cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8143
Views
15
Helpful
16
Replies

cisco FTD and SBL start before logon VPNGINA - FTD/FMC 6.2.3

hello

 

anyone already configured vpngina SBL with cisco FTD/FMC 6.2.3 ?

i cannot find option "optional client module to load" or svc modules value vpngina in FMC GUI

 

Anyone managed to get it work ?

using AAA userlogin/pwd ? client certificate ? client certificate + AAA ?

 

using FMC/FTD 6.2.3 and anyconnect 4.6

 

thanks

guillaume.

1 Accepted Solution

Accepted Solutions

Firepower 6.7 will have full support of all the AnyConnect modules built into the GUI.

View solution in original post

16 Replies 16

Marvin Rhoads
Hall of Fame
Hall of Fame

Only the base VPN module is currently supported for installation and associated profile push via FTD remote access VPN.

 

This is true even with the current latest release 6.3:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Hello friends,

 

So, theres no way to set it on FMC?

 

 

Best,

 

Emerson Albuquerque

@emerson.albuquerque1 that remains the case as of the current release (Firepower 6.4.0.2).


Only the base VPN module is currently supported for installation and associated profile push via FTD remote access VPN.

HI. Just to clarify, if I pre-deploy the GINA module to my clients, will Start Before Logon work? The limitations you are referring to are for deploying AnyConnect and related modules from the FTD WEB VPN page, right?

Hi @cfitzgerald 

 

Yes, if you pre-deploy the GINA module and AnyConnect profile to the client computer, SBL will work when connecting to an FTD. FTD just doesn't support the deployment of the SBL module, as the ASA currently does.

 

HTH

My  experience is that the lack of controlling which AnyConnect "modules" get web-deployed via the FTD (compared to the ASA web-deploy) is worse than that.

 

I have had issues where:

* Client has older version of AnyConnect installed (let's say 4.5).

* This includes version 4.5 of Core, DART and vpngina (SBL).

* They connect to the FTD.

* The FTD tries to download and upgrade their "Core" module from 4.5 to whatever it has (let's say 4.8).

* The upgrade FAILS because it doesn't know how to upgrade SBL (vpngina) from 4.5 to 4.8.

* This leaves the client with a non-functional AnyConnect setup (i.e. core not installed any more).

 

Conversely, if they connect to one of my ASA's instead of the FTD, and do the same thing - everything upgrades in-place just fine.

 

Cisco really needs to fix this, it's yet another reason why the FTD/FMC system just isn't a complete replacement for the older ASA line of products.  Too many weird little things like this- IMH(f)O.

Firepower 6.7 will have full support of all the AnyConnect modules built into the GUI.

Really? What's your source? 

@gilbert.aispuro1 my source is hearing it directly from Cisco at Cisco Live Europe earlier this year.

Also I have the beta installed and see it as shown below:

FMC 6.7 AnyConnect Client Modules.PNG

What!! SWEET! 

SOOOOOOO, how do I get that? Not seeing it in Software Downloads in Cisco. :)

@gilbert.aispuro1 "Firepower 6.7 will have" = future tense. It's still in beta. We expect it to be released in September or October this year.

Good to know and thanks!

Marvin - Im using FDM to configure my FTD, would it be the same on FDM?

@chong00011 I don't beelive they have it quite as finished for an FDM-managed FTD device in 6.7.

 

You can use the FTD API to upload module profiles used with AnyConnect, such as AMP Enabler, ISE Posture, or Umbrella. You must create these profiles using the offline profile editors that you can install from the AnyConnect profile editor package.

Cisco added the anyConnectModuleType attribute to the AnyConnectClientProfile model. Although you can initially create AnyConnect Client Profile objects that use module profiles, you will still need to use the API to modify the objects created in FDM to specify the correct module type.

 

API Explorer in FDM 6.7API Explorer in FDM 6.7

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: