Upload an AnyConnect Package to ASA from Server

Download the AnyConnect client software packages to your computer and upload them to a remote server accessible from ASAs. Later, use the RA VPN wizard or ASA File Management wizard to upload the AnyConnect software packages from that server to ASAs. DNS must be configured correctly on the device for URLs that use a domain name.

The ASA RA VPN wizard supports uploading packages using HTTP, HTTPS, TFTP, FTP, SMB, or SCP protocols.

The syntax of supported protocols for uploading the file:

Protocol | Syntax | Example
---------|--------|--------
HTTP | http://[[path/ ]filename] | http://www.geonames.org/data-sources.html
HTTPS | https://[[path/ ]filename] | https://docs.aws.amazon.com/amazov/tagging.html
TFTP | tftp://[[path/ ]filename] | tftp://10.10.16.6/ftd/components.html
FTP | ftp://[[user[:password]@]server[:port]/[path/ ]filename] | ftp://'dlpuser:rNrKYTX9g7z3RgJRmxWuGHbeu'@ftp.dlptest.com/image0-000.jpg
SMB | smb://[[path/ ]filename] | smb://10.10.32.145//sambashare/hello.txt
SCP | scp://[[user[:password]@]server[/path]/ filename] | scp://root:cisco123@10.10.16.6//root/events_send.py

Before you begin

Make sure that you download the "AnyConnect Headend Deployment Package" for your desired operating systems. Always download the latest AnyConnect version to ensure that you have the latest features, bug fixes, and security patches. Regularly update the packages on the device.

Important

If you choose to upload the packages using the ASA File Management wizard, do not modify the package names after downloading them.

Note

You can upload one AnyConnect package per Operating System (OS): Windows, Mac, and Linux. You cannot upload multiple versions for a given OS type.

Procedure


Step 1

Download the AnyConnect packages from https://software.cisco.com/download/home/283000185.

  • Make sure you accept the EULA and have K9 (encrypted image) privileges.

  • Select the "AnyConnect Headend Deployment Package" package for your operating system. The package name will be similar to "anyconnect-win-4.7.04056-webdeploy-k9.pkg." There are separate headend packages for Windows, macOS, and Linux.

Step 2

Upload the AnyConnect packages to a remote server. Ensure that there is a network route between the ASA device and the server.

The ASA RA VPN wizard supports uploading packages using HTTP, HTTPS, TFTP, FTP, SMB, or SCP protocols.

Important

If you are uploading the AnyConnect package to an HTTPS server, ensure that the following steps are performed:

  • Upload the trusted CA certificate of that server on the ASA device.

  • Install the trusted CA certificate on the HTTPS server.

Step 3

The remote server's URL must be a direct link that does not prompt for authentication. If the URL is pre-authenticated, you can download the file by specifying that URL in the RA VPN wizard.

Step 4

If the remote server IP address is NATed, you have to provide the NATed public IP address of the remote server location.
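
A pre-flight check for package URLs before they are entered in the wizard, written for this page as an added example (it is not Cisco code). It checks the protocol against the supported list, flags cleartext transports and credentials embedded in the URL, notes when DNS is required, and enforces the unmodified package name and the one-package-per-OS rule. The file name pattern is an assumption generalised from the Windows example name above, and the sample hosts are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

SUPPORTED = {"http", "https", "tftp", "ftp", "smb", "scp"}  # protocols listed on this page
CLEARTEXT = {"http", "tftp", "ftp"}  # no transport encryption
# Assumption: pattern generalised from the page's Windows example name;
# the macos/linux64 tokens are not taken from this page.
PKG_RE = re.compile(r"^anyconnect-(win|macos|linux64)-(\d+(?:\.\d+)+)-webdeploy-k9\.pkg$")

def check_package_url(url):
    """Return (os_token, findings); os_token is None if the name is unrecognised."""
    parts = urlsplit(url)
    scheme, host, findings = parts.scheme.lower(), parts.hostname or "", []
    if scheme not in SUPPORTED:
        return None, [f"unsupported protocol '{scheme}'"]
    if scheme in CLEARTEXT:
        findings.append(f"{scheme} is cleartext: package and credentials exposed in transit")
    if parts.username or parts.password:
        findings.append("credentials embedded in URL")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        findings.append(f"'{host}' is not an IP address: DNS must be configured on the ASA")
    match = PKG_RE.match(parts.path.rsplit("/", 1)[-1])
    if not match:
        findings.append("file name does not look like an unmodified headend package")
        return None, findings
    return match.group(1), findings

def check_batch(urls):
    """Check several URLs and enforce one package per OS."""
    report, seen = {}, set()
    for url in urls:
        os_token, findings = check_package_url(url)
        if os_token in seen:
            findings.append(f"second package for '{os_token}': only one per OS is allowed")
        elif os_token:
            seen.add(os_token)
        report[url] = findings
    return report

if __name__ == "__main__":
    # Constructed sample URLs (documentation address range and example domain).
    sample = [
        "https://files.example.com/vpn/anyconnect-win-4.7.04056-webdeploy-k9.pkg",
        "ftp://user:pw@192.0.2.10/anyconnect-win-4.7.04056-webdeploy-k9.pkg",
    ]
    for url, findings in check_batch(sample).items():
        print(url, findings or "ok")
```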