
Best Practice Question - Updating AnyConnect while connected

kheldorn
Level 1

We want to update AnyConnect from 4.7.02036 to 4.9.01095 but while testing I ran into a little issue.

 

With the whole Corona/Covid thing going on, a lot of our users are sitting at home with their VPN connections established instead of regularly bringing their devices in, where updating would not be a problem. But when I update the AnyConnect core package (anyconnect-win-4.9.01095-core-vpn-predeploy-k9.msi), the VPN connection gets dropped and AnyConnect does not start up again on its own.

This is a problem because the users are not used to having to start AnyConnect through the Start menu but expect "that round icon" to be present in the system tray - which it is not after the update until you have restarted the system or started AnyConnect again manually.

 

The command I'm using for the update is the following (which will be executed by the SCCM client running on all devices):

msiexec /i anyconnect-win-4.9.01095-core-vpn-predeploy-k9.msi /qn /norestart

 

Updating the SBL module on the other hand proves no problem and can happen even while the VPN connection is established.

 

Anyone got any recommendations on how to handle the update of connected VPN clients?

 

Oh, before I forget. The automatic update through the server when AnyConnect connects is currently not possible for various reasons. (Mainly that I'm not in charge of that part of the setup and the person in charge not being interested in doing anything about it.)

1 Reply

Mike.Cifelli
VIP Alumni

I recently have gone through a similar situation while attempting to rely on the ISE client provisioning portal. This one is tough IMO. From my experience, if you tail the AnyConnect event viewer logs on a remote client, you will see informational logs that essentially state this:

- AnyConnect Downloader cannot perform required updates while the VPN tunnel is established.
- Required updates cannot be performed while the VPN tunnel is established
- Automatic software updates are required but cannot be performed while the VPN tunnel is established. Contact your system administrator.

One thing you could do is possibly advertise it out via Software Center, and provide an SOP for end users on how to run the advertised package to perform the upgrade etc. The tricky part here is that if someone gets hosed, they will more than likely need a local admin account to aid in bailing them out and getting them back online. I would strongly recommend testing further to find what fits your environment best. Lastly, I truthfully think convincing your person in charge to configure/test the automatic update that you mentioned last may be your best bet.

For Cisco WebDeploy documentation see: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/deploy-anyconnect.html#ID-1425-000003d1