Cisco ISR 4400 series SSLVPN Support

TCC Service
Level 1

Hi,

Do the new Cisco ISR 4400 series routers support SSLVPN?

According to the feature navigator it does, but according to the 4451-X Q&A document it doesn't.

Does this mean that I can or cannot use the AnyConnect client?

Thanks.

Regards,

Armand

Accepted Solutions

ghostinthenet
Level 7

According to all of the documentation I've looked at, the new ISR 4000 series (4300 and 4400) doesn't support SSL VPN at all:

http://www.cisco.com/c/dam/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/enterprise-routing-portfolio-poster.pdf

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/series-comparison.html

It's possible that the AnyConnect client may yet be usable for IKEv2/IPSec VPN connectivity, but SSL appears to be off the table for these units.

My guess would be that the access VPN functionality is being moved exclusively to the ASA portfolio, but that's just idle thinking.

10 Replies

I understand it is on the roadmap with a few other features to be added to the platform.

Byte Solutions, Managed Computer Services
https://www.bytesolutions.com 561.338.9696

Ian Brennan
Level 1

I would really like to hear an official answer from Cisco on this.  Being that the CSR 1000v now has support for SSL VPN, it's not a technical limitation of IOS XE.  I cannot understand why SSL VPN is not available for the 4000 series routers.

This really limits the ability to deploy an "all in one" router to a branch office or small HQ.  We just deployed the FirePOWER on ISR (on a UCS-E blade) for a client to replace their ASA.  It didn't even cross my mind that the new routers wouldn't support SSL VPN.  Of course now that I look at the data sheet I see it says that.  

Why offer a next generation firewall solution for the new ISRs and not have full support for SSL VPN just like the old routers?  Makes no sense!

If it's available on the CSR 1000v, one hopes that it will make an appearance on the other IOS XE devices sooner than later. Do you know when it showed up on the CSR 1000v? I don't recall it being in the initial release.

It certainly wasn't in the initial release of CSR 1000v, looks like it's available as of 3.12S (which I think was first released in March of 2014).  Take a look at the guide here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html

I have to agree with your previous point of Cisco pushing everyone to the ASA for all SSL VPN functions.

Hello.

As per Cisco,  it will be supported on ISR 4000 starting from IOS XE 16.9, that is most probably mid 2019.

HTH

Alexei.

It's a bit strange that it takes five years to make the ISR 4K an in-line replacement for the ISR G2, but I'll take late over never every time.

Mate,

could not agree more!

But this is typical Cisco at their best. :-)

With ASR 1000 being positioned as a 7200 replacement, guess how long did it take for Cisco to implement T1/E1 data for already released HW PRI extension cards? A couple of years... It was a big embarrassment for one design team that came up with ASR 1000 based design using E1 backup links to decomm  a bunch of 7200s and discovered at implementation phase it was not feasible. :-)

I never take their words for granted. :-)

Cheers

Alexei.

Now it's 2019 and there's 16.9.3

Still I can't see how to make AnyConnect work with ISR 4300

Router (config)#crypto ssl ?
  policy    Define SSL policies
  proposal  Define ssl Proposal

Looks like a few missing commands if I try to follow the CSR1000V examples.

@adventurer 

Currently, the only SSL-VPN in IOS XE Gibraltar 16.11.x (latest) is CSR1000v. Even if you can set the configuration, it is not supported.

*SSL VPN Configuration Guide for Cisco Cloud Services Router 1000V Series, Cisco IOS XE Gibraltar 16.11.x
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-16-11/sec-conn-sslvpn-xe-16-11-book/sec-conn-sslvpn-ssl-vpn.html#concept_11DD814971BD4827898E3B94DCACB0EF
>Note This feature is supported on the Cisco CSR 1000V Series Cloud Services Router only.

*ASR1K SSL VPN CLI Should Be Blocked

CSCvg93355
>Symptom:
On the ASR1000 or ISR4000 series router platforms, SSLVPN is configurable but not officially supported.
>Workaround:
Do not configure SSLVPN on ASR1000 or ISR4000 series router platforms