06-01-2017 07:21 AM
Hi team,
I have a large NAM customer that I'm working with who has continually run into issues with the NAM client due to the changes that Microsoft makes regularly to how the networking drivers interact with the AnyConnect NAM client.
The biggest issue they run into is that older versions of NAM are rolled back to, or that they can't upgrade devices in place as Microsoft moves to a deployment services model with a new service patch every month or so. When this occurs, they almost always hit a blue screen or bug with NAM. Right now they would just be happy with a workaround of a clean uninstall script for NAM and all AnyConnect components, which does not exist - registry information continues to exist for AnyConnect which impacts the install and rolls back the version, causing a continual issue unless manual intervention is used. Is something like this being developed or does it currently exist? Is there any way to completely remove all NAM and AnyConnect components to ensure that a clean install will fix issues after upgrade?
Are we working with Microsoft to better align with their upgrade models so that we don't have compatibility issues in the first place, so I can better assure the customer of our commitment to their success?
06-05-2017 08:07 PM
Hello Patrick,
Is there a TAC case on this, open or closed? Are you saying when they encounter an issue after a Microsoft update they are uninstalling (or attempting to) NAM in order to load an older version of NAM?
Adding Steve also since I found a case escalated with a similar problem description.
@stsargen
@pcarco
I found this workaround, which is probably what your customer is doing?
"The fix that works for most is to uninstall the rest, delete the Cisco folders in Program Files (x86) and ProgramData, then use ccleaner to clean the registry removing leftover Cisco entries. This has allowed the new version to install"
I am almost certain there is no work going on with Microsoft specific to NAM and their upgrade models but have added Pete.
@psd
@stsargen
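As an added example (not part of the thread, and not a Cisco tool): a read-only PowerShell audit that reports the leftovers the workaround quoted above targets, namely AnyConnect folders under the Cisco directories in Program Files (x86) and ProgramData plus any remaining Windows uninstall registry entries. The function name and the `*AnyConnect*` name pattern are assumptions of this example; nothing is deleted.

```powershell
# Read-only audit: lists AnyConnect remnants, deletes nothing.
# The '*AnyConnect*' name pattern is an assumption of this example.
function Get-AnyConnectLeftover {
    [CmdletBinding()]
    param([string]$Pattern = '*AnyConnect*')

    # Folders the workaround names: "Cisco" under Program Files (x86) and ProgramData.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramData) |
        Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Cisco' }

    foreach ($root in $roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Directory -Filter $Pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Kind = 'Folder'; Name = $_.Name; Location = $_.FullName }
                }
        }
    }

    # Installed-program uninstall entries, 64-bit and 32-bit registry views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        if (Test-Path -LiteralPath $key) {
            Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue | ForEach-Object {
                $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
                if ($props.DisplayName -like $Pattern) {
                    [pscustomobject]@{
                        Kind     = 'UninstallEntry'
                        Name     = "$($props.DisplayName) $($props.DisplayVersion)"
                        Location = $_.Name
                    }
                }
            }
        }
    }
}

# Run before and after an uninstall to compare what remains.
Get-AnyConnectLeftover | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```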
06-06-2017 05:25 AM
Hi Paul,
Yes there is a TAC case which resulted in opening a support case with Microsoft Premier to see what has changed and how NAM interacts with their supplicant as a result.
SR is 682419950
V/R,
Patrick Lloyd
Security Solutions Architect
CCIE R&S #39750, CISSP
Cisco Security Solutions
.:|:..:|:. Cisco Systems
732-516-5611
06-06-2017 08:12 AM
Hi Patrick,
The VPN disconnects when connecting on WiFi is a known issue which appears to be another Microsoft upgrade issue. We currently have a Premier case open with them to investigate and they have reproduced the issue. We have a defect filed for referencing with customers (CSCvd73562).
The original issue upgrading from 1511 to 1607 was fixed as long as you install the April 11th Windows 10 patch while doing the upgrade. We also have another issue where Microsoft requires you to uninstall NAM when upgrading to 1703. Microsoft mistakenly put a block on Win 10 to Win 10 + upgrades when NAM is installed. The block should only exist when upgrading from Win 7 or 8(.1). Microsoft is correcting this in a June release.
Thanks,
Steve S.
06-07-2017 10:16 AM
Thanks Steven,
It seems like the biggest customer hardship that customers are running into is that the AnyConnect uninstaller doesn't remove it completely, it leaves evidence which is reused when a new installation is done, and this causes issues with the new Windows version all over again. Are there any plans on changing this behavior to completely remove all files associated to the installation so that this is less of an issue and preventing the customer from having to install another application to clean up what is seen as a "Cisco mess"?
06-07-2017 10:31 AM
Hi Patrick,
Some files are left behind with uninstalls of AnyConnect, VPN, NAM, WebSec etc. This is in case the upgrade is being done. This includes things like config, preferences etc. I think what you are referring to is driver related files. In this case most of this is up to the Windows OS to remove. On uninstall we make a call to setupAPI to uninstall our driver. Microsoft handles this behind the scenes and returns a success or failure to NAM uninstall. All of the cases we have seen with Windows 10 so far related to this are Microsoft bugs. I don't think we have any plans to change our behavior, unless we have a bug. We also don't have any cleanup utility since a lot of the registry keys Microsoft creates are dynamic and we would not know exactly what to remove.
Thanks,
Steve S.
06-07-2017 11:28 AM
Steven,
Can you confirm the version of AnyConnect or NAM which fixed this issue in April? Is that 4.4 MR3 or is it specific to a NAM version which is bundled with one of the AnyConnect packages?
06-07-2017 11:46 AM
Hi Patrick,
The April 11th build was referring to a Microsoft patch release (KB4015217). So far all of the upgrade issues we have found with Windows 10 have resulted in Microsoft defects and NOT issues with AnyConnect.
08-02-2018 07:57 AM
Hi, could anyone please advise whether it's possible to upgrade from Windows 1607 to 1709 without first uninstalling NAM? If yes, is a specific NAM version or patch required? Right now we have a task sequence to reinstall NAM post Windows upgrade which intermittently fails which then puts our PCs out of ISE (NAC) compliance. Not having to uninstall / reinstall NAM would eliminate this issue. Thank you.
08-07-2018 01:59 PM - edited 08-07-2018 01:59 PM
I would suggest testing any feature upgrade of Windows. We have had problems with each upgrade Microsoft releases. This is a very difficult situation at this point because no one seems to be resolving the issue. We have even had to completely re-image some machines because of this. There doesn't appear to be any consistency to the failures either.
Right now I am working on a machine that we upgraded to 1803. After upgrading to 1803, we uninstalled the existing AnyConnect, deleted all folders, then ran ccleaner to remove all registry entries associated with AnyConnect, then rebooted. After the reboot, we ran an install script to install 4.6.01098 NAM, VPN, and Umbrella. The install completed, then we rebooted. The machine is failing to authenticate using the wired connection. The wireless connection works as expected (Machine Auth). After checking ISE to see why the wired connection wasn't working, I discovered ISE never saw an authentication attempt. After logging into the switch and enabling authentication debugs, the switch isn't seeing any authentication packets from the supplicant. AnyConnect has just decided to not work with the wired connection. Works perfect with wireless.
These issues are really starting to drive a wedge into our attempt to implement end to end Cisco solutions.
06-06-2019 08:17 PM
When in June will this patch be available?