Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

ciscomoderator
Community Manager

This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".

Here's your chance to discuss more about the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.

This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.

To participate in this event, please use the "Join the Discussion: Cisco Ask the Expert" button below to ask your questions.

Ask questions from Monday, April 6 to Friday, April 17, 2020

Featured experts
Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years, focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds CCNP, CCDP and CCIE (#58881) certifications, and multiple vendor certifications such as ACE, PCNSE and VCP.

Pulkit Saxena works as a High Touch Technical Support (HTTS) Engineer in the Security domain with Cisco, bringing nearly 7 years of industry experience to the team. He has hands-on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS, along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper (CCIE Security and JNCIA).

Jason Grudier is the Technical Leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms, as well as DMVPN, GETVPN, RADIUS, LDAP and certificate authentication.

Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks, from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds a CCNA, CCNP, CCSI, and a CCIE in Security (#51487).

Due to the anticipated volume for this high-demand event, Dinesh, Pulkit, Jason and Gustavo might not be able to answer each question. Remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.


133 Replies

Yanli Sun
Community Manager

This is a question from Chinese community member fengbofeng2224:

 

I am reviewing the Firepower product sheet and would like to know which value I should refer to regarding SSL VPN throughput?

TLS?

 

Thanks.

Hi Yanli,

Please confirm the hardware for which you are looking for SSL VPN throughput details and the document you are referring to.

-
Pulkit

david.haughn
Level 1

Hey guys, thanks for doing this. Lots of good info so far.

 

We still occasionally have trouble distributing a profile for AnyConnect to new users to fix the 12-second authentication timeout issue. This is an issue because our users can still choose to have their two-factor method be a phone call or a reply to a text message. Also, we have clientless SSL turned off but allow users to log in and download the latest client from the firewall through this portal.

 

My question is, can I somehow attach the default vpn profile to this client download, even though we have clientless vpn turned off?

There is no practical way to push out the XML file with the downloads from a clientless connection. The best approach to push this XML profile out, if users are having issues connecting because of the timeout, would be to push the profile out with a GPO if you have that option. Additionally, you could create a separate tunnel-group that only has user/pass login, which users can use to download the modified profile. This could then map them to the correct tunnel-group and group-policy after the timeout has been modified.

 

Hello @david.haughn 

 

Once your users download the AnyConnect client, the first time they connect they will download the profile. There are different options for deployments like yours:

  • Have a basic connection profile without two-factor authentication and without access to the internal network. This is just for users to download the profile.
  • Distribute the profile to your users with GPO or a similar method to the correct location (users already have the client installed).
  • Use the pre-deployment option and build your custom .MSI package with your own profile included, and distribute it so that once the users install it, the profile will be ready.

Regards,

Gustavo
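Both replies above come down to getting a modified client profile onto the endpoint, whether through a password-only bootstrap tunnel-group, a GPO push, or a pre-deployment package. The following is an added example, not code from this thread or from Cisco's tooling: a script that raises AuthenticationTimeout in an AnyConnect client profile so a phone-call or SMS second factor is not cut off at the 12-second default, and retargets the profile's HostEntry from the bootstrap group to the production tunnel-group. The FQDN vpn.example.com, the group names bootstrap-userpass and employees-2fa, and the 60-second value are assumptions chosen for illustration; the 12-second default and the 10-120 second range are the ones the AnyConnect profile editor enforces.

```python
"""Added example (not from the thread or from Cisco): patch an AnyConnect client
profile so a slow second factor is not cut off by the default 12 s
AuthenticationTimeout, and point its HostEntry at the production tunnel-group.
Hostnames, group names and the 60 s value are assumptions for illustration."""
import xml.etree.ElementTree as ET

# Namespace declared on the root element of AnyConnect client profiles.
NS = "http://schemas.xmlsoap.org/encoding/"
ET.register_namespace("", NS)  # serialise it as the default namespace, like the profile editor


def q(tag):
    """Qualify a tag with the profile namespace for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Constructed sample: a minimal profile as a user might receive it on first connect.
# "bootstrap-userpass" stands for the assumed password-only tunnel-group that hands it out.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>bootstrap-userpass</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def read_settings(xml_text):
    """Return (AuthenticationTimeout as int or None, [UserGroup of each HostEntry])."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    timeout = root.findtext(f"{q('ClientInitialization')}/{q('AuthenticationTimeout')}")
    groups = [entry.findtext(q("UserGroup")) for entry in root.iter(q("HostEntry"))]
    return (int(timeout.strip()) if timeout else None), groups


def patch_profile(xml_text, timeout_seconds=60, user_group="employees-2fa"):
    """Return (patched_xml, changes) where changes maps a setting to (old, new).

    The changes dict lets a deployment script log exactly what it altered before
    dropping the file into the AnyConnect Profile folder
    (%ProgramData%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Profile on Windows).
    """
    # The profile editor only accepts 10..120 seconds; keep scripted edits inside that range.
    if not 10 <= timeout_seconds <= 120:
        raise ValueError("AuthenticationTimeout must be between 10 and 120 seconds")

    root = ET.fromstring(xml_text.encode("utf-8"))
    changes = {}

    # ClientInitialization is the first child in the schema, so create it at index 0 if absent.
    init = root.find(q("ClientInitialization"))
    if init is None:
        init = ET.Element(q("ClientInitialization"))
        root.insert(0, init)
    timeout_el = init.find(q("AuthenticationTimeout"))
    if timeout_el is None:
        timeout_el = ET.SubElement(init, q("AuthenticationTimeout"))
    changes["AuthenticationTimeout"] = (timeout_el.text, str(timeout_seconds))
    timeout_el.text = str(timeout_seconds)

    # Retarget every HostEntry at the production tunnel-group. UserGroup follows
    # HostAddress in the schema, so insert it there when the entry lacks one.
    for entry in list(root.iter(q("HostEntry"))):
        group_el = entry.find(q("UserGroup"))
        if group_el is None:
            children = list(entry)
            addr = entry.find(q("HostAddress"))
            idx = children.index(addr) + 1 if addr is not None else len(children)
            group_el = ET.Element(q("UserGroup"))
            entry.insert(idx, group_el)
        key = f"UserGroup[{entry.findtext(q('HostName'))}]"
        changes[key] = (group_el.text, user_group)
        group_el.text = user_group

    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changes


if __name__ == "__main__":
    patched_xml, summary = patch_profile(SAMPLE_PROFILE)
    for setting, (old, new) in summary.items():
        print(f"{setting}: {old} -> {new}")
    print(patched_xml)
```

Run it against a profile exported from the firewall or the profile editor rather than the constructed sample, and re-open the result in the profile editor once; the schema is order-sensitive, and the editor is the quickest way to confirm a scripted edit still validates before it goes into a GPO or MSI package.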

antonkolev
Level 1

I have a bandwidth-related question.

When I am not on the VPN I can get the full bandwidth provided by my ISP, but when I connect to the SSL VPN (AnyConnect) I am not getting even half of it. I understand the packet overhead, but how can you solve this, or what are the most common solutions?

Did you read through the rest of the questions here? Gustavo answered another question almost identical to this one that might be able to help you out. If you still have questions after this, let us know and we will do our best to answer them

antonkolev
Level 1

How would you integrate WSA with ASA for WebVPN users (full VPN tunnel)?

Would you prefer Umbrella integration with AnyConnect?

Hi @antonkolev ,

I just replied to this on the following discussion:

https://community.cisco.com/t5/web-security/cisco-anyconnect-wsa-wccp/td-p/2611624

 

Let me know if you want to expand further.

Hi!

Is there any option to configure WebVPN (SSL) on an FTD managed by FMC?
Thanks

There is no option for clientless vpn on the FTD device managed by FMC or FDM. The only option is the portal that will allow you to download the client.

Hi Team,

 

We don't have AMP for Endpoints implemented in our network, but if I still want to use AMP with AnyConnect VPN, what licenses should I have? Right now we have the AnyConnect Apex license and have implemented AnyConnect with FTD, and everything is working fine.

 

Looking for options with AnyConnect and AMP.

 

Thanks/Basavaraj

Hi @BasavarajNingappa6558 

 

AMP4E licensing is based on the number of endpoints you want to protect. Besides the AnyConnect licenses you need the AMP4E licenses. For deployment, you can use the AnyConnect AMP Enabler, which is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services on its existing user base.

Here is the ordering guide.

https://www.cisco.com/c/dam/en/us/products/collateral/security/fireamp-endpoints/guide-c07-740737.pdf

 

AMP4E was recently added to our Remote Secure Worker Offer for COVID-19 as you can read here:

https://blogs.cisco.com/security/expanding-free-security-offers-into-customers-endpoints

With this new addition, existing customers can exceed their device limit by two times to support an increase in remote workers. To take advantage of this offer, they simply install AMP for Endpoints Connectors on extra devices, and no other action is required. As with our AnyConnect, Umbrella and Duo offers, this will be available until July 1, 2020.

 

-Gustavo

 

Hi,

 

First of all, thank you for this initiative. I am personally gathering a lot of information indirectly and I have surely bookmarked this discussion; I am sure that it will be among my top 10 bookmarks for a long time :)

 

Question :

 

We use the SBL (Start Before Logon) module for remote workers, as all of them, inherited from on-premises, have no cached credentials for their workstations in Windows.

Everything is working fine, but even when an agent has a profile in AnyConnect that they can select during the Windows logon screen, they end up with AnyConnect showing the generic FQDN of the profile along with the profile name.

 

This causes some confusion for our users: if for any reason they have to reconnect, they have the profile name listed and also the FQDN, and I haven't yet found a way to prevent this.

 

Is it possible to prevent the FQDN from being listed in AnyConnect and have only the profile name?

Hi Giovanni,

Thank you for the kind words.
Can you share a screenshot of this, where you see both the profile name and the FQDN?

-
Pulkit