Cisco Firepower and SSL VPN

Hi guys,

I have a Cisco Firepower 4110 NGFW with Firepower Threat Defense software version 6.0.1, and I also have FMC for management.

I'm actually migrating the configuration from an old ASA to this 4110 appliance.

On my ASAs, I have an SSL setup and configuration.

Does the Firepower 4110 NGFW with FTD version 6.0.1 or with FMC support SSL VPN?
Can I migrate my SSL config using an AnyConnect Apex license?

Regards

1 Accepted Solution

Marvin Rhoads
Hall of Fame

No.

SSL VPN is slated for release in FTD 6.2.1, due out in the coming month or so.

How Cisco handles license migration and entitlements has not yet been announced.

We have been told (at Cisco Live Melbourne) that the initial release will not have clientless SSL VPN or AD-based authentication. 

Of course, if you operate an ASA logical device on your 4110 instead of FTD you will have full feature compatibility.

6 Replies

Hi Marvin,

Do you know the max SSL VPN connections the Firepower 2110 can handle? And if there are any supporting docs in that regard, I'd appreciate that.

thank you

The datasheet here:

http://www.cisco.com/c/en/us/products/collateral/security/firepower-4100-series/datasheet-c78-736661.html

...needs its Table 3 updated. I have submitted feedback to get that done.

Meanwhile you can see in Table 2 that they list 1,500-10,000 VPN peers depending on the model (2110, 2120, 2130, or 2140). I believe this number is intended to cover both IPsec (site-to-site) and SSL VPN.

Hello Marvin,

Looks like 6.2.1 was released towards the end of last month. Is there documentation that lists the limited features for AnyConnect in 6.2.1? What is the roadmap for full-feature AnyConnect?

-Priyank

The currently unsupported features are listed in the 6.2.1 configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

(quoted below for convenience).

Cisco has not shared publicly their plans for eliminating those caveats. They have said it won't be in 6.2.2 (the next expected release). That release will add the same limited support to the remaining FTD platforms (ASA and FirePOWER 4100/9300 appliance series).

The following AnyConnect features are not supported when connecting to a Firepower Threat Defense secure gateway:

  • Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
  • All posture variants (Hostscan, Endpoint Posture Assessment, and ISE) and Dynamic Access Policies based on the client posture.
  • AnyConnect Customization and Localization support. The Firepower Threat Defense device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.
  • Custom Attributes for the AnyConnect Client are not supported on the Firepower Threat Defense. Hence all features that make use of Custom Attributes are not supported, such as: Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.
  • Local authentication: VPN users cannot be configured on the Firepower Threat Defense secure gateway.
  • Local CA: the secure gateway cannot act as a Certificate Authority.
  • Secondary or Double Authentication
  • Single Sign-on using SAML 2.0
  • TACACS, Kerberos (KCD Authentication) and RSA SDI
  • LDAP Authorization (LDAP Attribute Map)
  • Browser Proxy
  • RADIUS CoA
  • VPN Load balancing is not supported.

I really don't understand what the point is of pushing the new 2000 and 4000 series models into the world if they are not ready to take over. One reads all those limitations and makes a decision to go in a different direction from Cisco firewalls. Our clients heard some internal news from Cisco that the ASA5500-X series models will be discontinued within a few years, and now, instead of normally planning upgrades from the older 5500 series models, they think: why would we bother with Cisco and invest in something that will be announced EoL? The 2000 and up series are far from perfect, and what we see in clear text in the release notes is normally half of what one would actually run into while deploying it. Just saying it from experience. The upgrade path documentation doesn't exist, and it is a nightmare for those who manage their firewalls via CLI to migrate rules into the FTD GUI. How would you migrate the configuration from an ASA5515 with 1000 lines? Those are not only access-lists and objects. What about AnyConnect profile customization...?