
Anyconnect Anyconnect

latenaite2011
Level 4

Is it possible to enable AnyConnect on two interfaces? We're having some performance issues and I tried enabling another spare interface and assigned it a private IP and security level 0. I have also enabled an SSL trustpoint on that interface and enabled it for AnyConnect webvpn. We're using a certificate, just an FYI. We're not able to connect. Just wondering if it is supported to have AnyConnect on more than 1 outside interface and if it is OK to have the interface with a private IP.

 

Thank you in advance,

 

17 Replies

Marvin Rhoads
Hall of Fame

You can configure it on many interfaces.

 

You will most likely be constrained with routing the return traffic properly more so than anything else.

Ok, thank you Marvin!

A related question..

Do you know why, after upgrading from a Cisco ASA 5520 to a Cisco Firepower
2130, when we run the speed test, the performance dropped by 50%? 200MB
(old ASA) versus 100MB (new FP2130).

Thank you!

Check your interface settings and access control policies. Something is not right.

 

I just installed a Firepower 2110 HA pair running FTD for a customer and measured Speedtest results of 980-990 Mbps on a 1 Gbps connection.

Ok, thank you Marvin.

This is an ASA with FP 2130 bundle and we're just using the ASA for VPN
services. The FP is at the default configuration (except interfaces
enabled). They don't need the FP services/configuration yet. What needs to
be done so that the ASA can function normally? The Firepower
configuration for filtering/threat detection etc. will be configured later
but it looks like something needs to happen now?

Thank you!

Is the Firepower 2130 running ASA image or FTD image?

 

 

Hi Marvin,

It is an ASA image.

Thank you!

Hi Marvin,

Here is the file name from the show version of the ASA:


System image file is
"disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.2.2.100.SPA"

Thank you!

If you are running an ASA image on your Firepower 2130 it will not have any of the Firepower NGIPS features. It will run only as a "classic" ASA (no service module) with the difference being that you have the Firepower Chassis Manager (FCM) to do initial setup and manage the physical chassis, deploy the ASA image (logical device) and assign interfaces to the ASA.

 

No Firepower Control license, IPS subscription, URL filtering license or Malware license can be used as those features are not available.

 

You just set up the ASA as usual once you've deployed it via FCM.

Hi Marvin,

Yes, we deployed the physical interfaces via FCM and configured the ASA as
usual. The configuration is working and is fine but we're just seeing some
intermittent drops and the half throughput performance issue before the
upgrade.

We're seeing the following and it looks like it may be related to the cause of
the slow performance:

port-manager: Alert: Internal1/1 link changed to UP
port-manager: Alert: Forcing CPU uplink link state to DOWN
port-manager: Alert: Internal1/1 link changed to DOWN


https://quickview.cloudapps.cisco.com/quickview/bug/CSCvj80946

Confirming this.

Thank you!

Thank you!


The bug details indicate that is cosmetic only and does not affect traffic.

 

You might want to open a TAC case to look into your settings in detail.

Thank you Marvin, I'll follow up on the settings with TAC.

Thanks Marvin, Cisco isn't clear in the ordering guide on the subscription licenses you can add for Firepower with the ASA image, or am I missing something? On CCW you can select the Firepower with ASA software (or FPR2130-ASA-K9) and also select the malware licenses (or FPR2130-ASA-K9) in the bundle option. So this combination is not compatible? Only with FPR2130-NGFW-K9?

When a Firepower appliance (2100, 4100 or 9300 series) is running an ASA image (also known as logical device), the ASA only has capability to run as a base ASA - that is, NO Firepower service module.

 

Thus the IPS subscription, Malware or URL Filtering licenses are all incompatible with that image.
