
Setting up AnyConnect SSL VPN on Firepower Using Image

InquiringTech
Level 1

Hi,

We're setting up an AnyConnect VPN on our Firepower 1140. When setting it up on either the ASDM or the CLI, it requires a client image. What is this asking for exactly? All the examples I see are older, with things like anyconnect-win-2.3.0254-k9.pkg. Is this the same as the client the end user would use or is it some special image that is used only on the firewall?

However, if I go to software.cisco.com and find the AnyConnect downloads section, it's just a bunch of files of different types, like 'predeploy' or 'webdeploy'. Is this a newer thing, where it is either one or the other? So if we wanted to do predeploy we'd have to upload the .pkg for that? I also have problems downloading because it's asking for entitlement, but that is a different question, and it's probable my company HQ has the access I need.

Anyway, I have an 'anyconnect-win-4.2.01022-k9.pkg' image loaded on the ASA currently. But the users all have a later version of the client software on their laptops, since they install it using the file 'anyconnect-Windows-4.7.00136-core-vpn-predeploy-k9.msi' (they currently connect to a node in Asia but that is slow, so I'm trying to set up one here at the office in the US). Would this mismatch cause problems, or is that okay?

Thanks.


@InquiringTech for the remote access VPN to work you need the headend deployment package file (the .pkg file) uploaded to the ASA. As long as you have a version uploaded and defined, it won't matter that the users connect with a newer image version; you just need to ensure you have the package uploaded, otherwise VPN users will be unable to connect.

Gotcha, thanks. But from what I'm seeing, the headend only seems to be for the web deploy ones. Which is if the user tries to connect, it then deploys the software to the client. Can only this 'web deploy' one be actually used on the ASA?

@InquiringTech only the webdeploy/headend packages can be uploaded to the ASA, one for each OS - Windows, Mac and Linux. The pre-deploy packages are for when you manually install the software on the computers; they deploy the same software as the headend/webdeploy package.