New Member

Force AnyConnect Profile update

A year ago I set up an ASA5515x to act as our VPN concentrator with 2-factor authentication using Device Certificates and User Credentials.

This worked well for the year until the certificate for the ASA expired. I issued a new certificate from our MS CA infrastructure, but the AnyConnect clients wouldn't connect. They would immediately throw an invalid certificate error. I called and worked with TAC and they determined one of my VPN profiles was configured to attempt IPsec first. They changed this setting on the ASA and had me delete the stored AnyConnect profiles from the client. This solved the issue and new profiles were created.

They couldn't tell me why it ran perfectly fine for a year with that setting, but at least they got to the bottom of it. When I compared the difference between the two profiles I found the broken one had an entry of <PrimaryProtocol>IPSec</PrimaryProtocol>.

When I asked how I go about addressing my 100+ clients that are on the road, he told me they would need to delete those profiles. The problem is, our users are not administrators over their workstations, so they don't have the permission to delete the profiles from "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile", and since AnyConnect immediately refuses the connection, they're not able to connect to pull down the new profile.

Is there a way to force a profile update?

Denny


8 REPLIES

Hi,

I do not think you have any option to push the profiles, because your clients will not be able to connect with the VPN itself... I guess they have to do it manually...


Regards

Karthik

Cisco Employee

Hi Denny,

Perhaps you can push the profile from your AD to all the users using GPO, the way you push company-owned software and updates to the users' systems.
Another way, not scalable, is to ask the clients to change the primary protocol to SSL manually in the client profile.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member

Hello,

Thank you for replying. As mentioned, these laptops are primarily on the road, so they won't be able to pick up a GPO policy until they connect.

Is there a way to toggle to SSL from within the client? Editing the profile by hand requires admin rights to be able to modify the file.

Thank you,

Denny

Hall of Fame Super Silver

No - you can't modify the transport protocol from the client directly. That is exclusively configured in the profile - which needs to either come from the ASA or be deployed / created manually.

Hall of Fame Super Silver

I agree with Dinesh and Karthik that you can't push a profile via the ASA without being able to connect. The only option is manual update or some sort of push (via AD GPO, SCCM or such) once the clients are connected directly on the corporate network.

Have you considered just creating and enabling an IPsec profile? Then the clients with that profile could connect without issue.

New Member

Hi Marvin,

Thank you for responding. You may be on to something with enabling IPsec.

Rather than creating a new profile, can I enable it on the existing profile but still leave SSL as the primary protocol under the server list entry in the Client Profile Editor? I have several connection profiles matching various items in their certificate to determine which group policy is applied.

I'm concerned that if I have two profiles matching the same criteria it might cause some issues.

When I get into the office tomorrow I'll give it a whirl.

Denny

New Member

Hi Marvin,

You were spot on with your suggestion. I already had IPsec configured, but it suddenly stopped working with the new certificate. I discovered I needed to associate IKEv2 with the new trustpoint.

I couldn't find where to do it in ASDM, so command line to the rescue.

Thank you,

Denny
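The CLI step Denny describes, as an added example that is not from his post or from Cisco documentation: after a certificate renewal the new trustpoint has to be bound on both access paths, because a client whose profile carries `<PrimaryProtocol>IPsec</PrimaryProtocol>` negotiates IKEv2 and validates whatever certificate the IKEv2 side presents, independently of the SSL trust-point. The trustpoint name `ASA-ID-RENEWED` and the interface name `outside` are assumed.

```cisco
! Constructed example: the renewed identity certificate is enrolled in
! trustpoint ASA-ID-RENEWED (name assumed). First record which trustpoint
! each access path currently uses, so the change can be verified afterwards.
show running-config ssl
show running-config crypto ikev2
show crypto ca certificates ASA-ID-RENEWED

configure terminal
! Clients using PrimaryProtocol SSL take the server certificate from here.
ssl trust-point ASA-ID-RENEWED outside
! Clients using PrimaryProtocol IPsec take it from here. This is the binding
! that is easy to miss after a renewal; if it still points at the expired
! trustpoint, IKEv2 clients fail certificate validation while SSL clients work.
crypto ikev2 remote-access trustpoint ASA-ID-RENEWED
! Keep IKEv2 enabled on the interface with client services so profile
! download over TCP 443 continues to work for IPsec clients.
crypto ikev2 enable outside client-services port 443
end

! Both paths should now reference the same renewed trustpoint.
show running-config ssl
show running-config crypto ikev2
```

Comparing the two `show running-config` outputs before and after the change is the quickest way to confirm that no access path is still tied to the expired trustpoint.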

Hall of Fame Super Silver

Excellent. I'm glad it worked for you.

Thanks for the rating.
