This document describes a problem that is encountered when the Cisco AnyConnect Secure Mobility Client does not upgrade properly after a Microsoft Windows system restore is completed. A solution to this problem is also described.
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of the upgrade and deployment procedures for the Cisco AnyConnect Secure Mobility Client
- Basic knowledge of Microsoft Windows
The information in this document is based on these software and hardware versions:
- Cisco AnyConnect Secure Mobility Client Versions 3.x and 4.x
- Microsoft Windows® Version 7
- Cisco Adaptive Security Appliance (ASA) Versions 8.2 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The AnyConnect Client fails to upgrade when:
- The Cisco ASA has AnyConnect Client Version X configured.
- The Microsoft Windows machine at some point in the recent past has had Version X or later installed.
- The system administrator completed a machine restore on Microsoft Windows to a point in time where the AnyConnect Client Version Y was installed, and Version Y is older than Version X.
In this situation, the next time that a user connects from the machine after the system restore, the expected behavior is for the AnyConnect Client to upgrade itself, because it runs an earlier version than the one that is configured on the ASA. However, this does not occur.
When a VPN connection is initiated to a head-end, the AnyConnect Client compares the version that is currently installed on the machine with the version that is configured on the ASA. In order to complete this comparison, it uses the information that is stored in the VPNManifestClient.xml file and/or the VPNManifest.dat file. If the version in the manifest file is earlier than the version that is stored on the head-end, and if the client profile is not configured to bypass the downloader, then the AnyConnect Client automatically initiates the process and upgrades itself.
In the previous scenario, before the system restore was completed, the manifest files correctly indicated that the AnyConnect Client ran Version X or later. However, after the system restore was completed, the manifest files were not modified, even though the AnyConnect Client version was downgraded. This occurs because Microsoft Windows considers the files to be personal documents and does not revert them to the old version. Instead, these files still report the version that was in place before the system restore.
In order to resolve this problem, you must delete both of the files (VPNManifestClient.xml and VPNManifest.dat), which should trigger the software upgrade during the next connection attempt.
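The following PowerShell script is an added example, not Cisco code. It checks for the post-restore condition described above (manifest reports a newer version than the installed client) and deletes both manifest files only in that case. The parameter names `ManifestDir` and `InstalledVersion` are hypothetical and supplied by the operator, because this document does not state the file locations; the version extraction is a heuristic, because the manifest schema is not described here.

```powershell
# Added example, not Cisco code. The folder and the installed version are
# supplied by the operator; neither is taken from this document.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Folder that holds the two manifest files (hypothetical parameter)
    [Parameter(Mandatory = $true)][string]$ManifestDir,
    # Version the client actually runs after the restore, e.g. from its About dialog
    [Parameter(Mandatory = $true)][version]$InstalledVersion
)

$xmlPath = Join-Path $ManifestDir 'VPNManifestClient.xml'
$datPath = Join-Path $ManifestDir 'VPNManifest.dat'

# Heuristic (assumption): collect every dotted x.y.z token in the XML text
# and treat the highest one as the version the manifest records.
$recorded = $null
if (Test-Path -LiteralPath $xmlPath) {
    $text = (Get-Content -LiteralPath $xmlPath) -join "`n"
    $recorded = [regex]::Matches($text, '\d+\.\d+\.\d+') |
        ForEach-Object { [version]$_.Value } |
        Sort-Object -Descending |
        Select-Object -First 1
}

if ($null -eq $recorded) {
    Write-Warning "No version found in $xmlPath; nothing to compare."
    return
}

Write-Output "Installed: $InstalledVersion  Manifest: $recorded"

if ($recorded -gt $InstalledVersion) {
    # The manifest claims a newer client than the one installed, which is the
    # state left behind by the system restore. Remove both files so that the
    # next connection attempt re-evaluates the version.
    foreach ($file in $xmlPath, $datPath) {
        if ((Test-Path -LiteralPath $file) -and
            $PSCmdlet.ShouldProcess($file, 'Delete stale AnyConnect manifest')) {
            Remove-Item -LiteralPath $file -Force
        }
    }
} else {
    Write-Output 'Manifest does not report a newer version than the installed client; files left in place.'
}
```

Run it from an elevated prompt with `-WhatIf` first to see which files would be deleted without removing them.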