From the cli, run the following: show vpn-sessiondb filter <username> (substitute your username for the bracketed parameter). Look for the "tunnel-group" (aka connection profile). https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s14.html#pgfId-1333764 You can also see the similar information under ASDM > Monitor > VPN and choose remote access VPN clients from the dropdown. ... View more

There are data routes for the ASA and separate management-only routes for the management interface - i.e., two separate routing tables (as of ASA 9.5(1)). If you are using the management interface address make sure you have the latter route type setup correctly. https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#concept_40C0C8DE2C1247319250B9F7706C54A5 ... View more

It's not currently supported (as of Firepower 6.4.0.3) nor have I heard of plans to add such support. ... View more

I believe the output of the "show" command is in error. If we configure the settings as suggested: ssl server-version tlsv1.2 dtlsv1.2 ssl client-version tlsv1.2 ssl cipher tlsv1.2 custom "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256" ssl dh-group14 ...and then run nmap with the enum-ciphers (enumerate cryptographic cipher support of the target system https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html), we get Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-30 12:52 Malay Peninsula Standard Time Nmap scan report for 172.31.1.21 Host is up (0.00s latency). PORT STATE SERVICE VERSION 443/tcp open ssl/http Cisco ASA SSL VPN |_http-trane-info: Problem with XML parsing of /evox/about | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A | compressors: | NULL | cipher preference: server |_ least strength: A You can also confirm using openssl and attempting to force an sslv3 connection as follows: root@eve-ng:~# openssl s_client -connect 172.31.1.21:443 -ssl3 140475002840728:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878: root@eve-ng:~# NOTE: Make sure all of your clients have current AnyConnect software (4.7 or later). Otherwise older versions may fail to establish a connection with the server (ASA) when you tighten things down too much: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz41966/?rfs=iqvred ... View more

You're welcome. The only reason I can think anyone would advise running remote access VPN on a separate ASA is if your particular use case had mandatory requirements for some of the few features that are not yet on FTD (clientless, using multiple AnyConnect modules, using Dynamic Access Policies are the big ones). Historically remote access VPN was not supported on Firepower Threat Defense but, since support was introduced about 2 years ago, the feature gap has narrowed quite a bit. ... View more

The ASA 5515-X went end of sales in 2017. https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-738644.html While the 5516-X's Atom C2000 may be in some respects theoretically less capable than the general purpose Intel Clarkdale (and is also susceptible to the dread clock signal bug that bricks the hardware), there are other factors such as having 8 cores vs. 4 and the Cavium Octeon III crypto accelerator in the ASA 5516-X vs. Cavium Nitrox in the ASA 5515-X that affect system performance. ... View more

The bug should have been fixed in ASDM 7.5 and 7.6. The current ASDM release is 7.12(2) and it works fine with the latest Java releases on multiple platforms (Windows, OS X and Linux). ... View more

Google Chrome may be using QUIC (udp/443) to transport Youtube. Try blocking Quic protocol in a rule above the one that blocks Youtube. It should fall back to SSL/TLS (tcp/443) and hit the expected rule and be blocked. ... View more

Good reference @zac ragoonath thanks. As noted in the latest VDB (currently #325), "Cisco Vulnerability Database (VDB) Update 325 supports 3,619 applications." When I create an ACP rule on a Firepower Management Center (version 6.4.0.3 with VDB 325), I see there are 3,527 applications that can be selected for use in the rule. I'm guessing a few can be detected but not used in ACP rules due to some characteristic intrinsic to their nature. As far as detection (vs. vulnerability detection and use in ACP rules), the method that @Ajay Saini mentioned works. There are currently 6850 application detectors in Firepower 6.4.0.3. ... View more

Firepower 2100 series published throughput is the same whether none or all NGIPS features are enabled due to the hardware architecture that's optimized for the software. Palo Alto Networks' appliances generally have one performance specification for no advanced features and then turning on the features (one or all) has a different number that's half the overall appliance throughput. PANW management and deployment time required for changes is generally better than Cisco, especially if you're using FMC. You might want to have a look at Cisco Defense Orchestrator (CDO), the cloud-based management option that recently started supporting FTD. It is very fast and modern. It interacts with the managed devices via API vs. the older sftunnel connections and database synchronization model that FMC uses. Here's a nice CDO demo by Divya Nair: https://www.youtube.com/watch?v=twQ1GI-GA-A ... View more

Sorry. In my experience very very few customers use VXLAN on their ASAs - I've never seen one outside a lab environment. Those who do typically are working directly with Cisco Advanced Services or have significant in house engineering resources and not hanging out on the general support community. ... View more