Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
290
Views
1
Helpful
3
Replies

Cisco FTD Listening on Port 443 on outside interface

SHABEEB KUNHIPOCKER
Level 3
Level 3

‎09-03-2025 04:47 AM

We underwent a recent security penetration test, which revealed that the outside interface of our Cisco FTD firewall is listening on TCP port 443. According to the configuration, SSL (HTTPS) access on this interface has already been disabled. The FTD is configured with AnyConnect VPN using only IPsec (IKEv2), and not SSL VPN. However, both 'IPSEC IKEv2' and 'IPSEC IKEv2 client services' are enabled under IKEv2 settings (when we check from the CLI). We are not able to find an option to disable client services in FTD. We are also concerned about whether removing the 'client services' configuration would negatively impact their many existing site-to-site VPN tunnels, which are essential for business operations. The issue poses a compliance risk as flagged by the penetration test, but the business must avoid disruption to ongoing operations supported by these tunnels. Please help us to resolve this issue.
 
We have the below commands present in our FTD CLI. We cannot find a way to disable it from FMC. 
crypto ikev2 enable outside client-services port 443
 
Regards
Shabeeb
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎09-03-2025 06:07 AM

If you do not need to download client image and have different way to push to end client, then you can disable.

i dont remember steps on top of my head.

Navigate to VPN settings: Go to Devices > VPN > Remote Access.

Edit the IPSec crypto maps: Under the IPsec tab, find the Crypto Maps section and edit the policy.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-04-2025 07:59 AM - edited ‎09-04-2025 08:00 AM

Disabling client services will not affect site-to-site VPNs.

It will affect the ability to push profile and Secure Client updates as those rely on client services over SSL/TLS - even with a remote access VPN that otherwise uses IPsec IKEv2.

See my whitepaper here for more details: https://community.cisco.com/t5/security-knowledge-base/configuring-ipsec-ikev2-remote-access-vpn-with-cisco-secure/ta-p/4485165

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card