Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Cisco anyconnect to replace cisco vpn client

Unanswered Question
Jul 1st, 2014
User Badges:

What download do I use to install a Cisco anyconnect to replace cisco vpn client?  I want to try this on windows 7 & windows 8


I had a look at the downloads section but I wasn't sure what I needed to download




  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marvin Rhoads Tue, 07/01/2014 - 15:35
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

It's not a straight replacement.

The legacy Cisco IPsec client works with an IPsec remote access (RA) VPN.

The AnyConnect Secure Mobility client supports two types of RA VPN configurations:

     1. IPsec only with IKEv2 (requires updated software and configuration to replace an IPsec IKEv1 RA VPN)

     2. Full-tunnel SSL VPN

So the head end (ASA or IOS router) needs to change configuration as well if you desire to change clients.

If you deploy via a package on the headend you would use:


If you deploy as a standalone package (i.e not downloading from head end) then use:


In the case of the ISO file you need to unpackage it (I find 7-zip works nicely) and run "setup.exe" from the included files (allows you to choose from among all the modules) or just the "anyconnect-win-3.1.05170-pre-deploy-k9.msi" (VPN module only). You can also burn the ISO to a DVD or CD if you're so inclined.

Note the above files are the current releases as of 1 July 2014. Future readers of this thread will have to check for current releases.

ohareka70 Mon, 07/07/2014 - 09:02
User Badges:

Are we definately talking about the same thing? At the moment i am using the Cisco Systems VPN client Version to login and authenticate on the Cisco ASA remotely.  Then i have the firewall rules in place to talk to certain servers on the network.


I was under the impression i need to move to Cisco Anyconnect soon?





Richard Bradfield Mon, 07/07/2014 - 17:24
User Badges:
  • Silver, 250 points or more


You have to ensure your ASA is licensed for Anyconnect

do a 'show version' from the CLI on the ASA

AnyConnect Premium Peers          : 500            perpetual
AnyConnect Essentials             : Disabled       perpetual

download the  anyconnect-win-3.1.05170-k9.pkg to your ASA

configure your ASA for Anyconnect, the previous answer to this will help you.

once done all you need to do from your remote client is an HTTPS://to the public address of your ASA, accept the certificates etc, and the Anyconnect software will be down loaded to your client





Marvin Rhoads Mon, 07/07/2014 - 19:02
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

Yes, migration off of the Cisco VPN client for a remote access VPN is the Cisco-recommended path for migration away from the legacy client which is discontinued and thus no longer being developed / updated for Windows 8 etc.

As Richard noted in his reply, it is separately licensed so it is more than simply changing a few configuration bits (although that is the bulk of the work and can be done in a basic way as Karthik explained in his earlier reply). There are also many many other options and enhanced fucntions one has implement on an AnyConnect-based remote access VPN that were never available on the legacy VPN client.

nkarthikeyan Tue, 07/01/2014 - 23:08
User Badges:
  • Gold, 750 points or more

Hi Kevin,


Adding to the marvin's points... I prefer to keep present ipsec ra VPN and additionally you can configure cisco anyconnect ra vpn on to your asa..... do all the tests.... then you can  removed the old ipsec ra vpn from the appliance....

the best method is if you add the required packages on the asa appliance.... if the end users authenticates with the new ssl vpn.... they will get auto downloaded with the anyconnect vpn client to their machine and getting that installed for them..... from there they can access the internal resources as defined in your policies....


You can defined the latest versions of client packages from the cisco site for win 7/8, linux , mac etc....


Make sure that you have the required anyconnect license to support your requirement....


For example:


ASA-SSLVPN# conf t

ASA-SSLVPN(config)# web

ASA-SSLVPN(config)# webvpn

ASA-SSLVPN(config-webvpn)# port 443

ASA-SSLVPN(config-webvpn)# enable outside

ASA-SSLVPN(config-webvpn)# tunnel-group

ASA-SSLVPN(config-webvpn)# tunnel-group-list enable

ASA-SSLVPN(config-webvpn)# anyconnect image flash:/anyconnect-win-2.5.2019-k9.pkg

ASA-SSLVPN(config-webvpn)# anyconnect enable

ASA-SSLVPN(config-webvpn)# exit



Define an access-list for our split tunnel configuration:


ASA-SSLVPN(config)# access-list SPLIT_TUNNEL permit

ASA-SSLVPN(config)# sho access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list SPLIT_TUNNEL; 1 elements; name hash: 0x63aa8f22

access-list SPLIT_TUNNEL line 1 standard permit (hitcnt=0) 0xde939712



Create our group policy for our ssl vpn:


ASA-SSLVPN(config)# group-poli

ASA-SSLVPN(config)# group-policy SSLVPN_ASA internal

ASA-SSLVPN(config)# group-policy SSLVPN_ASA attributes

ASA-SSLVPN(config-group-policy)# split-tunnel-policy tunnelspecified

ASA-SSLVPN(config-group-policy)# split-tunnel-network-list value SPLIT_TUNNEL

ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ?


group-policy mode commands/options:

  ikev1           IKE version 1

  ikev2           IKE version 2

  l2tp-ipsec      L2TP using IPSec for security

  ssl-client      SSL VPN Client

  ssl-clientless  SSL Clientless VPN

ASA-SSLVPN(config-group-policy)# vpn-tunnel-protocol ssl-client

ASA-SSLVPN(config-group-policy)# webvpn

ASA-SSLVPN(config-group-webvpn)# anyconnect ssl ?


config-group-webvpn mode commands/options:

  compression    Configure compression for AnyConnect with SSL

  df-bit-ignore  Configure DF-Bit Ignore for AnyConnect with SSL

  dtls           Configure DTLS for AnyConnect with SSL

  keepalive      Configure the keepalive for AnyConnect with SSL

  rekey          Configure rekey for AnyConnect with SSL

ASA-SSLVPN(config-group-webvpn)# anyconnect ssl dtls enable

ASA-SSLVPN(config-group-webvpn)# anyconnect ssl keepalive 15

ASA-SSLVPN(config-group-webvpn)# anyconnect ssl compression de

ASA-SSLVPN(config-group-webvpn)# anyconnect ssl compression deflate

ASA-SSLVPN(config-group-webvpn)# anyconnect keep-installer inst

ASA-SSLVPN(config-group-webvpn)# anyconnect keep-installer installed

ASA-SSLVPN(config-group-webvpn)# anyconnect ask enable

ASA-SSLVPN(config-group-webvpn)# exit

ASA-SSLVPN(config-group-policy)# exit



We need to create an address pool to be assigned to our vpn users:


ASA-SSLVPN(config)# ip local pool

ASA-SSLVPN(config)# ip local pool SSLVPN_POOL


Now we create a tunnel-group and assign the group-policy:


ASA-SSLVPN(config)# tunnel-group SSLVPN  type remote-access

ASA-SSLVPN(config)# tunnel-group SSLVPN  general-attributes

ASA-SSLVPN(config-tunnel-general)# default-group-policy SSLVPN_ASA

ASA-SSLVPN(config-tunnel-general)# address-pool SSLVPN_POOL

ASA-SSLVPN(config-tunnel-general)# exit

ASA-SSLVPN(config)# tunnel-group SSLVPN webvpn-attributes

ASA-SSLVPN(config-tunnel-webvpn)# group-alias SSLVPN_GNS3

ASA-SSLVPN(config-tunnel-webvpn)# authentication aaa

ASA-SSLVPN(config-tunnel-webvpn)# exit



We will create a new username to test our sslvpn:


ASA-SSLVPN(config)# username sslvpnuser password cisco

ASA-SSLVPN(config)# username sslvpnuser attributes

ASA-SSLVPN(config-username)# group-lock value SSLVPN

ASA-SSLVPN(config-username)# exit





This Discussion