Anyconnect packages and profiles installation on ASA and ISE (for posture)

xbill42
Level 1

Hi,

I have configured ASA VPN with AnyConnect and posture with ISE.
The AnyConnect client and config will be preinstalled on the PC (no self download or install with MSI).

I am confused by the different packages and profiles that must be uploaded on ISE and ASA (redundant?).

I have configured the client provisioning on ISE, and I have uploaded the AnyConnect pkg, the compliance module, the AnyConnect profile and the ISE posture profile.

Do I also need to put all those same files onto the ASA disk?
I have the AnyConnect pkg on the ASA (under AnyConnect Client Software in ASDM) and the AnyConnect profile (under AnyConnect Client Profile in ASDM).
Should I add the ISE posture and compliance module?

In case of an upgrade of AnyConnect and the compliance module: do I need to upload the files to ISE client provisioning and to the ASA?
Are the files downloaded from the ASA or from ISE during the update of the client?

Best regards

4 Replies

Hi,
Regardless of whether AnyConnect is being deployed manually or via your management tools (e.g. SCCM), in order to establish a VPN on the ASA the AnyConnect package for each operating system (Windows, MacOS or Linux) that connects to the ASA must be uploaded to the ASA.

If you upgrade the AnyConnect packages via your management tools or manually, you don't need to replace the package on the ASA/ISE. The client can successfully establish a VPN to the ASA using a newer version of AnyConnect than the one that is uploaded to the ASA.

HTH

Hi,

So only the AnyConnect package is mandatory on the ASA disk. No need to upload the compliance module and the XML profiles (already uploaded in ISE)?

If I want to upgrade AnyConnect, do I only need to update the client provisioning on ISE (keep the existing AnyConnect on the ASA)?

It's still not clear if I need to have every package on the ASA and also on ISE with the exact same version and with both XML profiles. And how do I proceed to upgrade (upload new packages on the ASA and on ISE)? Which one has the last word?

Note: only the first install will be done with management tools.

Best regards

On the ASA you have the option to deploy/update the AnyConnect VPN module and the ISE Posture module, but there is no option to deploy/update the ISE Compliance Module.

Upon initial connection to the VPN, if the ASA has a newer AnyConnect package the client will auto-update AnyConnect from the ASA - this is before the ISE Posture agent has communicated with ISE. Once upgraded and the VPN is established, the AnyConnect ISE Posture agent will then contact ISE, and if ISE has a newer AnyConnect package (VPN, ISE Posture etc.) OR a newer ISE Compliance Module it will update. The ASA has the first word but ISE has the last word.

On that basis, if you want to upgrade all components, ISE can do this but the ASA cannot.

Bear in mind that if you are also pushing out the VPN Profile XML from both ASA and ISE, it is going to download from the ASA first and then from ISE. So if you plan to update the AnyConnect modules from ISE, consider only deploying the VPN XML profile from ISE and not via the ASA (or keep them both up to date).

HTH
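For reference, here is an ASA-side configuration fragment (added as an illustration, not taken from the original thread or from Cisco documentation) showing how the AnyConnect package, the VPN profile XML and the ISE Posture module are referenced on the ASA, consistent with the reply above. The package version, profile name, interface name and group-policy name are placeholders.

```cisco
! Copy the files to flash first (ASDM or CLI); <TFTP-SERVER> and <VERSION> are placeholders
!   copy tftp://<TFTP-SERVER>/anyconnect-win-<VERSION>-webdeploy-k9.pkg disk0:
!   copy tftp://<TFTP-SERVER>/vpn-user-profile.xml disk0:
webvpn
 enable outside
 ! One package per client OS; clients with an older version auto-update from here
 ! before the ISE Posture agent ever talks to ISE
 anyconnect image disk0:/anyconnect-win-<VERSION>-webdeploy-k9.pkg 1
 ! VPN profile XML pushed by the ASA; drop this line if ISE is to be the
 ! single source for the profile, otherwise keep both copies in sync
 anyconnect profiles VPN-USER-PROFILE disk0:/vpn-user-profile.xml
 anyconnect enable
!
group-policy GP-ANYCONNECT-POSTURE attributes
 webvpn
  anyconnect profiles value VPN-USER-PROFILE type user
  ! The ISE Posture module can be installed/updated from the ASA;
  ! the ISE Compliance Module has no ASA-side option and must come from ISE
  anyconnect modules value iseposture
```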

I have a similar setup in my environment. I agree that you must have the AC package on the ASA. As far as the additional modules & profiles, I rely on SCCM and/or ISE client provisioning portal policies (CPP). A few things to note from my experience working with TAC are:
- ISE will push down a vpndownloader.exe to this path: C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Temp\Downloader (per TAC you cannot change this; there is a feature request submitted). The issue I ran into was proper permissions and issues with local AppLocker/McAfee AV.
- Even after fixing the local host issues with other software, I had issues with ISE CPP deploying the upgrade package and then running it locally. As I troubleshot further I stumbled upon this in Event Viewer on the Windows host:
  AnyConnect Downloader cannot perform required updates while the VPN tunnel is established.
  Required updates cannot be performed while the VPN tunnel is established.
  ISE Posture update check error occurred "Automatic software updates are required but cannot be performed while the VPN tunnel is established. Contact your system administrator."
  This is an issue if the user is always remote, so for my case we rely on SCCM to upgrade those individual cases.
- I can tell you that you can rely on ISE CPP to push your profiles, and that works as expected.
- You DO have the ability to upgrade the compliance module using ISE CPP while the VPN session IS established. No issues here.
I hope this helps you with your journey. Good luck!