Cisco Defense Orchestrator

Manage AnyConnect Software Packages on ASA Devices

Download the AnyConnect client software packages to your computer and upload them to a remote server accessible from ASAs. Later, use the RA VPN wizard or ASA File Management wizard to upload the AnyConnect software packages from that server to ASAs. 

You can upload one AnyConnect package per Operating System (OS): Windows, Mac, and Linux. You cannot upload multiple versions for a given OS type. The ASA RA VPN wizard supports uploading packages using HTTP, HTTPS, TFTP, FTP, SMB, or SCP protocols.

The syntax of supported protocols for uploading the file:

| Protocol | Syntax | Example |
|---|---|---|
| HTTP | http://[[path/]filename] | http://www.geonames.org/data-sources.html |
| HTTPS | https://[[path/]filename] | https://docs.aws.amazon.com/amazov/tagging.html |
| TFTP | tftp://[[path/]filename] | tftp://10.10.16.6/ftd/components.html |
| FTP | ftp://[[user[:password]@]server[:port]/[path/]filename | ftp://'dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu'@ftp.dlptest.com/image0-000.jpg |
| SMB | smb://[[path/]filename] | smb://10.10.32.145//sambashare/hello.txt |
| SCP | scp://[[user[:password]@]server[/path]/filename | scp://root:cisco123@10.10.16.6//root/events_send.py |

Download AnyConnect Client Software Packages

Make sure that you download the "AnyConnect Headend Deployment Package" for your desired operating systems. Always download the latest AnyConnect version to ensure that you have the latest features, bug fixes, and security patches. Regularly update the packages on the device.

Important: If you choose to upload the packages using the ASA File Management wizard, do not modify the package names after downloading them.

Note: You can upload one AnyConnect package per Operating System (OS): Windows, Mac, and Linux. You cannot upload multiple versions for a given OS type.

  1. Download the AnyConnect packages from https://software.cisco.com/download/home/283000185
    • Make sure you accept the EULA and have K9 (encrypted image) privileges.
    • Select the "AnyConnect Headend Deployment Package" package for your operating system. The package name will be similar to "anyconnect-win-4.7.04056-webdeploy-k9.pkg." There are separate headend packages for Windows, macOS, and Linux.
  2. Upload the AnyConnect packages to a remote server. Ensure that there is a network route between the ASA device and the server.

    The ASA RA VPN wizard supports uploading packages using HTTP, HTTPS, TFTP, FTP, SMB, or SCP protocols.

    Important: If you are uploading the AnyConnect package to an HTTPS server, ensure that the following steps are performed:

    • Upload the trusted CA certificate of that server on the ASA device.
    • Install the trusted CA certificate on the HTTPS server.
  3. The remote server's URL must be a direct link without prompting for authentication. If the URL is pre-authenticated, you can download the file by specifying the RA VPN wizard's URL.
  4. If the remote server IP address is NATed, you have to provide the NATed public IP address of the remote server location.

Upload new AnyConnect Packages to ASAs

You can either use the RA VPN wizard or ASA File Management wizard to upload the AnyConnect software packages to ASAs. 

Upload AnyConnect Packages using RA VPN Wizard

Use the following procedure to upload new AnyConnect packages to an ASA device from a server:

  1. In the AnyConnect Package Detected, you can upload separate packages for Windows, Mac, and Linux endpoints.
  2. In the corresponding platform field, specify the server paths where the AnyConnect packages compatible with Windows, Mac, and Linux are pre-uploaded.
    Examples of server paths: 'http://<ip_address>:port_number/<folder_name>/anyconnect-win-4.8.01090-webdeploy-k9.pkg',
    'https://<ip_address>:port_number/<folder_name>/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg'.
  3. Click the upload icon to upload the package. CDO validates that the path is reachable and that the specified filename is a valid package.
    When the validation is successful, the names of the AnyConnect packages appear.
    As you add more ASA devices to the RA VPN configuration, you can upload the AnyConnect packages to them. 
  4. Click OK. The AnyConnect packages are added to the RA VPN configuration.
  5. Continue to Create an RA VPN Configuration from step 5 onwards.
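
A pre-flight check for the server paths entered in the wizard, as an added example that is not part of the Cisco documentation or CDO's own validation: it checks each URL against the protocols listed above, the headend package naming and the one-package-per-OS limit, and flags cleartext transfers and embedded credentials. The file-name pattern, the platform tokens and the sample paths are assumptions inferred from the examples on this page.

```python
import re
from urllib.parse import urlsplit

# Protocols the page lists for the ASA RA VPN wizard.
SUPPORTED = {"http", "https", "tftp", "ftp", "smb", "scp"}
# Assumptions: HTTPS/SCP count as encrypted; name pattern and platform tokens are inferred from the page's examples.
ENCRYPTED = {"https", "scp"}
PKG_RE = re.compile(r"^anyconnect-([a-z0-9]+)-(\d+(?:\.\d+)+)-webdeploy-k9\.pkg$")
OS_PREFIX = (("win", "Windows"), ("mac", "Mac"), ("linux", "Linux"))

def check_package_url(url):
    """Return (os_name, version, findings) for one server path."""
    parts, findings = urlsplit(url), []
    if parts.scheme not in SUPPORTED:
        findings.append(f"unsupported protocol: {parts.scheme or 'none'}")
    elif parts.scheme not in ENCRYPTED:
        findings.append(f"{parts.scheme} transfers the package without encryption")
    if parts.username or parts.password:
        findings.append("credentials embedded in the URL")
    m = PKG_RE.match(parts.path.rsplit("/", 1)[-1])
    token, version = m.groups() if m else ("", None)
    os_name = next((o for p, o in OS_PREFIX if token.startswith(p)), None)
    if not os_name:
        findings.append("file name is not an unmodified headend package name")
    return os_name, version, findings

def check_upload_set(urls):
    """Check every path and enforce the one-package-per-OS limit."""
    report, seen = {}, {}
    for url in urls:
        os_name, version, findings = check_package_url(url)
        if os_name in seen:
            findings.append(f"second {os_name} package; {seen[os_name]} is already listed")
        elif os_name:
            seen[os_name] = version
        report[url] = findings
    return report

# Constructed sample paths (192.0.2.0/24 is a documentation address range).
SAMPLE = [
    "https://192.0.2.10:8443/vpn/anyconnect-win-4.8.01090-webdeploy-k9.pkg",
    "http://192.0.2.10:8080/vpn/anyconnect-linux64-4.7.03052-webdeploy-k9.pkg",
    "ftp://deploy:example-pass@192.0.2.10/vpn/anyconnect-win-4.7.04056-webdeploy-k9.pkg",
    "https://192.0.2.10/vpn/anyconnect-win-renamed.pkg",
]

if __name__ == "__main__":
    for url, findings in check_upload_set(SAMPLE).items():
        print(url, "->", findings or "ok")
```

An empty findings list means the path passed every check; it does not confirm that the ASA can reach the server or trusts its certificate.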

To complete a VPN connection, your users must install the AnyConnect client software on their workstation. For more information, see How Users Can Install the AnyConnect Client Software on ASA.

Upload AnyConnect Packages using File Management Wizard

Use the File Management wizard to upload AnyConnect packages to a single or multiple ASA devices from an HTTP, HTTPS, TFTP, FTP, SMB, or SCP server. When you want to push AnyConnect packages to multiple ASA devices simultaneously, the bulk upload comes in handy. For more information, see ASA File Management.

Important: If you choose to upload the packages using the ASA File Management wizard, do not modify the package names after downloading them.

Once the upload is complete, open the ASA RA VPN Configuration wizard and notice that the packages are auto-detected. If you upload multiple packages for an OS version, the wizard lists them in a drop-down allowing you to select one among them. Then, you can create the RA VPN configuration and deploy them to the devices. 

Replace an Existing AnyConnect Package

If the AnyConnect packages are already present on the devices, you can see them in the RA VPN wizard. You can see all the available AnyConnect packages for an operating system in a drop-down list. You can select an existing package from the list and replace it with a new one but can't add a new package to the list.

Note: If you want to replace an existing package with a new one, ensure that the new AnyConnect package is uploaded already to a server on the network that the ASA can reach.

  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN.
  2. Select the RA VPN configuration to be modified, and under Actions, click Edit.
  3. In AnyConnect Packages Detected, click the edit icon appearing beside the existing AnyConnect package. If there are multiple versions of the AnyConnect package for an operating system, select the package you want to replace from the list and click Edit.
    The existing package disappears from the corresponding field.
  4. Specify the server's path where the new AnyConnect package is preloaded and click the upload icon to upload the package.
  5. Click OK. The new AnyConnect package is added to the RA VPN configuration.
  6. Continue to Create an RA VPN Configuration from step 6 onwards.

Delete the AnyConnect Package

  1. In the CDO navigation bar at the left, click VPN > Remote Access VPN.
  2. Select the RA VPN configuration to be modified, and under Actions, click Edit.
  3. In AnyConnect Packages Detected, click the delete icon appearing beside the AnyConnect package that you want to delete. If there are multiple versions of the AnyConnect package for an operating system, select the package you want to delete from the list.
    The existing package disappears from the corresponding field.
    Note: Click Cancel to stop the delete operation and retain the existing package.
  4. Click OK. The device's Configuration Status is in 'Not Synced' state. 
    Note: If you want to undo the delete action at this stage, go to Device & Services page and click Discard Changes to retain the existing AnyConnect package. 
  5. Review and deploy configuration changes to the devices.