Understanding ASA AnyConnect Webdeploy

In this post I want to cover the components & general understanding of how the ASA AnyConnect (AC) Webdeploy process works.

First, it is important to understand that the AnyConnect client on an end node is made up of the following applications, and that these components together make the whole process work:

  • vpnui.exe = simply the AnyConnect user interface

  • vpnagent.exe = the agent service in charge of activating the virtual adapter

  • vpndownloader.exe = responsible for applying any changes and new deployments received from the ASA

Note that vpndownloader runs every time a connection is established with the ASA; it determines whether there are any changes to the profiles, group policy, etc. Once those changes have been applied, or if there are none, vpndownloader exits.

End users can watch the process and see everything that occurs via vpnui.exe (the AC GUI). vpndownloader will contact the ASA to check for product & profile updates. Once the entire process is completed, the end user will see the following in the AC UI:

I will cover the Event Viewer logs later in the post so that we better understand the process and how the executables interact with each other.

Regarding product updates, if the version on the client is equal to or higher than the one on the ASA, the product update is unnecessary and is skipped. When debugging, you will see the following in the DART logs:

'AnyConnect update skipped because the version is up-to-date'

However, during the initial connection attempt, if the client version is lower than the one configured in first position for the respective operating system in the ASA WebVPN global config, then the AC GUI will indicate that a new version has been found and will download it from the ASA.

Here is an example of WebVPN global config from ASA:

# show run | i anyconnect

anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.9.03049-webdeploy-k9.pkg 2
anyconnect enable

In the example config above any Windows AnyConnect client running 4.9.03049 will be forced to upgrade upon next VPN connection attempt.
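To make that selection rule concrete, here is a small Python helper, added for this post and not Cisco's or the ASA's own code, that parses `show run | i anyconnect` output, ranks the images per platform by their order number, and decides whether a client at a given version would be forced to upgrade. It goes slightly beyond the Windows-only example above by handling any platform token in the package name; the macOS line in the sample and the ranking of images that carry no order number are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of "show run | i anyconnect" output: the two Windows lines
# are the post's example, the macOS line is added to show per-platform ranking.
SHOW_RUN = """\
anyconnect image disk0:/anyconnect-win-4.9.05042-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-win-4.9.03049-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-macos-4.10.00093-webdeploy-k9.pkg 3
anyconnect enable
"""

# An "anyconnect image" line: flash path, package name, optional order number.
IMAGE_RE = re.compile(
    r"^anyconnect image \S*?anyconnect-(?P<platform>[a-z0-9]+)-"
    r"(?P<version>\d+(?:\.\d+)+)-webdeploy-k9\.pkg(?:\s+(?P<order>\d+))?$"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.9.05042' -> (4, 9, 5042): compare numerically, never as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_images(show_run: str) -> Dict[str, List[Tuple[int, str]]]:
    """platform -> [(order, version), ...] sorted by order number.
    A line without an order is ranked after numbered ones by config position
    (an assumption made for this example, not documented ASA behaviour)."""
    images: Dict[str, List[Tuple[int, str]]] = {}
    for pos, line in enumerate(show_run.splitlines(), start=1):
        m = IMAGE_RE.match(line.strip())
        if not m:
            continue  # "anyconnect enable" and unrelated lines are skipped
        order = int(m["order"]) if m["order"] else 1000 + pos
        images.setdefault(m["platform"], []).append((order, m["version"]))
    for entries in images.values():
        entries.sort()
    return images

def first_image_version(show_run: str, platform: str) -> Optional[str]:
    """Version of the image the ASA offers first for this platform, if any."""
    entries = parse_images(show_run).get(platform)
    return entries[0][1] if entries else None

def upgrade_required(show_run: str, platform: str, client_version: str) -> bool:
    """True when the client is older than the first-listed image for its OS.
    Equal or newer clients skip the product update (the 'update skipped
    because the version is up-to-date' case from the DART logs)."""
    top = first_image_version(show_run, platform)
    if top is None:
        return False  # nothing staged for this OS, so nothing to push
    return parse_version(client_version) < parse_version(top)
```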

Once the downloads from the ASA are complete, the update starts locally on the client. Once it starts, the AC GUI closes so that AnyConnect and its associated modules can be updated. To clarify further, vpndownloader retrieves everything it needs from the ASA's webdeploy .pkg file and installs the configured modules.

After the upgrade is complete the end user is able to initiate VPN connectivity to the ASA and connect to the VPN using the upgraded client.

Lastly, you can view the process via Event Viewer on a Windows client. In relation to this post about AnyConnect & ASA webdeploy upgrades, here are some important logs that aid in understanding the connection attempt, the update check, & the communication between the different components:

  1. The AnyConnect Downloader is performing update checks... --vpnui.exe

  2. Checking for profile updates... --vpndownloader.exe

  3. Message type information sent to the user:

  4. Checking for profile updates... --vpnui.exe

  5. Checking for product updates... --vpndownloader.exe

  6. Message type information sent to the user:

  7. Checking for product updates... --vpnui.exe

  8. *If running an up-to-date version: Skipping update of AnyConnect Secure Mobility Client 4.10.00093 because an up-to-date version is already installed. --vpndownloader.exe

  9. Then vpndownloader will show additional logs stating that it is checking for customization updates. Once done, you will eventually see:

  10. The AnyConnect Downloader updates have been completed. --vpndownloader.exe

  11. Sending progress to UI: The AnyConnect Downloader updates have been completed.

  12. Message type information sent to the user:

  13. The AnyConnect Downloader updates have been completed. --vpnui.exe

  14. Message type information sent to the user:

  15. Establishing VPN session... --vpnui.exe

  16. Message type information sent to the user:

  17. Establishing VPN - Activating VPN adapter... --vpnui.exe

  18. Message type information sent to the user:

  19. Establishing VPN - Configuring system... --vpnui.exe

  20. The VPN connection has been established and can now pass data. -- vpnagent.exe

  21. Lastly, the user will see the VPN state in the AC UI as Connected. The event logs look like this once you reach this state:

VPN state: Connected
Network state: Network Accessible
Network control state: Network Access: Restricted
Network type: Undefined
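As an added example that is not part of the original post, here is a Python helper that walks a constructed copy of the messages listed above, attributes each one to its component from the trailing "--<exe>" tag, records whether the downloader skipped the product update and which version it found installed, and checks that the downloader reported completion before vpnui began establishing the session. The EVENTS list is a constructed sample mirroring the sequence in this post, not a real Event Viewer export.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the Event Viewer messages listed in the post, in order;
# the trailing "--<exe>" names the component that logged each one.
EVENTS = [
    "The AnyConnect Downloader is performing update checks... --vpnui.exe",
    "Checking for profile updates... --vpndownloader.exe",
    "Checking for product updates... --vpndownloader.exe",
    "Skipping update of AnyConnect Secure Mobility Client 4.10.00093 because "
    "an up-to-date version is already installed. --vpndownloader.exe",
    "The AnyConnect Downloader updates have been completed. --vpndownloader.exe",
    "Establishing VPN session... --vpnui.exe",
    "Establishing VPN - Activating VPN adapter... --vpnui.exe",
    "Establishing VPN - Configuring system... --vpnui.exe",
    "The VPN connection has been established and can now pass data. -- vpnagent.exe",
]

SOURCE_RE = re.compile(r"^(?P<msg>.*?)\s*--\s*(?P<exe>\S+\.exe)$")
SKIP_RE = re.compile(r"Skipping update of AnyConnect Secure Mobility Client (\S+) ")

def split_event(line: str) -> Tuple[str, Optional[str]]:
    """'msg --vpnui.exe' -> (msg, 'vpnui.exe'); unattributed lines give None."""
    m = SOURCE_RE.match(line.strip())
    return (m["msg"], m["exe"]) if m else (line.strip(), None)

def summarize(events: List[str]) -> Dict[str, object]:
    """Reconstruct the downloader's decision and whether the tunnel came up.
    'in_order' is True only when vpndownloader reported completion before
    vpnui started establishing the session, the sequence the post describes
    (downloader runs first on every connection, then exits)."""
    by_component: Dict[str, List[str]] = {}
    skipped, version, connected = False, None, False
    done_at = session_at = None
    for idx, line in enumerate(events):
        msg, exe = split_event(line)
        if exe:
            by_component.setdefault(exe, []).append(msg)
        skip = SKIP_RE.search(msg)
        if skip and exe == "vpndownloader.exe":
            skipped, version = True, skip.group(1)
        if "updates have been completed" in msg and exe == "vpndownloader.exe":
            done_at = idx
        if msg.startswith("Establishing VPN session") and session_at is None:
            session_at = idx
        if "can now pass data" in msg and exe == "vpnagent.exe":
            connected = True
    in_order = done_at is not None and session_at is not None and done_at < session_at
    return {"by_component": by_component, "update_skipped": skipped,
            "installed_version": version, "connected": connected, "in_order": in_order}
```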

That about wraps this post up. I hope you now have a better understanding of how ASA AnyConnect Webdeploy works from a component perspective. Cheers!
