Upgrade from an earlier version of Anyconnect to version 4.x can be driven by several factors. It can be compliance in order to enable support for SSL version 1.2; or it can be assistance with the deployment of Cisco Umbrella Roaming service that protects devices anywhere against malware, phishing, and cnc; or it can be endpoint posture assessment and remediation service that validates the status of various antivirus, personal firewall, and antispyware products.
Cisco Anyconnect: 3.x/4.x
In order to begin the upgrade process, proper Anyconnect 4.x license key needs to be loaded. Licensing options are either term or permanent and are based on the number of users (not endpoints) meaning the same user can connect from multiple devices and will consume single license. Only one Product Authorization Key (PAK) is needed per fail-over pair.
Activation message reads that Anyconnect Essentials activation key will not be available. It turns out message is a bit misleading because the feature is still enabled as we can see below with show version command.
Next step is to reload Primary and Standby ASA (if applicable).
Next, copy Anyconnect 4.x package files to primary and standby ASA and set Client Images order under Configuration > Network (Client) Access > Anyconnect Client Software.
That’s it. Connect from Anyconnect 3.x client and upgrade will launch automatically.
After the upgrade completes Anyconnect will reconnect automatically.
Anyconnect 4.x is backwards compatible with 3.x so there will be no issues connecting to ASA with Anyconnect 3.x version enabled.
If you do the upgrade you should also address vulnerabilities related to SSL version 1.0 such as POODLE. To do that you need to change SSL version from 1.0 to 1.2. On the same page bump DH modulus to 2048 to fix SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) issue. This is done under Configuration > Advanced > SSL Settings.
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl dh-group group24
Changing to version 1.2 will brake upgrade process. As a workaround, Anyconnect 3.x users will need to uninstall the client and do web install of 4.x from Clientless SSL VPN portal.