AnyConnect profile not updating correctly

Jens Galsgaard

Hello,

 

I see strange behaviour on an ASA5525-X running 9.1.5-12 and AnyConnect running 3.1.05182.

 

Whenever I edit the connection profile, it only ever updates the local XML file when logging in via the web portal of the ASA.

Nothing happens to the XML file when logging in with the AnyConnect client (twice).

 

Is that default behaviour or am I missing a setting somewhere?

 

Kind regards,

Jens

10 Replies

Marvin Rhoads

As long as you have enabled client services in the connection profile, profile updates on the ASA should be pushed to the client upon next login via AnyConnect.

I can't find client services in the profile editor or the xml, so I'm not sure what you mean.

Sorry for the confusion - that keyword is only used on an IPsec IKEv2 remote access VPN.

For an SSL VPN, it should be controlled by the presence of the xml file under the webvpn configuration section.

When an AnyConnect client connects, the ASA should be comparing its version of the profile to the one stored locally on the client. If the ASA's is newer, it should automatically update the client.

I get that, but why is the local XML only updated when connecting via the web portal?

Shouldn't it be the same when connecting with the AnyConnect app?

Yes, it should update when connecting directly using the AnyConnect Secure Mobility client VPN module. I've used several dozen ASA-based SSL VPNs and all the ones with ASA-based profiles worked that way.

Which leads me back to my initial question about what could cause this behaviour.

It could be a malformed profile or corrupted client. A close look at your setup might help but it might also require examination of a diagnostic dump (DART file from AnyConnect). 

I've used the same ASA and AnyConnect versions as you're using and it worked OK.

If you have support I'd suggest opening a TAC case.

The profile had been changed in the unsupported fashion where an admin had just downloaded the file and uploaded again after making changes.

The profile now works as expected when only doing changes in ASDM - after recreating the reference.

Thanks again!

bravotom99

I don't use the web portal but I have seen something similar with the client when I simply uploaded a new XML to the ASA and replaced the existing file. I figured if I replaced the XML file with a new one with the same name, I should be good, right? Nope. I had to go into the GUI, delete the profile entry (keep the XML), and then add a new entry again with the same name and point to the new XML.

Thank you, bravotom.  That was the fix for me.

 

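conf t
! anyconnect profiles is entered in webvpn configuration mode
webvpn
 ! remove the profile entry, then re-add it under the same name
 no anyconnect profiles PROFILE-NAME disk0:/PROFILE.xml
 anyconnect profiles PROFILE-NAME disk0:/PROFILE.xml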
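An added example, not from the thread or from Cisco: a Python check that a copy of the profile exported from the ASA and the copy on the client are both well-formed and identical, covering the "malformed profile" and "hand-edited upload" causes discussed above. The sample XML is constructed, `inspect_profile` and `compare_profiles` are hypothetical helper names, and the element names assume the standard AnyConnect profile schema.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://schemas.xmlsoap.org/encoding/}"  # namespace of AnyConnect profile XML

# Constructed sample profiles (not taken from any real deployment).
ASA_NEW = b"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>VPN New</HostName><HostAddress>vpn.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""
CLIENT_OLD = ASA_NEW.replace(b"VPN New", b"VPN Old")   # client never got the update
BROKEN = ASA_NEW.replace(b"</ServerList>", b"")        # hand-edit that lost a closing tag

def inspect_profile(data: bytes) -> dict:
    """Return the digest and server list of a profile, or an error if it is malformed."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "error": None, "hosts": []}
    if b"<!DOCTYPE" in data:  # a profile needs no DTD; refuse rather than expand entities
        result["error"] = "unexpected DOCTYPE"
        return result
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        result["error"] = f"not well-formed: {exc}"
        return result
    if root.tag != NS + "AnyConnectProfile":
        result["error"] = f"unexpected root element {root.tag}"
        return result
    for entry in root.iter(NS + "HostEntry"):
        host = (entry.findtext(NS + "HostName", "").strip(),
                entry.findtext(NS + "HostAddress", "").strip())
        result["hosts"].append(host)
    return result

def compare_profiles(asa_copy: bytes, client_copy: bytes) -> str:
    """Classify the relationship between the ASA's profile and the client's copy."""
    asa, client = inspect_profile(asa_copy), inspect_profile(client_copy)
    if asa["error"]:
        return "asa-profile-invalid: " + asa["error"]
    if client["error"]:
        return "client-profile-invalid: " + client["error"]
    if asa["sha256"] == client["sha256"]:
        return "in-sync"
    if asa["hosts"] != client["hosts"]:
        return "stale-server-list"
    return "differs"

if __name__ == "__main__":
    print(compare_profiles(ASA_NEW, CLIENT_OLD))
```

Run it against the two files after an AnyConnect login; any result other than `in-sync` means the client did not receive the ASA's current profile.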