10-06-2014 04:41 AM - edited 02-21-2020 07:51 PM
Hello,
I see strange behaviour on an ASA5525-X running 9.1.5-12 and AnyConnect running 3.1.05182.
Whenever I edit the connection profile, it only ever updates the local XML file when logging in via the web portal of the ASA.
Nothing happens to the XML file when logging in with the AnyConnect client (twice).
Is that default behaviour or am I missing a setting somewhere?
Kind regards,
Jens
10-06-2014 10:05 AM
As long as you have enabled client services in the connection profile, profile updates on the ASA should be pushed to the client upon next login via AnyConnect.
10-06-2014 11:03 AM
I can't find client services in the profile editor or the xml, so I'm not sure what you mean.
10-06-2014 12:59 PM
Sorry for the confusion - that keyword is only used on an IPsec IKEv2 remote access VPN.
For an SSL VPN, it should be controlled by the presence of the xml file under the webvpn configuration section.
When an AnyConnect client connects, the ASA should be comparing its version of the profile to the one stored locally on the client. If the ASA's is newer, it should automatically update the client.
10-06-2014 11:11 PM
I get that, but why is the local XML only updated when connecting via the web portal?
Shouldn't it be the same when connecting with the AnyConnect app?
10-07-2014 04:34 AM
Yes, it should update when connecting directly using the AnyConnect Secure Mobility client VPN module. I've used several dozen ASA-based SSL VPNs and all the ones with ASA-based profiles worked that way.
10-07-2014 04:36 AM
Which leads me back to my initial question about what could cause this behaviour.
10-07-2014 04:46 AM
It could be a malformed profile or corrupted client. A close look at your setup might help but it might also require examination of a diagnostic dump (DART file from AnyConnect).
I've used the same ASA and AnyConnect versions as you're using and it worked OK.
If you have support I'd suggest opening a TAC case.
10-08-2014 01:20 AM
The profile had been changed in the unsupported fashion where an admin had just downloaded the file and uploaded again after making changes.
The profile now works as expected when only doing changes in ASDM - after recreating the reference.
Thanks again!
10-07-2014 07:47 AM
I don't use the web portal but I have seen something similar with the client when I simply uploaded a new xml to the ASA and replaced the existing file. I figured if I replaced the xml file with a new one with the same name, I should be good, right? Nope. I had to go into the gui, delete the profile entry (keep the xml), and then add a new entry again with the same name and point to the new xml.
01-24-2018 04:10 PM
Thank you, bravotom. That was the fix for me.
conf t
no anyconnect profiles PROFILE-NAME disk0:/PROFILE.xml
anyconnect profiles PROFILE-NAME disk0:/PROFILE.xml