
09-23-2021 05:31 AM
I believe the issue has to do with Windows AD GPO settings. It could be that the PCs are instructed to only accept software installation from Endpoint Manager / SCCM.
Is there perhaps a GPO assigned to users with software restriction policy?
09-30-2021 12:24 AM
Hello,
I come back to this subject which has not yet found a solution.
We were able to test the 'deferred update' functionality. Unfortunately, it doesn't work.
Here is what is seen after failing to install the Anyconnect client:
Registry keys for Anyconnect have been deleted by following this post:
Manual re-installation of Anyconnect client 4.9.01095
Following this, I logged into the ASA again to run the update and this time the update went through without a hitch.
Do you know why we have this behavior?
Also, would you know if it's possible to uninstall the Anyconnect client and reinstall the new version (4.9.06037) without losing the connection?
Indeed, clients use anyconnect VPN to connect through the ASA. The goal is that remote access clients (VPN) can automatically download the new version of the anyconnect client
Also, I just tested the client update from msi and am having the same issues.
It is therefore possible that the problem is not related to the webdeploy but more simply to a Windows problem specific to our configuration!
Thank you in advance for your help,
BR,
Lui
09-14-2021 06:11 AM
Hello,
Does anyone have any idea how to handle this type of issue?
09-22-2021 07:20 AM
Hello everybody,
Does anyone have any idea about this problem which I think is recurring?
Thank you in advance for your help,
BR,
Lui