"Anyconnect client profile" option missing in ASDM

Similar Messages

• AnyConnect Client Profile in ASDM

  I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu.  Also check that your ASDM username have enough privelege."
  My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this.  Righ now I have
  anyconnect-win-3.0.10055-k9.pkg installed.
  This is a lab setup using GNS3.
  Any ideas?

  Hi Marius,
  I would assume you are running ASA 8.0x, right?
  Please check this out:
  "If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
  Security Appliance Software Requirements
  So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
  Let me know.
  Thanks.
  Portu
  Please rate any posts you find helpful.

• ASDM Anyconnect client profile - unable to edit preferences

  Hi,
  I have a functioning vpn set up, my problem is that I'm trying to set up anyconnect start before login. I navigate to the anyconnect client profile section in the remote access vpn and create a profile xml file by clicking the add button. I can add a profile but as soon as I save the file I can no longer edit it. The edit button is greyed out and if I double click the file the asdm returns the error: "Input is not a well-formed, schema-compliant XML file."
  I'm running the following versions of software:
  asdm: 7.1(5)100
  anyconnect: 3.1.05152
  asa: 8.2(3) <----asa hardware doesn't support running a newer version.
  I have not been able to find any info on this particular problem but maybe someone here can help?

  Hello Ryan,
  Do you run into the same problem if you upload AnyConnect 2.5 and perform the same task?
  Also, have you tried this operation from a different machine with and old JAVA version like 1.6?
  HTH.

• AnyConnect Client Profile Backup Server Configuration

  I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
  Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
  (Screenshot attached)
  My questions:
  1. In what all scenarios do we add servers (ASA devices) in this tab
  2. If I have same information in two different locations (Site A and Site B) for AnyConnect user, can I add Site A-ASA and Site B-ASA into Backup Server tab as a failover mechanism for end user.
  3. Or is it only used to mention ASA devices configured in failover unit
  4. In case of failover unit, does it support stateful failover
  I could not find answers to above questions from Google search. So, asking here

  I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios
  1) ASAs at two different sites
  2) ASAs configured as a High Availability failover pair (Active/Standby).
  The profile does work to provide failover in 1) but does not work to provide failover in 2).
  I do not know the authoritative answer to the question about IP phones use of the profile. I believe that the answer ought to be that yes the phone would receive the profile after its first connection and would use the backup server identified in the profile is the primary server was not available. That is a basic functionality of the AnyConnect client and if the phone is using the AnyConnect client then it ought to support that failover. 
  If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
  HTH
  Rick

• Assigning AnyConnect Client Profiles based on the machine?

  I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.
  If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
  If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
  What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
  It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
  If at all possible, I do not users to have to pick a conenction profile or use different URL's.
  Is there anyway to accomplish this?

  Hi
  Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
  Has anyone got any idea how I could do this?
  thanks
  Steve

• Anyconnect Client profile files deleted after client upgrade

  L.S.
  I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
  The ASA I am connecting to is a 5510 running ASA OS 8.4.5
  The problem I have is the following:
  We are using machine certificate authentication combined with RADIUS user authentication.
  The machine certificates are stored in the Machine/Personal container in the local machine.
  By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
  We do not want to have the user run the client as administrator (in elevated mode) all the time.
  Therefor we have made an Anyconnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
  With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
  the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
  The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
  The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
  The user can connect using the 3.1.02040 client (certicate authentication works without elevation, since the XML Anyconnect Client Profile is present)
  The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
  The VPN is established.
  However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
  This means the user cannot connect without using elevated rights the next time he wants to connect.
  If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
  Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

  Hi poiu720408 ,
  1.  You need to set up a web-url or group-alias under the group policy as web have enable the "tunnel-group-list enable" under the webvpn configuration.  So once the user connect to the proper URL/alias the profile will be applied. 
  http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
  2. Yes the Anycopnnect store a "Cache " information on the PC , if you want to clan up you have to go to the anyconnect folder on C: on the PC and delete the global_preferences.xml profile.
  3. This behavior is totally expected and they should disappear  after a some minutes , however if you wan to force this , you can use the command "vpn-sessionsdb logoff webvpn noconfirm"
  Please rate helpful post !
  Hope this helps
  - Randy -

• ADSM AnyConnect Client Profile Editor will not close...

  When I fire up ADSM and go into the AnyConnect Client Profile Editor It will not let me close the Editor.
  If I go it and jsut hit cancel, or OK, or the X, nothing happens.   The only way to exit is to Close down Java.
  I've run ADSM on a few machines all with the same results.
  ADSM Version 6.3(4)
  Thanks

  I Upgraded to ADSM 7.1(2)
  This resolved my issue.

• User Profiles option missing from SharePoint Designer 2013 workflows

  I noticed the User Profiles is missing as a Data Source option in the SharePoint Designer 2013 workflow platform (see image); whereas, it exists in the SharePoint 2010 workflow platform. Is there a way to connect this feature in SharePoint 2013 workflows
  by registering it or configuring through Workflow Manager? If not, what is the new approach in SP 2013 to call User Profiles services?

  Hi,
  Based on your description, you want to use user profile in SharePoint 2013 workflow.
  In SharePoint 2013 workflow user profiles is missing, if you have to use the user profile, you can create a SharePoint 2010 workflow, and use Start a List workflow action in 2013 workflow to start the 2010 workflow.
  The article below is about How to start a SharePoint 2010 Workflow within a SharePoint 2013 Workflow Using SharePoint Designer 2013
  http://www.c-sharpcorner.com/UploadFile/anavijai/how-to-start-a-sharepoint-2010-workflow-within-a-sharepoint/
  And in SharePoint 2013 there is an approach to user profile, you can add the action call http web service to get the information of user profile.  
  The article below is about how to use call http web service in SharePoint 2013 workflow.
  https://msdn.microsoft.com/en-us/library/office/dn567558.aspx
   Best regards
  Sara Fan
  TechNet Community Support

• AnyConnect - Client profile

  Hi all
  I have a very quick question, been trying to find a solution but fail till now. The issue, is there is a default time for AcyConnect client profile to be downloaded/updated when you create a new client profile
  Example: if I have already a client profile (XML), then if I create a new Client profile. When the user connects, it should be using the new client profile correct. But this was not the case. The user was using the old client profile. However the new profile was updated on the client side after 8hrs.
  Ok as a workaround you could delete the xml file from the client PC, however my question is,is there is an option to enable this to be downloaded after creating the profile. I have checked everywhere with the client profile and was not be able to find any setting. If someone knows could you kindly share this please?
  Thanks in advance
  Lancellot

  Hi Lancellot
  as soon as you modify the profile on the ASA (or create a new one), all clients will download this profile as soon as they connect.
  Two things to note though:
  1. the new profile is only downloaded if the user logs in successfuly. So once the tunnel is established, you should see the new profile in the local profiles directory.
  2. Many settings in the profile are applicable *before* the new profile is downloaded, i.e. some are applied only before a connection is initiated (e.g. start before logon), others only during the connection attempt( e.g. automatic certificate selection).
  Similarly, if you add new ServerList entries to the profile then they will only be visible in the client GUI after the client downloads the new profile and disconnects.
  Does this clarify the behavior you saw?
  Herbert

• Profile option missing from Settings General

  I have an iPod Touch 4th Gen.  I just notice that "Profile" option under Settings > General is missing.  How do I add this?

  I had this problem too.I know it says the problem had been solved,but it didn't help me in any way with my problem.For the people who really look for this problem i have the answer.
  THERE IS NO PROFILE.THE ENROLLMENT IS JUST A COOKIE!!!!!!!!!
  The profile is deleted by it's self ,is just another way to add a cookie ,for the website or app to recognize your device.
  So don't search for anything.If you want to delete it go to Safari>Clear Cookies.

• Locking down anyconnect client profile

  I was wondering if there is a way to lock down the anyconnect profile on a clients machine.  Basically we are using certifcates to authenticate so the client can make a VPN connection.  We have enabled the certifcate match function to check for IPSec User Extended Match Key.  I can modify the XML on the client PC to bypass the check and authenticate.  We would like to keep users from doing that.  Is there something I can setup on the ASA versus the client to check the certificate or prevent the XML from being modified?
  Thanks in advance.

  I went in and modified the xml and removed the following.  I was then able to make a connection without checking for the IPSecUser extended key usage.  I have 2 certs on my client.  One cert has the IPSecUser extended key usage and the other does not.
      IPSecUser

• AnyConnect Client profile: group-url in server-list with OGS doesn't work propertly

  Cisco Adaptive Security Appliance Software Version 8.4(4)1
  Device Manager Version 7.0(2)
  Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
  #show webvpn anyconnect
  1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
     CISCO STC win2k+
     3,1,00495
     Hostscan Version 3.1.00495
  Profile in atthach-file. After this profile is uploaded to client Optimal Gateway Selection doesn't work propertly:
  When 'vpn1.mydomain.com/mygroup' (it best TTL server) is unreachable, then OGS try to be connected to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')

  Anton,
  It MIGHT be cosmetic:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz92140
  If not please open up a TAC case and provide DART for such a connection.
  M.

• Associate anyconnect client software with specific profile?

  Hi folks,
  I want to beta test a new release of the Windows AnyConnect client software with a small number of users.  We use the web deployment feature.  Is there a way for us to associate a specific version of the client software with a profile?  This seems like the easiest way to release the new software to a small group of people.
  Thanks
  Pat            

  The only "AutoUpdate" Value in my profile for 3.x is: true
  I think if you put the new AC image in flash it's and point to it in the configuration, it's going to update all the clients - not just a specified tunnel or group.  I am not 100% on this though.
  Is manually installing it in your test environment an option?  This is what what we did then exported profile from the firewall and placed it in the directory for the test client.

• Camera Profile options suddenly missing in Lightroom...

  Okay... so I noticed yesterday that (for some reason) my camera calibration profile options have disappeared, and my only option is "Adobe Standard". I used to have all the others (camera standard, camera standard 2, adobe standard 2, ACR, etc), but they have vanished.
  I'm running Windows 7 32bit.
  I thought maybe it was just Lightroom 3.5, so I un-installed and re-installed... no luck.
  I un-installed 3.5 and re-installed 3.4.1.. no luck.
  The camera profiles are in the proper directory (based on other forum posts I've found)... no luck.
  I've tried removing the camera profiles from the directory and re-installing... no luck.
  Not sure where they went, or what happened, or how I can get them back. Colors just aren't the same without them
  Any ideas? I searched for hours on different forums and support sites, with no avail... Am I missing something? Is there another software besides Lightroom that needs to be installed? I'm out of ideas.
  Cheers.

  The list of profiles displayed is dependent on the camera used to shoot the image. Typically, cameras from Nikon, Canon and some Pentax will have a range of profiles whereas others vendors (e.g. Sony, Panasonic and Olympus) will only have Adobe Standard. I suggest that you check which camera model is showing fewer profiles than you expect and report back. Someone will then be able to tell you whether it's got a a full or limited range of profiles.

• ISE Profiling options for VPN clients

  I'm trying to mull over what profiling options are available for VPN users.  I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access.  The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements.  I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can.  Since the mac address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria.  So the net effect is these devices are stuck in the "unknown" posture state and have very limited access.  Any way around this catch-22?  Incidentally DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their mac address.

  Chris I ran into the same issue. Netflow doesn't work and use packet captures to see if anything was worth while. The only option I see is filing a enhancement request to see if the asa can send the device platform over ot ise via radius (much like the device sensor feature on ios).
  I also tried to use a span session and the catch with is that the asa doesn't assign the calling station id attribute to the tunnel ip, but the public ip the user is connecting from. So ise doesn't apply the user agent attributes to the current session.
  I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the cpp portal as a mobile device.
  Sent from Cisco Technical Support Android App