Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
0
Helpful
2
Replies

asa 8.4 to 9.1 update anyconnect considerations

wayfaring
Level 1
Level 1

‎02-06-2018 07:02 AM - edited ‎03-12-2019 05:00 AM

I'm researching an asa update from 8.4(7)30 to 9.1.7.23.  Some remote users not simple to admin still have older AnyConnect versions 2.4, 2.5, and 3.1.  Disregarding that 2.x support has ended, would these versions continue to work after the update or break?   Would the https/SSLcertificate currently used require any change at the ASA and clients or continue working as it has been?    Would current licensing continue to work without requiring modification?  Primary concern right now is to not break connectivity for vpn users in distant places until they can be updated or migrated to another solution at a later time.   Thanks


Cisco Adaptive Security Appliance Software Version 8.4(7)30
Device Manager Version 7.1(5)


Hardware:   ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB


Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1


Licensed features for this platform:
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 750            perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
This platform has an ASA 5520 VPN Plus license.


sh run webvpn
webvpn
 anyconnect-essentials
 anyconnect enable

Labels:
0 Helpful
2 Replies 2

Bogdan Nita
VIP Alumni
VIP Alumni

‎02-06-2018 07:40 AM

According to the following doc you need minimum AnyConnect 3.1.x on ASA 9.1:

https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asa-vpn-compatibility.html

, so I believe the AnyConnect versions 2.4, 2.5 will not work.

License and certificate should not be a problem, you need new licenses for AnyConnect 4.x features.

Not sure you know, AnyConnect is automatically upgraded first time you connect if you have a newer package on the ASA.

 

HTH

Bogdan

0 Helpful

wayfaring
Level 1
Level 1
In response to Bogdan Nita

‎02-06-2018 07:45 AM - edited ‎02-06-2018 10:26 AM

present problem in this environment with the scenario of anyconnect clients automatically updating from the asa would be any users on the windows clients lacking local admin privileges for the installation to complete which is another subject.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents