05-05-2020 03:55 AM
Hi,
I have configured ASA VPN with AnyConnect and posture with ISE.
The AnyConnect client and config will be preinstalled on the PC (no self-download or install with MSI).
I am confused by the different packages and profiles that must be uploaded to ISE and ASA (redundant?).
I have configured the client provisioning on ISE, and I have uploaded the AnyConnect pkg, the compliance module, the AnyConnect profile and the ISE Posture profile.
Do I also need to put all those same files on the ASA disk?
I have the AnyConnect pkg on the ASA (under AnyConnect Client Software in ASDM) and the AnyConnect profile (under AnyConnect Client Profile in ASDM).
Should I add the ISE posture and compliance module?
In case of an upgrade of AnyConnect and the compliance module: do I need to upload the files to both ISE client provisioning and the ASA?
Are the files downloaded from the ASA or ISE during an update of the client?
Best regards
05-05-2020 04:07 AM
05-05-2020 05:27 AM
Hi,
So only the AnyConnect package is mandatory on the ASA disk. No need to upload the compliance module and the XML profiles (already uploaded in ISE)?
If I want to upgrade AnyConnect, do I only need to update the client provisioning on ISE (keep the existing AnyConnect on ASA)?
It's still not clear if I need to have every package on ASA and also on ISE with the exact same version and with both XML profiles. And how do I proceed to upgrade (upload new packages on ASA and on ISE)? Which one has the last word?
Note: only the first install will be done with management tools.
Best regards
05-06-2020 06:04 AM
On the ASA you have the option to deploy/update AnyConnect VPN module and the ISE Posture, but there is no option to deploy/update the ISE Compliance Module.
Upon initial connection to the VPN, if the ASA has a newer AnyConnect package, the client will auto-update AnyConnect from the ASA - this is before the ISE Posture agent has communicated with ISE. Once upgraded and the VPN is established, the AnyConnect ISE posture agent will then contact ISE, and if ISE has a newer AnyConnect package (VPN, ISE Posture etc.) OR the ISE Compliance Module, it will update. ASA has the first word but ISE has the last word.
On that basis, if you want to upgrade all components, ISE can do this but the ASA cannot.
Bear in mind that if you are also pushing out the VPN Profile XML from both ASA and ISE, it is going to download from the ASA and then from ISE. So if you plan to update the AnyConnect modules from ISE, consider only deploying the VPN XML profile from ISE and not via the ASA (or keep them both up to date).
HTH
05-06-2020 06:39 AM