I've already experienced that

giuseppe parlato · ‎03-16-2014

How can I make anyconnect downloadable from ASA ? do I have to enable clientless ssl vpn in the group policy ?

Thank you

Karsten Iwen · ‎03-16-2014

Just load a new image to the ASA (under Configuration -> Remote-Access VPN -> Network (Client) Access -> AnyConnect Client Software) and the client will load the new software the next time when the client connects. Of course the client shouldn't have a setting applied to not download new software. The group-policy doesn't need any specific settings for that and you also don't need to enable clientless for that.

Marvin Rhoads · ‎03-16-2014

+ 5 what Karsten said.

For more help, tell us what kind of remote access VPN you have setup or want to setup. Beyond the AnyConnect client software, certain features require different configuration steps and/or licensing on the ASA.

giuseppe parlato · ‎03-16-2014

Anyconnect for windows, actually anyconnect ssl vpn works if I install anyconnect client (which I downloaded from cisco site) locally on my pc but I'd like to make it possible to download and install it from cisco asa. On my browser pointing to https://myvpnoutsideaddress.com I do not see anyconnect connection tunnel group on which I should be able to authenticate and then eventually download the client.

ps. I also have some clientless web ssl vpn

Marvin Rhoads · ‎03-16-2014

Can you share your ASA configuration? There are several things necessary, to wit:

Your connection profile (tunnel-group in the cli vernacular) would need to have the webvpn setup correctly, aliases for the profiles defined, AnyConnect .pkg file defined (and present on the ASA), etc.

giuseppe parlato · ‎03-16-2014

Quite difficult to share the whole conf,

here is the anyconnect one,

VPN/pri/act# sh run tunnel-group Gr_VPN_Sales
tunnel-group Gr_VPN_Sales type remote-access
tunnel-group Gr_VPN_Sales general-attributes
address-pool Gr_VPN_Sales-Pool
authentication-server-group LDAP-SIC
default-group-policy Gr_VPN_Sales-GroupPolicy
tunnel-group Gr_VPN_Sales webvpn-attributes
group-alias Sales-SDO enable

VPN/pri/act# sh run group-policy Gr_VPN_Sales-GroupPolicy
group-policy Gr_VPN_Sales-GroupPolicy internal
group-policy Gr_VPN_Sales-GroupPolicy attributes
wins-server value 10.22.42.104 10.22.42.105
dns-server value 10.22.42.104 10.22.42.105
vpn-filter value Gr_VPN_Sales-ACL
vpn-tunnel-protocol ssl-client
group-lock value Gr_VPN_Sales
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Gr_VPN_Sales-Split
default-domain value Sales.rve

VPN/pri/act# sh run webvpn
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable

Karsten Iwen · ‎03-16-2014

That is the relevant part of the config:

webvpn

anyconnect image disk0:/anyconnect-win-3.1.02040-k9.pkg 1

If you load a new image through the mentioned way, then that image will get placed here and the next time your users connect they will be upgraded.

giuseppe parlato · ‎03-17-2014

I've already experienced that the upgrade works but actually my issue is I cant download it (supposing I have no anyconnect installed)

Marvin Rhoads · ‎03-17-2014

What behavior do you observer when trying to downlaod to a client PC with no AnyConnect currently installed?

You don't have any DAP checks that might be looking for something client-side like a certificate or registry key?

giuseppe parlato · ‎03-16-2014

is this necessary even though there is no clientless ssl vpn portal page for this tunnel-group ?

group-policy Gr_VPN_Sales-GroupPolicy attributes
webvpn
anyconnect ask none default anyconnect

giuseppe parlato · ‎03-16-2014

Do I have to create a client profile ?

anyconnect download from ASA