Force AnyConnect Profile update

dennylester
Level 1
Level 1

A year ago I setup an ASA5515x to act as our VPN concentrator with 2 factor authentication using Device Certificates and User Credentials.

 

This worked well for the year until the certificate for the ASA expired. I issued a new certificate from our MS CA infrastructure but the AnyConnect clients wouldn't connect. It would immediately throw an invalid certificate error. I called and worked with TAC and they determined one of my VPN profiles was configured to attempt IPsec first. They changed this setting on the ASA and had me delete the stored AnyConnect profiles from the client. This solved the issue and new profiles were created.

They couldn't tell me why it ran perfectly fine for a year with that setting, but at least they got to the bottom of it. When I compared the difference between the two profiles I found the broken one had an entry of <PrimaryProtocol>IPSec</PrimaryProtocol>.

When I asked how I go about addressing my 100+ clients that are on the road, he told me they would need to delete those profiles. The problem is, our users are not administrators over their workstations so they don't have the permission to delete the profiles from "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile" and since AnyConnect immediately refuses the connection, they're not able to connect to pull down the new profile.

 

Is there a way to force a profile update?

 

Denny
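One way for an administrator to find which stored profiles carry the problematic setting before pushing replacements, as an added example that is not from the thread or from Cisco: a small Python audit that parses AnyConnect profile XML and reports every ServerList/HostEntry whose PrimaryProtocol is not SSL (an entry with no PrimaryProtocol element is treated as SSL, the client default). The sample profile, the vpn.example.com host names and the audit_profile_dir helper are constructed for this example; the profile directory is the one quoted in the question.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Default location quoted in the question; profiles are *.xml files there.
PROFILE_DIR = r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({uri}Name -> Name) so the parser works
    whether or not the profile declares the usual default namespace."""
    return tag.rsplit("}", 1)[-1]


def host_entry_protocols(profile_xml: str) -> list[tuple[str, str]]:
    """Return (HostAddress, PrimaryProtocol) for each HostEntry in a profile."""
    root = ET.fromstring(profile_xml)
    results = []
    for entry in root.iter():
        if _local(entry.tag) != "HostEntry":
            continue
        addr, proto = "", "SSL"  # no <PrimaryProtocol> means the SSL default
        for child in entry:
            if _local(child.tag) == "HostAddress":
                addr = (child.text or "").strip()
            elif _local(child.tag) == "PrimaryProtocol":
                proto = (child.text or "SSL").strip()
        results.append((addr, proto))
    return results


def non_ssl_entries(profile_xml: str) -> list[tuple[str, str]]:
    """Entries that would try IPsec (or anything else) before SSL; the thread's
    broken profile wrote the value as 'IPSec', so compare case-insensitively."""
    return [(a, p) for a, p in host_entry_protocols(profile_xml) if p.lower() != "ssl"]


def audit_profile_dir(profile_dir: str = PROFILE_DIR) -> dict[str, list[tuple[str, str]]]:
    """Map each profile file name to its non-SSL host entries (empty dict = all clean)."""
    findings = {}
    for path in Path(profile_dir).glob("*.xml"):
        hits = non_ssl_entries(path.read_text(encoding="utf-8"))
        if hits:
            findings[path.name] = hits
    return findings


# Constructed sample: one entry like the broken profile, one relying on the default.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>HQ</HostName><HostAddress>vpn.example.com</HostAddress>
      <PrimaryProtocol>IPSec</PrimaryProtocol></HostEntry>
    <HostEntry><HostName>DR</HostName><HostAddress>vpn2.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""
```

Run audit_profile_dir() on a client (or on a copy of the profile directory collected through your endpoint management tool) to list the profiles that still need replacing once the client is back on the corporate network.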

Marvin Rhoads
Hall of Fame
Hall of Fame

I agree with Dinesh and Karthik that you can't push a profile via the ASA without being able to connect. The only option is manual update or some sort of push (via AD GPO, SCCM or such) once the clients are connected directly on the corporate network.

Have you considered just creating and enabling an IPsec profile? Then the clients with that profile could connect without issue.


nkarthikeyan
Level 7
Level 7

Hi,

 

I do not think so, if you have some option to push the profiles, because your clients will not be able to connect with the VPN itself... I guess they have to do it manually...

 

Regards

Karthik

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi Denny,

 

Perhaps you can push the profile from your AD to all the users using GPO, the way you push company-owned software and updates on the users' systems.
Another way, not scalable, is to ask the clients to change the Primary protocol to SSL manually under the client profile.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello,

 

Thank you for replying. As mentioned, these laptops are primarily on the road, so they won't be able to pick up a GPO policy until they connect.

 

Is there a way to toggle to SSL from within the client? Editing the profile by hand requires admin rights to be able to modify the file.

 

Thank you,

 

Denny

No - you can't modify the transport protocol from the client directly. That is exclusively configured in the profile - which needs to either come from the ASA or be deployed / created manually.


Hi Marvin,

 

Thank you for responding. You may be on to something with enabling IPsec.

Rather than creating a new profile can I enable it on the existing profile but still leave SSL as the primary protocol under the server list entry in the Client Profile Editor? I have several connection profiles matching various items in their certificate to determine which group policy is applied.

 

I'm concerned that if I have two profiles matching the same criteria it might cause some issues.


When I get into the office tomorrow I'll give it a whirl.

 

Denny

Hi Marvin,

 

You were spot on with your suggestion. I already had IPsec configured but it suddenly stopped working with the new certificate. I discovered I needed to associate ikev2 to the new Trustpoint.

 

I couldn't find where to do it in ASDM, so command line to the rescue.

 

Thank you,

 

Denny

Excellent. I'm glad it worked for you.

Thanks for the rating.
