Here’s your chance to discuss more about the configuration, troubleshooting and best practices for the AnyConnect Secure Mobility Client on Cisco Adaptive Security Appliances (ASA) and Firepower Threat Defense (FTD), and its integration with other Cisco security portfolio devices and technologies such as ISE and Duo.
This session provides an opportunity to learn and ask questions about various aspects of AnyConnect implementation (using SSL and IKEv2), including (but not limited to) emergency licenses, configuration, deployment and troubleshooting of AnyConnect, which provides the security necessary to help ensure that your organization is safe and protected in such a critical situation.
Ask questions from Monday 6 to Friday, April 17, 2020
What Jason meant in his earlier post is that you can configure another interface to which you can utilise the /28 subnet and terminate RA-VPN on it. This comes into perspective as you mentioned that you do not want to configure RA-VPN on the existing outside link.
Now in regards to routing and connectivity, the logic remains the same, we need to have the new interface connected to an uplink from where end users can have connectivity/reachability.
Hope this clarifies.
Is it possible to deliver non-Cisco software to the remote VPN user when they log in? I'm looking for a way to deliver the Azure MFA client to the end user. If it is not possible to deliver the software, is there a way to display a message that would require user interaction?
It is not possible to deliver anything from a third party. It can only push AnyConnect modules, customizations and XML profiles. You could modify the login banner to tell them to download the file, but that would require user interaction. Additionally, you could create a login script that would start when the user connected, so if you could make a script that would run and download the program, you could do that from an ASA, but not from an FTD managed by FMC or FDM.
This is a question from Chinese Community member jijunzhang
May I ask whether the FTD version of Firepower does not support the L2TP over IPsec VPN function?
Sometimes, because of some customers' security requirements, the customers do not have permission to install the AnyConnect client on their computers, but they need to get access through the external network.
Is there any function on Firepower as a replacement?
This is a question from Chinese Community member sunbin03351
Can AnyConnect remote access VPN be deployed on ASAv? Is there any configuration guide?
We have configured and are testing a client .xml where FIPS compliance is turned on, and it looks like it is working just fine. Then someone asked, "How do you know it's working?" Other than looking at the .xml every time an auditor wants to see it, is there somewhere else I can verify that FIPS compliance has been engaged?
AnyConnect is set up and I want to configure DAP for anti-malware (antivirus).
I am configuring this via the ASDM.
My question: is there a way to add the antivirus list other than adding each one at a time?
There are so many possible antivirus products for clients, as they are allowed to BYOD. Adding all of them manually will be time-consuming and inefficient.
Thank you in advance for your consideration.
There are 2 ways you can address this issue.
1. Instead of performing a check for each AV, you can perform a check based on Vendor.
2. To avoid adding the attributes on ASDM, you can run the commands "debug menu dap 1" and "debug menu dap 2" [these are show commands for DAP configuration], and then copy the output, modify them in a text editor as per the requirement filling in all the required AVs and then upload dap.xml on the ASA.
I am having a problem with FTD and AnyConnect 4.8.02042 with profiles on Windows and Mac. I make some changes with the stand-alone profile editor and move it to the Profiles folder in ProgramData. Things like HostEntry and AllowManualHostInput are being recognized and applied. But changes to AuthenticationTimeout and EnableScripting are not.
After every change I am exiting the AnyConnect client and restarting the service, I also restarted the computer for good measure. I can see what settings are being applied from the Event Viewer.
Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
It does not look like the FTD has a profile applied to it since no files are downloaded to the Profiles folder. I have also passed the XML file through a validator with the XSD file.
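The log line quoted in the post above states the rule the client applies: a locally placed profile is only honoured when the host the user selects appears in the profile's ServerList section; otherwise the client falls back to default preferences and settings such as AuthenticationTimeout and EnableScripting never take effect. The script below is an added example (not code from the thread, from Cisco, or from the poster) that performs that check offline against a constructed sample profile. The element names and the `http://schemas.xmlsoap.org/encoding/` namespace are those used by AnyConnect profile XML; the fallback default values in `DEFAULTS` and the matching of the selected host against both HostName and HostAddress are assumptions made for illustration.

```python
"""Report which AnyConnect profile settings would take effect for a chosen host.

Added example, not part of the original thread. It models the rule from the
client's "Using default preferences" log message: settings from a local
profile count only when the selected host is listed in <ServerList>.
"""
import xml.etree.ElementTree as ET

# Namespace used by AnyConnect client profiles.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile for this example (not the poster's file).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>30</AuthenticationTimeout>
    <EnableScripting UserControllable="false">true</EnableScripting>
    <AllowManualHostInput>false</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Assumed fallback values used when the profile is not applied; the real
# defaults are documented by Cisco and may differ per release.
DEFAULTS = {
    "AuthenticationTimeout": "12",
    "EnableScripting": "false",
    "AllowManualHostInput": "true",
}
WATCHED = tuple(DEFAULTS)


def parse_profile(xml_text):
    """Return (set of listed hosts, dict of watched ClientInitialization values)."""
    root = ET.fromstring(xml_text)
    hosts = set()
    for entry in root.findall("./ac:ServerList/ac:HostEntry", NS):
        # Assumption: either the display name or the address may be selected.
        for tag in ("HostName", "HostAddress"):
            el = entry.find(f"ac:{tag}", NS)
            if el is not None and el.text:
                hosts.add(el.text.strip().lower())
    settings = {}
    init = root.find("ac:ClientInitialization", NS)
    if init is not None:
        for tag in WATCHED:
            el = init.find(f"ac:{tag}", NS)
            if el is not None and el.text is not None:
                settings[tag] = el.text.strip()
    return hosts, settings


def effective_settings(xml_text, selected_host):
    """Return (profile_applied, settings the client would actually use)."""
    hosts, settings = parse_profile(xml_text)
    applied = selected_host.strip().lower() in hosts
    if not applied:
        # Host not in ServerList: the client uses default preferences.
        return False, dict(DEFAULTS)
    return True, {k: settings.get(k, DEFAULTS[k]) for k in WATCHED}


if __name__ == "__main__":
    for host in ("vpn.example.com", "10.0.0.1"):
        applied, used = effective_settings(SAMPLE_PROFILE, host)
        state = "profile applied" if applied else "default preferences"
        print(f"{host}: {state} -> {used}")
```

Running it shows the two outcomes side by side: a host that matches a HostEntry gets the profile's values, while an address typed manually that is not in ServerList gets the defaults even though the same profile file is on disk. If a real deployment shows the "Using default preferences" message, comparing the selected host against the ServerList entries this way is the first thing to check before looking at the individual settings.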