Upgrading - Uploading AnyConnect Secure Mobility Client v4.x SSL VPN on Cisco ASA 5506-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X, 5585-X

This article will show how to download and upload the newer AnyConnect 4.x VPN clients to your Cisco ASA Firewall appliance (5500 & 5500-X Series) and configure WebVPN so that the newer AnyConnect VPN client is used and distributed to the remote VPN clients.

The Cisco AnyConnect SSL VPN has become the VPN standard for Cisco equipment, replacing the older Cisco IPSec VPN Client. With the introduction of the newer 4.x AnyConnect, Cisco has made dramatic changes to their licensing and features supported. Our Cisco AnyConnect 4.x Licensing article explains the differences with the newer 4.x licensing and has all the details to help organizations of any size migrate from 3.x AnyConnect to 4.x. You’ll also find the necessary Cisco ordering codes along with their caveats.

Figure 1. Cisco AnyConnect v4.x

The latest AnyConnect client at the time of writing is version 4.2.02075, which is available for Cisco customers with AnyConnect Plus or Apex licenses. Cisco provides both head-end and standalone installer files. The head-end files (.pkg extension) are deployed on the Cisco ASA Firewall and automatically downloaded by the VPN clients once authenticated via the web browser.

Uploading AnyConnect Secure Mobility Packages To The ASA Firewall

Images can be uploaded to the Cisco ASA Firewall via a standard tftp client using the copy tftp flash: command:

We repeat the same commands until all 3 files have been uploaded so we can fully support Windows, Linux and MAC OS clients.

Using the dir command at the end of the process confirms all files have been successfully uploaded to our ASA Firewall:

Registering The New AnyConnect Packages

Assuming AnyConnect is already configured on your ASA Firewall, registering the new packages is a very simple process. In the near future, we’ll be including a full guide on how to setup AnyConnect Secure Mobility on Cisco ASA Firewalls.

Enter configuration mode and in the webvpn section add the following commands:

When dealing with multiple clients (supported platforms) of AnyConnect, assign an order to the client images using the numbers (1, 2, 3) at the end of each package command as shown above.

Previous versions of AnyConnect packages (.pkg) can be removed from the configuration by using the no anyconnect image disk0:/anyconnect-win-xxxxx-k9.pkg command.

Verifying The New AnyConnect Packages

As a final step, we can verify that the AnyConnect packages have been successfully installed using the show webvpn anyconnect command:

This completes the upgrade process of AnyConnect Secure Mobility Client on an ASA Firewall Security appliance. We saw all CLI commands involved to upload and register the new AnyConnect packages, remove the old AnyConnect packages and finally verify the packages are correctly registered for usage.