04-24-2022 09:54 PM
Hello,
Is there a way to completely disable AnyConnect updates when connecting remotely with the Cisco AnyConnect Secure Mobility Client (VPN)?
I disabled "Auto Update" in the profile, but the problems persist. Are there any missing settings that I need to change? To clarify, we do not use Cisco Umbrella.
I'm hoping that someone with experience or knowledge of how to resolve this can share it with me without requiring any changes on the user's end, as we have a large number of users connected to VPN.
Thanks
04-25-2022 07:27 AM
Setting the XML auto update option to false is the correct procedure.
Do you see this happening with multiple users or just a few of them? Verify that the XML file is present on the user's PC; if it is, check whether the profile contains the auto update = false entry.
There's also a chance that a connection attempt is made to an FQDN/URL which doesn't match the XML profile (which has auto update set to false), and in such instances AnyConnect will inherit the default preferences, which have auto update set to true.
04-25-2022 09:46 AM
Hi @Udupi Krishna. Just a few of them are facing this issue, and we have only one profile.
Basically we have 2 ASAs load balancing, each of them using the same single profile.
04-25-2022 11:05 AM
What are the client AnyConnect versions in use that you are claiming are forced to upgrade upon connection? And what are the supported/enabled AnyConnect webdeploy versions enabled on the ASAs?
04-27-2022 10:25 PM
Version lower than webdeploy version. I've already turned off "Auto Update," but it continues to update.
04-27-2022 11:01 PM
I found this message on the user end...
"Downloading AnyConnect ISE Posture 4.8.02045..."
Any idea? And yes, we have ISE.
04-26-2022 08:16 AM - edited 04-26-2022 08:20 AM
Please try changing the <BypassDownloader> preference to 'true' in the AnyConnectLocalPolicy.xml present under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client. For macOS, it would be present under /opt/cisco/anyconnect.
To change this preference, you could use the VPN Local Policy Editor from the Profile Editor msi present on CCO (tools-anyconnect-win-x.y.zzzz-profileeditor-k9.msi). Changing this preference would disable the downloader completely, and no further updates of modules, profiles, or localisation would take place. After changing, it should appear as below:
<BypassDownloader>true</BypassDownloader>
Once you test on a testing endpoint, this file can be pushed to all the endpoints via an out of bound mechanism such as SCCM or any other central management service.
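A way to confirm the pushed setting on each endpoint, as an added example that is not part of the original posts or any Cisco tooling: it reads the text of an AnyConnectLocalPolicy.xml and reports the state of BypassDownloader. The sample XML, its namespace URI, the hostnames and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a local policy file (trimmed, placeholder namespace).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="urn:example:constructed-namespace">
  <BypassDownloader>true</BypassDownloader>
  <FipsMode>false</FipsMode>
</AnyConnectLocalPolicy>
"""


def local_name(tag):
    """Strip an '{namespace}' prefix so the check works whatever xmlns the file uses."""
    return tag.rsplit("}", 1)[-1]


def bypass_downloader_state(xml_text):
    """Return 'true', 'false', 'missing' or 'invalid' for the BypassDownloader preference."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "invalid"  # truncated or corrupted file after the push
    if local_name(root.tag) != "AnyConnectLocalPolicy":
        return "invalid"  # some other XML file was deployed to this path
    for elem in root.iter():
        if local_name(elem.tag) == "BypassDownloader":
            value = (elem.text or "").strip().lower()
            return value if value in ("true", "false") else "invalid"
    return "missing"


def audit(policies):
    """Take {hostname: policy XML text}; return (report, hosts where the bypass is not set)."""
    report = {host: bypass_downloader_state(xml) for host, xml in policies.items()}
    not_bypassed = sorted(host for host, state in report.items() if state != "true")
    return report, not_bypassed


if __name__ == "__main__":
    # Constructed inventory: one good file, one with the old value, one damaged in transit.
    fleet = {
        "pc-001": SAMPLE_POLICY,
        "pc-002": SAMPLE_POLICY.replace(">true<", ">false<"),
        "pc-003": SAMPLE_POLICY[:80],
    }
    report, not_bypassed = audit(fleet)
    for host, state in sorted(report.items()):
        print(f"{host}: BypassDownloader={state}")
    print("needs follow-up:", ", ".join(not_bypassed))
```

Since a policy with the bypass set stops module, profile and localisation updates as well, the same report doubles as the list of endpoints that must be patched through the central management tool from then on.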
04-27-2022 10:55 PM
@Saurabh Dhakate Can it be pushed from the ASA? Or updated from the ASA?
04-28-2022 04:20 AM
I assume the testing on test endpoint was helpful. No, it cannot be pushed through ASA. It has to have some out of bound mechanism for that file push operation in mass scale.
04-28-2022 04:58 AM
Version lower than webdeploy version. I've already turned off "Auto Update," but it continues to update.
Add the version of the user clients you are wishing to not upgrade as a supported version and as entry 1. Then the users will not be forced to upgrade. Example:
anyconnect image disk0:/anyconnect-win-4.8.xxx-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.10.xxxx-webdeploy-k9.pkg 2
This would allow 4.8 clients to connect without being upgraded, but allow you to phase the rollout of 4.10 to clients and still support that version. Not really sure why you wouldn't want to upgrade, but this would do the trick. HTH!
05-09-2022 07:00 PM
@Mike.Cifelli Great trick! I will try this method. Thanks Mike!
05-02-2022 12:21 AM
I guess you are not seeing an image update; you are seeing an additional module download.
"Downloading ISE posture" is caused by this group-policy setting:
group-policy GP-test attributes
 ...
 webvpn
  anyconnect modules value iseposture
05-09-2022 07:01 PM
@Peter Koltl I will double check this setting. Thanks Peter!