AnyConnect Upgrade Question

Hello - Sorry for the vague question, I'm kinda out of my element here.   I work for our desktop team and manage our SCCM environment.  We are looking to upgrade our AnyConnect client version in the near future.  The team that manages AnyConnect and ISE is a separate team.  They recently went through some turnover and I'm not super confident in the current admins over there.  They are saying that the AnyConnect client can't be updated from the ASA or ISE.  My reading of the admin guide contradicts that.  So knowing that it is possible to do it from ISE or ASA, what is the best way to handle upgrades, SCCM or ASA/ISE?  




You are correct, AnyConnect can be upgraded from ASA or ISE. The quickest and easiest place is uploading to the ASA; the clients would download the upgrade next time they connect to the VPN. Beware: in the AnyConnect profile there is an option to disable downloads of updates (from ASA). This is not enabled by default, however.

Some companies I've worked with do, however, prefer to centrally deploy desktop applications via SCCM. I guess it's down to internal politics which is the best place to upgrade the client.

@RJI is correct - AnyConnect can be upgraded from ASA or ISE in addition to any other software deployment tools you may use.

SCCM etc. are useful for organizations that have a well-established operational model of deploying software that way.

ISE is useful if you have multiple disparate ASA installations all of which use ISE as a backend for Posture assessment, RADIUS server etc. In that case we can deploy a single image and set of profiles (associated xml files) from one place. The AnyConnect images need to match what's on the ASAs though.

ASA is useful in that it is well-understood (by most ASA admins anyway) and a long-established procedure. It happens automatically at next logon without the end user having to be an admin for their PC. I'd say this is by far the most common deployment and upgrade model.


I agree with @RJI & @Marvin Rhoads. This definitely comes down to internal decisions. In my environment we work with several AnyConnect components including VPN, NAM, Posture, & SBL. When we perform upgrades we usually rely on packaging things up and deploying via SCCM. In my experience the only module that can be tricky is NAM due to the way it operates and what it is used for. However, I have found NAM to be tricky upon initial installation & not upgrades.