13278 Views | 17 Helpful | 30 Replies

Cisco FTD VPN access / Geolocation block for Control Plane

Umer Khan
Level 1

We have Cisco FTD 2110s that are managed with FMC and we are trying to figure out how to block access to our remote access VPN by IP. We already have a geolocation block for Access Control in FMC. But, are we still not able to do geo-ip-based restrictions for the control plane traffic?

30 Replies

@davidburke841 have you implemented the hardening recommendations described here: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html#toc-hId-2028751869 ?

Those are available now across multiple releases.

7.7 will be adding the geolocation blocking feature for RA VPN. We currently expect it around February this year.

The best way we figured out how to remedy this was to create URL aliases for your Remote Access VPN profiles. We've worked out a pretty seamless process where we create a new alias, then change the URL alias for our VPN profiles once a year by changing the AnyConnect Client Profile XML file that the clients download. We leave the old alias in place for a week or two, and then delete it. We're changing the URL just to make sure old employees or vendors aren't able to try to get in if they don't have the URL, so it works pretty well.

We had the same problem as you and it was taking a lot of manpower to stay ahead of password sprays, so this was the next best thing since we didn't want to put another firewall in line. 

Edit: Also, we changed the RA port from 443 to a new one. So our alias looks something like https://remoteaccess.somedomain.com:5593/random30CharacterString
Once that URL is in the XML file and users authenticate once, the client will point to the new URL for all subsequent connections.

davidburke841
Level 1

@Rob Ingram Thanks Rob! Looks like I need to do a .X upgrade to get this feature. I noticed that 7.6 wasn't recommended yet so I assumed 7.7 was a ways out.

Remember though, shunning isn't necessarily a permanent block. Do a bit of reading on shunning first before you decide to do an upgrade from the recommended FTD version.

We're not supposed to talk about fight club, but I might be able to confirm geo fencing for VPN access in 7.7 is cool. I might also be able to confirm that this version is hypothetically legit in a number of other areas.

Hello,

Do you know a bit more in detail how Geo Fencing will work in 7.7?

If we have a single public IP (single FQDN) with 3 x Group Policies (UserGroup), let's say for Admin, Users, Partners.

Is it possible to apply Geo Fencing to a specific UserGroup?

Thank you!

The 7.7+ feature uses a "service access object". Those can include networks and geolocations. (They are the same geolocation selection types you can apply to an ACP rule today.) The service access object is then applied per connection profile (aka tunnel-group).  They are NOT applied per group policy.

So depending on how you have chosen to implement your group policies, you may or may not be able to use differentiated service access objects. Some organizations associate group policies with unique tunnel groups. In that case - yes, you can have unique geolocation policies. Others use a single connection profile and dynamically assign group policy via RADIUS. That would use only one common geolocation policy.

Thank you @Marvin Rhoads, those details are much appreciated.
What you're saying makes sense; I have no further question marks and I can plan a target VPN design accordingly.
Thanks again!

sameertsm
Level 1

Hi Umer,

I was trying to use (ver 7.4.2) a Geolocation object to block certain countries, but so far it's not working for us when used in an ACL (Outside to Any). Could you share how you managed to make it work please?

@sameertsm prior to version 7.7 you could only use IP addresses in a control plane ACL - NOT Geolocations.

Control Plane ACL configuration is covered in detail here: https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html
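As an added illustration of the pre-7.7 control-plane ACL Marvin is pointing at (this fragment is not taken from the linked Cisco document and is not anyone's configuration from this thread): ASA-syntax lines of the kind you would put into an FMC FlexConfig object and deploy to the FTD. The object-group and ACL names, the interface nameif `outside`, and the 203.0.113.0/24 and 198.51.100.7 sources are constructed placeholders (RFC 5737 documentation addresses), so substitute your own.

```cisco
! Constructed example: sources to be blocked from reaching the FTD itself (to-the-box traffic).
! Through-the-box traffic is unaffected; that is still governed by the Access Control Policy.
object-group network RAVPN_BLOCKED_SOURCES
 description Sources observed password-spraying the RA VPN portal (placeholder addresses)
 network-object 203.0.113.0 255.255.255.0
 network-object host 198.51.100.7

! Deny the listed sources to the firewall's own addresses, then permit everything else.
! Keep the final permit: an ACL ends in an implicit deny, and a control-plane ACL without one
! would also cut off legitimate VPN users, site-to-site peers and anything else that
! terminates on the outside interface.
access-list CP_OUTSIDE_IN extended deny ip object-group RAVPN_BLOCKED_SOURCES any
access-list CP_OUTSIDE_IN extended permit ip any any

! The control-plane keyword is what makes this a to-the-box ACL rather than a through-the-box one.
access-group CP_OUTSIDE_IN in interface outside control-plane
```

Strip the `!` comment lines before pasting into the FlexConfig object if your FMC version rejects them. After deployment, `show running-config access-group` on the FTD CLI confirms the ACL is bound with `control-plane`, and `show access-list CP_OUTSIDE_IN` shows hit counts on the deny line, which is the quickest way to tell the block is actually catching the sources you listed. Because only IP addresses can appear here before 7.7, the list has to be maintained by hand, which is the cumbersome part the thread describes.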

Cheers Marvin, we've been looking into FlexConfig already but it seems a bit cumbersome as you have to find and add IPs compared to how easy it is on other platforms. But as you have pointed out, it's the only option until we are on 7.7.

Chess Norris
Level 4


I upgraded my lab 1010 to 7.7 just to test this, but I thought it was a bit of hit & miss. It worked sometimes but other times not, even though I used the same source IP.

I also couldn't find those blocked events in FMC under connection events. Instead I needed to search the syslog for this.

(attached image: geoblocking.jpg)

Anyway, here's a guide that explains how to configure this. It was quite straightforward.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222810-configure-geolocation-based-policies-for.html 

/Chess

@Chess Norris you will not see it in Unified Events - that's currently by design. I did suggest during beta testing that Cisco add it there but it did not get integrated into the release software.

You can see it in the FMC GUI under Devices > Troubleshoot > Troubleshooting Logs.

cflax
Level 1

@Marvin Rhoads Is 7.7 not supported for FTD 2110? They can only go up to v7.4.2
