03-30-2025 11:20 PM - edited 03-30-2025 11:21 PM
Hi all,
I have an FTD FDM device and I want to check what I am missing in this setup. I have already completed the following setup as indicated in the Cisco docs.
Link: https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-
Software version:
Cisco Firepower Extensible Operating System (FX-OS) v2.12.1 (build 73)
Cisco Firepower 1140 Threat Defense v7.2.8 (build 25)
1. Enable the RA License in the device - Done
2. I also changed the HTTPS port for the management data interface to a custom port so that it doesn't conflict with the SSL.
3. Setup the Remote Access Profiles
- Local Identity Source for Authentication
- IPv4 address pool
- Session Settings
- Certificate of Device Identity is using the DefaultInternalCertificate (Special Service is set with IPSec and SSL Client)
- Default port (443) (Also, did some custom port like the 8443)
- etc
After the setup, I tried to browse to the public IP of the FDM device (https://X.X.X.X / https://X.X.X.X:XXXX), but I am not seeing anything on the page; it just keeps loading and times out. Additionally, the Secure Connect client is unable to connect as well. I have followed and tested the resources that I found online, but none so far work for me. I am also having trouble getting the pcap file: I am not sure why I am unable to connect and download the PCAP file using an SCP tool; it just keeps loading and the directory is not showing.
Are there any particular settings or additional settings I need to look at or set in the FDM device to get the RA VPN working?
Thank you !
03-30-2025 11:36 PM
@kabskawt does the FTD have a public IP address on the outside interface? Or is it behind a router that requires NAT configured to redirect https to the FTD's outside interface?
Enable debug webvpn anyconnect 255 and try to connect to the VPN using anyconnect/secure client again.
Run show asp table socket to confirm if the outside interface is listening for https on the outside interface.
03-31-2025 12:34 AM
Hello Rob,
Yes, it is assigned with public IP address.
show asp table socket
Protocol  Socket  State   Local Address  Foreign Address
SSL               LISTEN  X.X.X.X:8443   0.0.0.0:*
DTLS              LISTEN  X.X.X.X:443    0.0.0.0:*
I did some tests: I assigned the VPN to one of the internal interfaces and I can see the web page, but after switching back to the outside interface the page doesn't load.
I ran "debug webvpn anyconnect 255" and used system support diagnostic-cli. I am not seeing anything related to my Secure Connect connection attempt; am I doing it correctly?
The Secure Client log shows only this, and based on the Wireshark capture from my laptop I am not seeing any response at all from the FDM.
3:09:11 pm Contacting X.X.X.X:8443.
3:09:57 pm Connection attempt has failed.
3:09:57 pm Unable to contact X.X.X.X.
3:11:29 pm Ready to connect.
Thanks
03-31-2025 12:40 AM
Can you actually ping the outside IP address from the internet?
Is there any device in front of the FTD that could be blocking tcp/8443?
I'd personally change the mgmt port to be something other than 443, and use the standard ports for TLS tcp/443 and DTLS udp/443 for RAVPN.
Take packet captures to confirm the inbound traffic to the FTD - https://www.cisco.com/c/en/us/support/docs/security/sourcefire-firepower-8000-series-appliances/117778-technote-sourcefire-00.html
03-31-2025 02:47 AM
You can use FMC and RA-VPN on one data interface.
You cannot use FDM via a data interface; it is mandatory to use the mgmt interface, and the mgmt interface cannot be used for RA-VPN.
What you are trying is not possible.
Sorry
MHM
03-31-2025 02:56 AM
Hi @Rob Ingram ,
I appreciate your help.
Can you actually ping the outside IP address from the internet?
- I am unable to create the FlexConfig to allow ICMP. I am not sure why it is not working, but I am certain that the ICMP is reaching the firewall based on the logs.
Is there any device in front of the FTD that could be blocking tcp/8443?
- None, it's the ISP gateway device. I am certain that it is not blocked because I can use the custom port and bind it to a socket listener on one of the VMs, and I was able to connect to it without any issue using the outside public IP of the firewall.
I did the packet capture and this is what I get (very strange)
Starting traffic capture, press ctrl + c to exit (Maximum 1,000,000 packets will be captured)
09:35:28.185110 IP X.X.X.X > Y.Y.Y.Y: ICMP echo request, id 1, seq 575, length 40 --ICMP Test
09:35:35.055157 IP X.X.X.X > Y.Y.Y.Y: ICMP echo request, id 1, seq 576, length 40
09:36:27.245516 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [S], seq 890091265, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
09:36:27.585510 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [.], ack 922479056, win 1024, length 0
09:36:30.335538 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [P.], seq 0:1, ack 1, win 1024, length 1
09:36:35.465552 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [P.], seq 1:2, ack 1, win 1024, length 1
09:36:35.795536 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [P.], seq 2:4, ack 1, win 1024, length 2
09:36:36.445564 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [F.], seq 4, ack 1, win 1024, length 0
09:36:36.785542 IP X.X.X.X.63955 > Y.Y.Y.Y.8443: Flags [.], ack 2, win 1024, length 0
X.X.X.X is my public IP and the Y.Y.Y.Y is the public IP of the firewall Outside interface. The test where the 8443 is showing is my test on the VM.
With the same capture procedure, I am not seeing any log the moment I test the 8443 or 443 traffic (telnet to 8443 or using the Secure Client), and this is after I switched the custom port 8443 back to the RA-VPN configuration. I have already changed the HTTP management port of the FDM to 8080.
03-31-2025 03:14 AM
@kabskawt you changed the mgmt port of the data interface (outside)?
Do you have a NAT rule on the outside interface for tcp/443?
I don't have FDM to hand to check, but I am pretty sure you don't need to configure a FlexConfig policy to allow you to ping one of the FTD's interfaces.
03-31-2025 03:37 AM
Hello @Rob Ingram
you changed the mgmt port of the data interface (outside)?
-- I don't fully understand this, but let me clarify. We don't intend to access the FDM through the outside interface, but internally only. The data interface port is currently associated with 8080 and it is only accessible internally using one of the data interfaces.
Do you have a NAT rule on the outside interface for tcp/443?
-- None at the moment. Mainly static NAT for multiple networks to access the internet and one port-forwarding to a TCP listener. I checked the ACL rules and I am certain there is no conflict with the port. I also enabled sysopt permit-vpn to ensure the VPN is not subject to the ACL.
I don't have FDM to hand to check, but I am pretty sure you don't need to configure a FlexConfig policy to allow you to ping one of the FTD's interfaces
-- I am still figuring out how to do it using the ACL, but I cannot make it work. I saw the FlexConfig in another post so I tried to apply it, but it is still not working for me.
I am so lost. Is it normal behavior that even a packet capture/tcpdump is not able to capture the traffic hitting the outside interface if the traffic is destined for the RA-VPN?
Thanks
03-31-2025 03:52 AM
@kabskawt yes I understand you don't want to access FDM using the outside interface, you just need to ensure you don't have a port conflict and use 443 for both - which you appear to have done.
As you've set the mgmt HTTPS port to 8080, is RAVPN configured to use tcp/443 then? If so, run the packet capture on 443, not 8443. Run "show asp table socket" again and confirm it is listening on the correct interface.
03-31-2025 02:59 AM
@MHM Cisco World that is incorrect, you can use the data interface for mgmt.
You just cannot configure both the FDM access (HTTPS access) and remote access SSL VPN on the same interface for the same TCP port, as I'd previously mentioned.
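The two checks Rob describes above (confirm with "show asp table socket" that the VPN listeners are on the outside interface and the expected port, and that the FDM HTTPS port does not collide with the VPN port on that interface) as an added example; this is not code from the thread or from Cisco. It parses a constructed copy of the socket table in the format posted earlier (addresses sanitised, socket ids made up) and reports what would keep Secure Client from reaching the RA VPN.

```python
import re
from typing import Dict, List

# One row of "show asp table socket": protocol, optional hex socket id, state,
# local ip:port and foreign ip:port. Tolerates the id column being absent.
ROW_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?:[0-9a-fA-F]{4,}\s+)?(?P<state>\S+)\s+"
    r"(?P<lip>[^\s:]+):(?P<lport>\d+|\*)\s+(?P<fip>[^\s:]+):(?P<fport>\S+)"
)

# Constructed sample modelled on the output posted in the thread (addresses
# sanitised, socket ids made up): TLS listener on 8443 but DTLS on 443.
SAMPLE_SOCKETS = """\
Protocol  Socket    State    Local Address    Foreign Address
SSL       0002e1a8  LISTEN   X.X.X.X:8443     0.0.0.0:*
DTLS      0002f3c0  LISTEN   X.X.X.X:443      0.0.0.0:*
"""

def parse_listeners(text: str) -> List[Dict[str, str]]:
    """Return the LISTEN rows of the socket table as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("state").upper() == "LISTEN":
            rows.append(m.groupdict())
    return rows

def check_ravpn(text: str, outside_ip: str, vpn_port: int,
                mgmt_https_port: int, mgmt_on_outside: bool) -> List[str]:
    """List what would stop Secure Client reaching RA VPN on outside_ip:vpn_port."""
    rows = parse_listeners(text)
    findings = []

    def listening(proto: str) -> bool:
        return any(r["proto"] == proto and r["lport"] == str(vpn_port)
                   and r["lip"] in (outside_ip, "0.0.0.0") for r in rows)

    # FDM HTTPS and the SSL VPN cannot share a TCP port on the same interface.
    if mgmt_on_outside and mgmt_https_port == vpn_port:
        findings.append(f"FDM HTTPS and RA VPN both use tcp/{vpn_port} on the "
                        f"outside interface: port conflict")
    for proto, transport in (("SSL", "tcp"), ("DTLS", "udp")):
        if not listening(proto):
            seen = [r["lport"] for r in rows if r["proto"] == proto] or ["none"]
            findings.append(f"no {proto} listener on {outside_ip}:{vpn_port} "
                            f"({transport}); {proto} listeners on: {', '.join(seen)}")
    return findings
```

Run against the sample with vpn_port=443 it reports that the TLS listener is on 8443 instead, which is also the port the capture would need to target.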
03-31-2025 03:36 AM
FDM uses only the mgmt interface.
If I am wrong, support Mr. @kabskawt to config the FTD to access it via a data interface.
MHM
03-31-2025 03:43 AM
@MHM Cisco World wrote:
FDM uses only the mgmt interface.
If I am wrong, support Mr. @kabskawt to config the FTD to access it via a data interface.
MHM
FDM (the management of the FTD) doesn't only use the mgmt interface, you can use the data interfaces.
03-31-2025 03:04 AM
Hi @MHM Cisco World ,
Sorry, but I don't quite understand your explanation; kindly elaborate. Currently, the management port of the firewall device is not connected to anything (disconnected) and I am managing the firewall through FDM using one of the data interfaces and a custom port to avoid a conflict with the RA-VPN. Even though they are already using different ports, if I access it via the public IP (https://X.X.X.X or https://X.X.X.X:xxxx) the page is not even showing, and the Secure Connect client is not connecting and just ends up timing out.
I tested this earlier, though, in case you missed it. I set the RA-VPN to one of the internal interfaces and I was able to browse the page internally, but not once it was assigned to the outside interface. My main issue here is that I cannot make the RA VPN work.
Thanks
03-31-2025 03:39 AM
Friend,
There are data interfaces and a mgmt interface.
You can use a data interface (internal or outside) for RA-VPN.
You can use the mgmt interface for FDM.
You can use data or mgmt for FMC.
Here you are trying to use FDM on a data interface, which cannot work.
MHM