cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3675
Views
10
Helpful
7
Replies

ASA-X migration to FTD with Anyconnect SSL

tonypearce1
Level 3
Level 3

I attended a webinar a couple of weeks ago surrounding FTD migration. How do I migrate my Anyconnect SSL licenses over to FTD? I'm unable to find out any information about it. I have an ASA 5515-X with 50 SSL licenses which give clientless web VPN as well as Anyconnect SSL client VPN. 

The reason for the migration is this bug which was raised for me regarding SSL decryption and malware inspection not working on ASA Firepower: CSCvm32267 
The bug is not there in FTD. For me to move to FTD I need to allow my users to SSL VPN. Happy to lose webvpn and have Anyconnect VPN only. The 50 SSL licenses for the ASA-X are not cheap. I raised a case with licensing team and they said I need to throw away and discard the SSL license I have and purchase new SSL FTD licenses. I'm sure they are incorrect but I am unable to find the correct path forward. 

 

Any help appreciated!

 

Edit: updated title to try and attract some help.

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

If they are Anyconnect 4.x licenses you can request they be converted to Smart License entitlements. This use case is covered in the Anyconnect Licensing FAQ here:

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc56

 

If they are old AnyConnect 3.x licenses then they cannot be converted. You need to purchase new licenses.

 

 

View solution in original post

7 Replies 7

Marvin Rhoads
Hall of Fame
Hall of Fame

If they are Anyconnect 4.x licenses you can request they be converted to Smart License entitlements. This use case is covered in the Anyconnect Licensing FAQ here:

 

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc56

 

If they are old AnyConnect 3.x licenses then they cannot be converted. You need to purchase new licenses.

 

 

Thanks. I saw that text in your link already but it doesn't explain it as well as you just have.
I do indeed have anyconnect 3.x licenses. 
I'm waiting for our AM to get back to me but I fear as though I'll be aborting the migration, which is a shame because I've already worked on some of the policies and think it's fantastic. I can't justify the $15,000 to $20,000 (AUD) cost which is in essence to resolve the ASA Firepower bug noted. Although I did hear back from tac on the bug today and they advise that the priority is high (so wont be dumped at the bottom of a queue). I may need to find some patience instead, on this one :)

 

I have an ASA5506 at our remote site that has this same bug. In that site I do not have any anyconnect licenses. So I may migrate that unit over to FTD. 

Thanks for your help.

Understood. Unfortunately you missed the promotion Cisco had a couple of years back when they were offering free AnyConnect Essentials to Plus (and Premium to Apex) license conversions.

 

Personally I prefer and recommend AMP for Endpoints as the first choice for anti-malware (and Umbrella for URL Filtering).

 

SSL decryption en masse is a dead end going forward with the advent of TLS 1.3 and other techniques like certificate pinning that effectively render it useless. The only use case I advocate it for is inbound SSL where you have the server(s) certificate(s) and private keys so that you can effectively decrypt and inspect the traffic without any trickery required on the client side to permit an unexpected certificate to terminate your connection.

Thanks for the info RE the promotion. I didn't even know about that, but I dont think it would have been useful for me back then as it's only been recently that the features needed in the ASA are present in the FTD. 

 

I have AMP for endpoints on our endpoints - very very useful for us and getting better all of the time. 

 

Outbound inspection / signing is on my list of tasks to do :) Although I did try this already using existing knowledge and although the server was accessible, the browser was giving a cert warning. Do you know if this will work with wildcard certs? And do you have a link to a guide handy?

 

 

Kind regards,

Tony

The promotion was pre-FTD to encourage customers to move off of AnyConnect 3.x. Once you have 4.x it can be used on multiple ASAs or, with Smart Entitlement, on FTD both. You are licensed for the number of unique users, not per headend device.

 

A couple of people have posted lab guides on SSL decryption. See labminutes.com and network-node.com.

 

The certificate needs to be a special type issued from an internal CA and it has to be trusted by your clients. Basically more or less like a subordinate CA certificate. A wildcard isn't useful in that case.

Yes I have the outbound access working that way which is utilising my ca
cert. But do you have a guide for the reverse that you mentioned before? I
have a cert from a public authority but the root and immediate cert are not
under my control and are from the public authority. Previous when I thought
about it I took it that it could not be done through firepower. Really it
would be more like a proxy rather than decryption and resigning.

To decrypt incoming traffic for a specific server add the rule to your SSL Policy that's associated with your Access Control Policy.

 

First import the certificate-key pair (PKCS12 format) into your PKI External Certificate objects.

 

Make the rule from outside to your destination server. Make the Action to be "Decrypt -  Known Key" and choose the server certificate-key pair you added as a PKI External Certificate object earlier.

 

Save and deploy.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: