Skip to main content



Cisco Defense Orchestrator

Upgrade AnyConnect Package on an FTD Version 6.4.0

You can use CDO to upgrade the AnyConnect package available on a Firepower Threat Defense (FTD) device so that it can be distributed to RA VPN users.

The following are the major steps that are involved in upgrading the AnyConnect package:

  1. Use Firepower Device Manager (FDM) to remove the AnyConnect package and upload a later version of the package.
    Use one of these methods to accomplish this task.
    • Remove the old package and upload the new package from the FDM UI.
    • Remove the old package and upload the new package from the FDM API explorer.
  2. Deploy FDM changes to FTD.
  3. Read the new configuration information into CDO.
  4. Verify the new package in the RA VPN connection profile.


  • A minimum of one RA VPN configuration with connection profile is already deployed to FTD.
  • Download the AnyConnect package that you want from Cisco recommends upgrading to the latest available package.

Upload your desired AnyConnect Package to FTD using FDM

  1. Using a browser, open the home page of the system. For example,

  2. Log into Firepower Device Manager.

  3. Click View Configuration in the Device > Remote Access VPN group.
    The group shows summary information on how many connection profiles and group policies are currently configured.

  4. Click the view (View_icon_FDM.jpg) button (View configuration button.) to open a summary of the connection profile and connection instructions. 
    Note: You can edit any one of the connection profiles to upload the AnyConnect package to the FTD device.

  5. Click the Edit button to make changes.

  6. Click Next until the Global Settings screen appears.
    The AnyConnect Package shows AnyConnect packages available on the FTD device.

  7. Click 'X' button to remove the AnyConnect package which you want to replace.

  8. Click Upload Package and then click the OS that you want for uploading the compatible package.

  9. Select the package and click Open.
    You can see the package being uploaded on the FDM UI.

  10. Click Finish.
    The configuration is saved.

Note: Alternatively, you can use the FDM API explorer to remove and upload a new AnyConnect package.

  1. Edit the URL to point to /#/api-explorer, for example,  
  2. Delete a package from the FTD device, click AnyConnectPackageFile > Delete. In the objID field, type the package id and
    click TRY IT OUT!.
  3. Upload a new package by performing the steps that are described in the Upload AnyConnect Software Packages to Firepower Threat Defense Devices section. 
  1. Click the Deploy Changes icon in the upper right of the web page.
    The icon is highlighted with a dot when there are undeployed changes.
  2. If you are satisfied with the changes, you can click Deploy Now to start the job immediately.
    The window shows that the deployment is in progress. You can close the window, or wait for the deployment to complete.

Verify the new package is referenced in the RA VPN connection profile

  1. In the CDO navigation bar at the left, click Devices & Service
  2. Select the FTD device which has the upgraded AnyConnect package. This device would be reporting conflict. 
  3. Accept the Out-of-band changes to overwrite the configuration and any pending changes stored on CDO with the device's running configuration. For more information, see 'Resolve "Conflict Detected Status." 
  4. View the new AnyConnect package by performing the following:
    • Click VPN > Remote Access VPN.
    • Click the RA VPN configuration that is associated with this FTD device.
    • Click Edit under Actions.
      The new package is displayed under Devices.
  • Was this article helpful?