Solved: Re: Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote ... - Page 4

ciscomoderator · ‎04-03-2020

This event continues the conversation of our recent Community Ask Me Anything event "Secure Remote Workers".

Here’s your chance to discuss more about the configuration, troubleshooting and best practices for AnyConnect secure mobility client on a Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD) and its integration with other Cisco security portfolio devices and technologies like ISE and Duo.

This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and Ikev2) including (but not limited to) emergency licenses, configuration, deployment and troubleshooting AnyConnect that provides the security necessary to help ensure that your organization is safe and protected in such critical situation.

To participate in this event, please use the button below to ask your questions

Ask questions from Monday 6 to Friday, April 17, 2020

Featured experts

Dinesh Moudgil is a High Touch Technical Support (HTTS) Engineer with the Security team at Cisco. He has been working on Cisco technologies for more than 6 years focusing on Cisco Next Generation Firewalls, Intrusion Prevention Systems, Identity Management and Access Control (AAA) and VPNs. He holds a CCNP, CCDP and CCIE #58881 certifications, and multiple vendors certifications such as ACE, PCNSE and VCP.

Pulkit Saxena works as High Touch Technical Support (HTTS) Engineer in Security Domain with Cisco bring nearly 7 years of experience in the industry to the team. He has hands on experience with multiple firewalls, different VPN solutions, AAA and Next Generation IPS along with delivering multiple trainings. Pulkit holds certifications from multiple vendors, namely Cisco and Juniper, (CCIE Security and JNCIA).

Jason Grudier is the Technical leader on the VPN TAC team in Raleigh, NC. He has been working for Cisco on the VPN team for six years. Prior to joining the team, he was a network engineer at Labcorp. He works primarily with AnyConnect troubleshooting and configuration across all Cisco platforms as well as DMVPN, GETVPN, Radius, LDAP and Certificate authentications.

Gustavo Medina is a Systems Sales Engineer with the Enterprise Networking Sales team. He has more than 10 years of experience in security and enterprise networking. In his career he has focused on different tasks from technical escalations and partner adoption to the revision of Cisco Certification evaluations. Gustavo holds a CCNA, CCNP CCSI, and a CCIE in security (#51487).

Due to the anticipated volume for this high in-demand event, Dinesh, Pulkit, Jason and Gustavo might not be able to answer each question. Thus, remember that you can continue the conversation directly in the Security community.

By posting a question on this event you're giving permission to be translated in all languages we have in the community.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

Yanli Sun · ‎04-08-2020

this is a question from Chinese community member fengbofeng2224

I am reviewing the firepower product sheet，would like to know which value should I refer to regarding ssl vpn throughput?

Tls？

Thanks.

Pulkit Saxena · ‎04-08-2020

Hi Yanli,

Please confirm the hardware for which you are looking for SSL VPN throughput details and the document you are referring to.

-
Pulkit

david.haughn · ‎04-08-2020

Hey guys, thanks for doing this. Lots of good info so far.

We still occasionally have trouble distributing a profile for anyconnect to new users to fix the 12 second authen timeout issue. This is an issue because our users can still choose to have their two-factor method be a phone call or to reply back to a text message. Also, we have clientless SSL turned off but allow users to login and download the latest client from the firewall through this portal.

My question is, can I somehow attach the default vpn profile to this client download, even though we have clientless vpn turned off?

jgrudier · ‎04-08-2020

There is no practical way to push out the xml file with the downloads from a clientless connection. The best approach to push this xml profile out, if users are having issues connecting because of the timeout, would be to push this xml profile out with a GPO if you have that option. Additionally, you could just create a seperate tunnel-group, that only has user/pass login, that users can use to download the modified profile. This could then map them to the correct tunnel-group and group-policy after the timeout has been modified.

Gustavo Medina · ‎04-08-2020

Hello @david.haughn

Once your users download the Anyconnect client, the first time they connect they will download the profile. There are different options for deployments like yours:

Have a basic connection profile without two-factor authentication, without access to the internal. This is just for users to download the profile.
Distribute the profile to your users with GPO or similar method to the correct location (Users already have the client installed).
Use pre-deployment option and build your custom .MSI package with your own profile included and distribute it so once the users install it, the profile will be ready.

Regards,

Gustavo

antonkolev · ‎04-08-2020

I have bandwidth related question

when I am not on the VPN I can get the full speed of the bandwidth provided from my ISP , when I connect to SSL VPN ( anyconnect ) I am not getting even half of it . I understand for the overhead of the packet but how you can solve this or what are most of the solutions

jgrudier · ‎04-08-2020

Did you read through the rest of the questions here? Gustavo answered another question almost identical to this one that might be able to help you out. If you still have questions after this, let us know and we will do our best to answer them

antonkolev · ‎04-08-2020

how would you integrate WSA with ASA for webvpn users ( full vpn tunnel )

Would you prefer umbrella integration with anyconnect

Gustavo Medina · ‎04-08-2020

Hi @antonkolev ,

Just replied this on the following discussion:

https://community.cisco.com/t5/web-security/cisco-anyconnect-wsa-wccp/td-p/2611624

Let me know if you want to expand further.

telecomunicacionesexperta · ‎04-08-2020

Hi!

Is there any option to configure a web vpn ssl on a FTD with FMC?
Thanks

jgrudier · ‎04-08-2020

There is no option for clientless vpn on the FTD device managed by FMC or FDM. The only option is the portal that will allow you to download the client.

BasavarajNingappa6558 · ‎04-08-2020

Hi Team,

we don't have AMP for endpoints implemented in our network, but if I still want to use AMP with anyconnect VPN what are the license I should have, right now we have AnyCconnect apex license and implemented AnyConnect with FTD and all working fine

looking for options with Anyconnect with AMP?

Thanks/Basavaraj

Gustavo Medina · ‎04-08-2020

Hi @BasavarajNingappa6558

AMP4E is based on the amount of Endpoints you want to protect. Besides the Anyconnect licenses you need the AMP4E licenses. For deployment, you can use the AnyConnect AMP Enabler which is used as a medium for deploying Advanced Malware Protection (AMP) for endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base.

Here is the ordering guide.

https://www.cisco.com/c/dam/en/us/products/collateral/security/fireamp-endpoints/guide-c07-740737.pdf

AMP4E was recently added to our Remote Secure Worker Offer for COVID-19 as you can read here:

https://blogs.cisco.com/security/expanding-free-security-offers-into-customers-endpoints

With this new addition, existing customers can exceed their device limit by two times to support an increase in remote workers. To take advantage of this offer, they simply install AMP for Endpoints Connectors on extra devices, and no other action is required. As with our AnyConnect, Umbrella and Duo offers, this will be available until July 1, 2020

-Gustavo

giovanni.augusto · ‎04-09-2020

Hi,

First of all thank you for this initiative, I am personally gathering a lot of information indirectly and I have surely bookmarked this discussions, I am sure that it will be among my top 10 bookmarks for a long time :)

Question :

We use SBL (Start before logon) module for remote workers as all of them inherited from on-premises no cached credentials for their workstations in windows.

Everything is working fine but even when an agent has a profile in anyconnect they can select during the windows logon screen they end up in anyconnect to have a generic FQDN of the profile along with the profile name.

This causes some confusion to our users as if for any reason they have to reconnect they have the profile name listed and also the FQDN and I haven't find yet a way to prevent this.

Is it possible to prevent the FQDN to be listed in anyconnect and have only the profile name?

Pulkit Saxena · ‎04-09-2020

Hi Giovanni,

Thank you for the kind words.
Can you share the screenshot of this, where you see the profile name and FQDN both ?

-
Pulkit

Community Ask Me Anything- Configuration, Troubleshooting and Best Practices: AnyConnect Remote Access VPN on ASA and FTD.

Doc - Troubleshooting de tráfico de datos y control en el FTD

IOS-XEとAnyconnectでRemote Access FlexVPNを設定

ASA/FTD: VPN Load Balancing の設定と確認例

Cisco AnyConnect Secure Mobility Client を使用して Remote Access VPN を行う際の設定 (1)

Cisco AnyConnect Secure Mobility Client を使用して Remote Access VPN を行う際の設定 (2)