IKEv2 vs DTSL1.2

KGrev
Level 4

Hi,

We are testing upgrading from a very old version of Cisco AnyConnect (4.6) to a newer 4.10 version due to DH group limitations.

When testing the newer version, the client no longer connects as an IKEv2 IPsec connection and looks to be "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel".

Is there a knowledgeable person that can explain to me if this is a good expected result and if this is the path forward for the AnyConnect client? Sorry, I'm still learning.


@KGrev You have to explicitly configure IPsec in the XML profile; if you do not, AnyConnect will connect using DTLS/TLS. So I assume you don't have a profile configured to use IPsec.

Download and install the AnyConnect Profile Editor and use the VPN Profile Editor to create the XML configuration profile and configure IPSec under the Server List. Save the profile to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

If you are upgrading to AnyConnect 4.10 from 4.6 you will be able to use DTLS1.2 (assuming your ASA version supports it), this is comparable performance to IPSec and much better performance than DTLS 1.0.
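As an added illustration of the profile requirement described above (this is not code from the thread or from Cisco), the following Python reads an AnyConnect client profile and reports which ServerList hosts carry PrimaryProtocol IPsec and which will fall back to SSL/DTLS. The sample profile is constructed with placeholder host names; the root element and namespace follow the AnyConnect profile format, and a HostEntry without PrimaryProtocol is treated as SSL.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (placeholder host names). A real profile is saved under
# C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile as described above.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn-ipsec.example.com</HostName>
      <HostAddress>vpn-ipsec.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-ssl.example.com</HostName>
      <HostAddress>vpn-ssl.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def server_protocols(profile_xml):
    """Map each ServerList HostName to its PrimaryProtocol. A HostEntry without
    <PrimaryProtocol> means the client uses SSL (TLS/DTLS), as in the thread."""
    result = {}
    for elem in ET.fromstring(profile_xml).iter():
        if _local(elem.tag) != "HostEntry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        result[fields.get("HostName", "?")] = fields.get("PrimaryProtocol", "SSL")
    return result

def hosts_not_using_ipsec(profile_xml):
    """Hosts that will come up as SSL-Tunnel/DTLS-Tunnel rather than IKEv2/IPsec."""
    return sorted(h for h, p in server_protocols(profile_xml).items() if p.lower() != "ipsec")

if __name__ == "__main__":
    for host, proto in server_protocols(SAMPLE_PROFILE).items():
        print(f"{host}: {proto}")
    print("Falls back to SSL/DTLS:", hosts_not_using_ipsec(SAMPLE_PROFILE))
```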


@Rob Ingram Thanks for the support. I assumed the profile wasn't the issue since I copied it from a 4.6 device, but I will double check it. In your opinion, are there any drawbacks from using DTLS 1.2 compared to IPsec?

@KGrev none, comparable performance and security. Some organisations use IPSec for compliance reasons.

If you wish to use DTLS/TLS, then tweak the ciphers to support the latest and most secure - example.

@Rob Ingram When I look at the profile on the client it appears to be set for IPsec.

@KGrev Is all you've done upgrade AnyConnect?

I assume the ASA configuration is unchanged, and IKEv2 is enabled under the group-policy attached to the tunnel-group?

@Rob Ingram Yes sir, the only changes were on the laptop.

Other laptops are still connecting to the current setup as IKEv2.

It appears that for some reason the client is being assigned to the incorrect group-policy on the ASA. When they connect, check the output of "show vpn-sessiondb detailed anyconnect filter name <username>". Compare the assigned tunnel-group (connection profile) and group-policy with a working user.

@Marvin Rhoads @MHM Cisco World Thanks for your response. Here is the output showing two different tunnels on two laptops under my username.

FW1-EXT/pri/act# show vpn-sessiondb detail anyconnect filter name

Session Type: AnyConnect Detailed

Username : kenny.########### Index : 71768
Assigned IP : A.B.242.45 Public IP : A.B.131.137
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Bytes Tx : 54314263 Bytes Rx : 61112796
Pkts Tx : 101579 Pkts Rx : 116034
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR
Login Time : 14:23:06 UTC Mon Mar 6 2023
Duration : 1h:41m:01s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a02158a118580006405f74a
Security Grp : none


Username : kenny.@@@@@@@@@@@ Index : 71819
Assigned IP : A.B.242.46 Public IP : A.B.153.124
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
License : AnyConnect Essentials
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256 AnyConnect-Parent: (1)none
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Bytes Tx : 99977 Bytes Rx : 48387
Pkts Tx : 225 Pkts Rx : 291
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR
Login Time : 16:07:04 UTC Mon Mar 6 2023
Duration : 0h:00m:42s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a02158a1188b00064060fa8
Security Grp : none
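
As an added example (not code from the thread or from Cisco), the following Python parses the "show vpn-sessiondb detailed anyconnect" layout shown above, pulls out protocol, group-policy, tunnel-group and negotiated hash per session, flags SHA1/MD5 integrity, and applies the comparison suggested earlier in the thread: identical group-policy and tunnel-group with different protocols points at the client profile rather than the ASA. The sample output is a constructed, abridged copy of the layout with placeholder user names.

```python
import re

# Constructed excerpt in the layout of `show vpn-sessiondb detailed anyconnect`
# from the thread; user names are placeholders.
SAMPLE_OUTPUT = """Session Type: AnyConnect Detailed

Username : user.a Index : 71768
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA256
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR

Username : user.b Index : 71819
Protocol : IKEv2 IPsecOverNatT AnyConnect-Parent
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA1 AnyConnect-Parent: (1)none
Group Policy : ABCSRGroupPolicy1 Tunnel Group : ABCSR
"""

# A line carries one or two "Key : value" pairs; the lookahead ends a value
# at the next capitalised key such as "Index :" or "Tunnel Group :".
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?) : (.*?)(?= [A-Z][A-Za-z ]* :|$)")
HASH_RE = re.compile(r"(\S+): \(\d+\)(\S+)")   # "IKEv2: (1)SHA256" -> (IKEv2, SHA256)
WEAK_HASHES = {"MD5", "SHA1"}

def parse_sessions(text):
    """Return one dict per session, keyed by the field names in the output."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("Username :"):
            cur = {}
            sessions.append(cur)
        if cur is None or " : " not in line:
            continue
        for key, val in PAIR_RE.findall(line):
            cur[key.strip()] = val.strip()
    return sessions

def uses_ipsec(session):
    return "IKEv2" in session.get("Protocol", "")

def weak_hashes(session):
    """Tunnels whose negotiated integrity algorithm is MD5 or SHA1."""
    return [t for t, a in HASH_RE.findall(session.get("Hashing", "")) if a.upper() in WEAK_HASHES]

def diagnose(sessions):
    """Same group-policy and tunnel-group with mixed protocols points at the
    client profile; differing assignments point at the ASA side."""
    if len({(s.get("Group Policy"), s.get("Tunnel Group")) for s in sessions}) > 1:
        return "asa-assignment"
    return "client-profile" if len({uses_ipsec(s) for s in sessions}) > 1 else "consistent"
```

Running diagnose(parse_sessions(SAMPLE_OUTPUT)) on the constructed output returns "client-profile", which matches where this thread ends up looking.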

You see the public IP has changed, so even with the same username/password the session is different.

@MHM Cisco World Yes, I stated it was different sessions to compare results.

@KGrev so what's the difference in the client configuration on those 2 laptops?

The tunnel-group/group-policy is obviously allowing IKEv2 and ssl-client connections, so is one laptop configured with an XML profile to explicitly use IKEv2/IPsec and the other laptop not configured with a profile, hence the DTLS tunnel?

@Rob Ingram I think I see the issue. I placed my previous profile in the same place as the other laptops, but there is a "MgmtTun" folder one step deeper that has the new "anyconnectProfile.xsd" file. It's probably because I haven't edited that file.

@KGrev unlikely, you shouldn't have to modify the Mgmt Tunnel for a user VPN.

@Rob Ingram You're right, it even connected fine when I moved the file out of the folder. It feels like I don't have the correct profile in the right place, or it's just not using it for some reason.