Enthusiast

Anyconnect Anyconnect

Is it possible to enable Anyconnect on two interfaces? We're having some performance issues and I tried enabling another spare interface and assigned it a private IP and security level 0. I have also enabled the ssl trustpoint on that interface and enabled it for anyconnect webvpn. We're using a certificate, just FYI. We're not able to connect. Just wondering if it is supported to have anyconnect on more than 1 outside interface and if it is ok to have the interface with a private IP.

Thank you in advance,

16 REPLIES
Hall of Fame Master

Re: Anyconnect Anyconnect

You can configure it on many interfaces.

You will most likely be constrained with routing the return traffic properly more so than anything else.

Enthusiast

Re: Anyconnect Anyconnect

Ok, thank you Marvin!
Enthusiast

Re: Anyconnect Anyconnect

A related question:

Do you know why, after upgrading from a Cisco ASA 5520 to a Cisco Firepower 2130, the performance dropped by 50% when we run the speed test? 200MB (old ASA) versus 100MB (new FP2130).

Thank you!
Hall of Fame Master

Re: Anyconnect Anyconnect

Check your interface settings and access control policies. Something is not right.

I just installed a Firepower 2110 HA pair running FTD for a customer and measured Speedtest results of 980-990 Mbps on a 1 Gbps connection.

Enthusiast

Re: Anyconnect Anyconnect

Ok, thank you Marvin.

This is an ASA with FP 2130 bundle and we're just using the ASA for VPN services. The FP is at the default configuration (except interfaces enabled). They don't need the FP services/configuration yet. What needs to be done so that the ASA can function normally? The FirePower configuration for filtering/threat detection etc. will be configured later, but it looks like something needs to happen now?

Thank you!
Hall of Fame Master

Re: Anyconnect Anyconnect

Is the Firepower 2130 running an ASA image or an FTD image?

Enthusiast

Re: Anyconnect Anyconnect

Hi Marvin,

It is an ASA image.

Thank you!
Enthusiast

Re: Anyconnect Anyconnect

Hi Marvin,

Here is the file name from the show version of the ASA:


System image file is
"disk0:/mnt/boot/installables/switch/fxos-k8-fp2k-npu.2.2.2.100.SPA"

Thank you!
Hall of Fame Master

Re: Anyconnect Anyconnect

If you are running an ASA image on your Firepower 2130 it will not have any of the Firepower NGIPS features. It will run only as a "classic" ASA (no service module) with the difference being that you have the Firepower Chassis Manager (FCM) to do initial setup and manage the physical chassis, deploy the ASA image (logical device) and assign interfaces to the ASA.

No Firepower Control license, IPS subscription, URL filtering license or Malware license can be used as those features are not available.

You just set up the ASA as usual once you've deployed it via FCM.

Enthusiast

Re: Anyconnect Anyconnect

Hi Marvin,

Yes, we deployed the physical interfaces via FCM and configured the ASA as usual. The configuration is working and is fine but we're just seeing some intermittent drops and the half throughput performance issue before the upgrade.

We're seeing the following and it looks like it may be related to the cause of the slow performance:

port-manager: Alert: Internal1/1 link changed to UP
port-manager: Alert: Forcing CPU uplink link state to DOWN
port-manager: Alert: Internal1/1 link changed to DOWN


https://quickview.cloudapps.cisco.com/quickview/bug/CSCvj80946

Confirming this.

Thank you!


Hall of Fame Master

Re: Anyconnect Anyconnect

The bug details indicate that it is cosmetic only and does not affect traffic.

You might want to open a TAC case to look into your settings in detail.

Enthusiast

Re: Anyconnect Anyconnect

Thank you Marvin, I'll follow up on the settings with TAC.

Re: Anyconnect Anyconnect

Thanks Marvin, Cisco isn't clear on the ordering guide on the Subscription licenses you can add for Firepower with the ASA image, or am I missing something? On CCW you can select the Firepower with ASA software (or FPR2130-ASA-K9) and also select the malware licenses (or FPR2130-ASA-K9) in the bundle option. So this combination is not compatible? Only with FPR2130-NGFW-K9?

Hall of Fame Master

Re: Anyconnect Anyconnect

When a Firepower appliance (2100, 4100 or 9300 series) is running an ASA image (also known as logical device), the ASA only has the capability to run as a base ASA - that is, NO Firepower service module.

Thus the IPS subscription, Malware or URL Filtering licenses are all incompatible with that image.
