Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
152
Views
0
Helpful
1
Replies

AnyConnect downloads ISE compliance module upon every connect

tvotna
Spotlight
Spotlight

‎03-28-2024 04:03 AM

Hi. After AnyConnect upgrade from 4.10MR2 to 4.10MR7 (pre-deploy) it downloads ISE compliance module 4.3.2403.6145 from ISE upon every connect and tries to install it, although 4.3.2403.6145 module already installed.

I know there is a workaround to configure deferred updates on the ISE, but I want to understand if this behavior is a bug and, if not, why this is implemented in such a stupid way. I.e. why AnyConnect downloader cannot compare versions automatically and skip the update if the same version is already installed? Can ISE compliance module upgrade on ISE help in this situation?

Thanks.

 

0 Helpful
1 Reply 1

Pulkit Mittal
Level 1
Level 1

‎03-28-2024 04:11 AM

  1. Understanding the Behavior:

    • When AnyConnect connects to ISE, it checks for the compliance module version.
    • If the compliance module version on the client does not match the one configured on ISE, AnyConnect initiates a download and installation process.

  2. Possible Causes:

    • Version Mismatch: There might be a discrepancy between the compliance module version on the client and the one expected by ISE.
    • Configuration Issue: Incorrect configuration settings in ISE or AnyConnect could trigger repeated downloads.

  3. Workaround:

    • You mentioned the workaround of configuring deferred updates on ISE. This is a valid approach to prevent unnecessary downloads.
    • Deferred updates allow you to control when the client installs updates, reducing the impact on end-users.

  4. Is It a Bug?:

    • While this behavior might seem like a bug, it’s essential to verify the following:
      • ISE Configuration: Double-check your ISE configuration to ensure it specifies the correct compliance module version.
      • AnyConnect Profiles: Review your AnyConnect profiles to confirm they align with ISE requirements.
      • Logging and Debugging: Enable detailed logging and debugging on both ISE and AnyConnect to identify any anomalies.

  5. Next Steps:

    • Logs: Analyze logs from both sides (ISE and AnyConnect) to pinpoint any errors or unexpected behavior.
    • Cisco Support: If the issue persists, consider reaching out to Cisco support. They can provide insights and help determine if this behavior is indeed a bug.

If you find this useful, please mark it helpful and accept the solution.

0 Helpful
Customers Also Viewed These Support Documents