Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
407
Views
0
Helpful
1
Replies

ASA webdeploy AnyConnect 5.x linux image issue changing versions

Go to solution
Ethan Grinnell
Level 1
Level 1

‎12-01-2023 03:05 PM - edited ‎12-01-2023 03:06 PM

I've noticed that as of Secure Client (AnyConnect) 5.x I get an error at the ASA CLI and ASDM when I try to change the Linux web-deployed AnyConnect client version. I have no issues with Windows or macOS AnyConnect clients. I've confirmed on ASA5585-X, ASA5525-X and a brand new ASAv. I've tried a few different ASA versions, but mostly 9.12.x train. When I try to change the AnyConnect Linux image it complains "WARNING: Unable to install imageWARNING: Unable to remove image". The image is actually removed from configuration per the CLI, but it remains in the cache:/stc/<index>/ directory. I can no longer install any image at that index. The old image remains at that index until the ASA is reloaded.

Has anyone else seen this?

 

 

I've found a few workarounds:

  • Install the new image at a different index.
  • Remove and reapply all webvpn configuration.

I searched for relevant bugs, the closest I found were these 2, but neither really applies. I only see issue with the Linux image and the ASA isn't short on memory:

Here's an example from a brand new ASAv OVA. I downloaded the ova from Cisco, added IPs, configured it for SSH, copied in AnyConnect pkgs and performed these tests. I'm upgrading AnyConnect from 5.0.04032 to 5.0.05040 here, but the version numbers don't matter. All AnyConnect 5.0 and 5.1 versions seem to be affected. I didn't see this in 4.9 and earlier versions.

 

 

 

 

ASAv1(config)# show run webvpn
ASAv1(config)# no webvpn
ASAv1(config)# dir cache:/stc/
                   ^
ERROR: % Invalid input detected at '^' marker.
ASAv1(config)# webvpn
ASAv1(config-webvpn)# anyconnect image flash:/cisco-secure-client-linux64-5.0.04032-webdeploy-k9.pkg
ASAv1(config-webvpn)# show run webvpn                                                               
webvpn
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 http-headers
  x-content-type-options
  x-xss-protection
  content-security-policy
 anyconnect image disk0:/cisco-secure-client-linux64-5.0.04032-webdeploy-k9.pkg 1
 cache
  disable
 error-recovery disable
ASAv1(config-webvpn)# 
ASAv1(config-webvpn)# anyconnect image flash:/cisco-secure-client-linux64-5.0.05040-webdeploy-k9.pkg
ASAv1(config-webvpn)# ove imageWARNING: Unable to install imageWARNING: Unable to remove image
ASAv1(config-webvpn)# dir cache:/stc/                                                               

Directory of cache:/stc/

0      drwx  0            19:46:18 Nov 21 2023  1

0 file(s) total size: 0 bytes
No space information available

ASAv1(config-webvpn)# show run webvpn
ASAv1(config-webvpn)#

 

 

 

 

3 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Ethan Grinnell
Level 1
Level 1

‎04-24-2024 04:36 PM

The issue is fixed in 9.12(4)65 and newer releases in other trains. Looks like it was actually CSCwa82736

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Ethan Grinnell
Level 1
Level 1

‎04-24-2024 04:36 PM

The issue is fixed in 9.12(4)65 and newer releases in other trains. Looks like it was actually CSCwa82736

0 Helpful
Customers Also Viewed These Support Documents