Skip to main content

Upgrading - Uploading AnyConnect Secure Mobility Client v4.x SSL VPN on Cisco ASA 5506-X, 5508-X, 5512-X, 5515-X, 5516-X, 5525-X, 5545-X, 5555-X, 5585-X

This article will show how to download and upload the newer AnyConnect 4.x VPN clients to your Cisco ASA Firewall appliance (5500 & 5500-X Series) and configure WebVPN so that the newer AnyConnect VPN client is used and distributed to the remote VPN clients.

The Cisco AnyConnect SSL VPN has become the VPN standard for Cisco equipment, replacing the older Cisco IPSec VPN Client. With the introduction of the newer 4.x AnyConnect, Cisco has made dramatic changes to their licensing and features supported. Our Cisco AnyConnect 4.x Licensing article explains the differences with the newer 4.x licensing and has all the details to help organizations of any size migrate from 3.x AnyConnect to 4.x. You’ll also find the necessary Cisco ordering codes along with their caveats.

cisco-asa-firewall-anyconnect-secure-mobility-4-upgrade-1

Figure 1. Cisco AnyConnect v4.x

The latest AnyConnect client at the time of writing is version 4.2.02075, which is available for Cisco customers with AnyConnect Plus or Apex licenses. Cisco provides both head-end and standalone installer files. The head-end files (.pkg extension) are deployed on the Cisco ASA Firewall and automatically downloaded by the VPN clients once authenticated via the web browser.

Uploading AnyConnect Secure Mobility Packages To The ASA Firewall

Images can be uploaded to the Cisco ASA Firewall via a standard tftp client using the copy tftp flash: command:

ASA-5506X# copy tftp flash:
Address or name of remote host []? 192.168.10.54
Source filename []? anyconnect-win-4.2.02075-k9.pkg
Destination filename [anyconnect-win-4.2.02075-k9.pkg]? [Hit Enter to keep same filename]
Accessing tftp://192.168.10.54/anyconnect-win-4.2.02075-k9.pkg...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/anyconnect-win-4.2.02075-k9.pkg !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
INFO: No digital signature found
 
19426316 bytes copied in 85.820 secs (228544 bytes/sec)

We repeat the same commands until all 3 files have been uploaded so we can fully support Windows, Linux and MAC OS clients.

Using the dir command at the end of the process confirms all files have been successfully uploaded to our ASA Firewall:

ASA-5506X# dir
Directory of disk0:/
97     -rwx 69454656     18:01:00 Aug 04 2015 asa941-lfbff-k8.SPA
98     -rwx 26350916     18:01:34 Aug 04 2015 asdm-741.bin
99     -rwx 33           04:09:03 Feb 27 2016 .boot_string
11     drwx 4096         18:04:04 Aug 04 2015 log
22     drwx 4096         18:05:10 Aug 04 2015 crypto_archive
23     drwx 4096         18:05:30 Aug 04 2015 coredumpinfo
100   -rwx 41836544     18:10:02 Aug 04 2015 asasfr-5500x-boot-5.4.1-211.img
103   -rwx 19426316     06:58:37 Feb 27 2016 anyconnect-win-4.2.02075-k9.pkg
104   -rwx 12996288     07:01:17 Feb 27 2016 anyconnect-linux-64-4.2.02075-k9.pkg
105   -rwx 17519719     07:04:26 Feb 27 2016 anyconnect-macosx-i386-4.2.02075-k9.pkg
7859437568 bytes total (4448530432 bytes free)
 
ASA-5506X#

Registering The New AnyConnect Packages

Assuming AnyConnect is already configured on your ASA Firewall, registering the new packages is a very simple process. In the near future, we’ll be including a full guide on how to setup AnyConnect Secure Mobility on Cisco ASA Firewalls.

Enter configuration mode and in the webvpn section add the following commands:

ASA-5506X(config)# webvpn
ASA-5506X(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.2.02075-k9.pkg 1
ASA-5506X(config-webvpn)# anyconnect image disk0:/anyconnect-linux-64-4.2.02075-k9.pkg 2
ASA-5506X(config-webvpn)# anyconnect image disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 3
ASA-5506X(config-webvpn)# anyconnect enable

When dealing with multiple clients (supported platforms) of AnyConnect, assign an order to the client images using the numbers (1, 2, 3) at the end of each package command as shown above.

Previous versions of AnyConnect packages (.pkg) can be removed from the configuration by using the no anyconnect image disk0:/anyconnect-win-xxxxx-k9.pkg command.

Verifying The New AnyConnect Packages

As a final step, we can verify that the AnyConnect packages have been successfully installed using the show webvpn anyconnect command:

ASA-5506X# show webvpn anyconnect
 
1. disk0:/anyconnect-win-4.2.02075-k9.pkg 1 dyn-regex=/Windows NT/
CISCO STC win2k+
4,2,02075
Hostscan Version 4.2.02075
Wed 02/17/2016 23:34:33.75
 
2. disk0:/anyconnect-linux-64-4.2.02075-k9.pkg 2 dyn-regex=/Linux x86_64/
CISCO STC Linux_64
4.2.02075
Wed Feb 17 23:03:53 EST 2016
 
3. disk0:/anyconnect-macosx-i386-4.2.02075-k9.pkg 3 dyn-regex=/Intel Mac OS X/
CISCO STC Darwin_i386
4.2.02075
Wed Feb 17 23:59:03 EST 2016
 
3 AnyConnect Client(s) installed

This completes the upgrade process of AnyConnect Secure Mobility Client on an ASA Firewall Security appliance. We saw all CLI commands involved to upload and register the new AnyConnect packages, remove the old AnyConnect packages and finally verify the packages are correctly registered for usage.

Your IP address:

3.145.77.141

All-in-one protection for Microsoft 365

All-in-one protection for Microsoft 365

FREE Hyper-V & VMware Backup

FREE Hyper-V & VMware Backup

Wi-Fi Key Generator

Generate/Crack any
WEP, WPA, WPA2 Key!

Network and Server Monitoring

Network and Server Monitoring

Follow Firewall.cx

Cisco Password Crack

Decrypt Cisco Type-7 Passwords on the fly!

Decrypt Now!

Bandwidth Monitor

Zoho Netflow Analyzer Free Download

Free PatchManager

Free PatchManager

EventLog Analyzer

ManageEngine Eventlog Analyzer

Security Podcast

Hornet-Security-The-Swarm-Podcast

Firewall Analyzer

zoho firewall analyzer