cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
23090
Views
15
Helpful
6
Replies

Is 'true' always on VPN possible with AnyConnect?

cfitzgerald
Level 1
Level 1

I would like to setup VPN so that anytime a computer is powered on, it automatically establishes a VPN tunnel, without user intervention, and BEFORE login to Windows. This is possible with Microsoft's Always-On VPN solution, and the device tunnel feature.

 

Is something similar possible with AnyConnect and an FTD 6.3 headend? The AnyConnect Always-On docs have this alarming limitation mentioned:

Limitations of Always-On VPN

    If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login.

We really want a true Always-ON VPN experience to make management of devices easier, such as applying patches and even OS upgrades. If the VPN requires a user to login to Windows or VPN client before the tunnel is established, alot of these management and maintenance tasks become very difficult.

1 Accepted Solution

Accepted Solutions

Sorry I missed you are running FTD 6.3. Currently FTD does not have full feature parity with ASA software, management tunnel VPN is not supported on FTD yet, not even 6.6.

View solution in original post

6 Replies 6

Hi,

It sounds like you want to use the ASA Management Tunnel VPN, this will automatically establish a VPN when the computer is turned on and does not require the user to login, this will allow you to perform patch management. The management tunnel is transparent to the user and will disconnect once the user intiates a VPN. When the user disconnects from their VPN, the management tunnel VPN will be re-established.

 

Reference:-

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

 

Management Tunnel VPN requires AnyConnect 4.7 minimum and will authenticate using certificates in order to be transparent.

 

HTH

Thank you! This does look like it will fit my needs. Does it work with FTD OS?

Sorry I missed you are running FTD 6.3. Currently FTD does not have full feature parity with ASA software, management tunnel VPN is not supported on FTD yet, not even 6.6.

Thank you Rob. That is disappointing. Do you have a link to a doc that clearly states Management VPN Tunnel is not supported on FTD? The Limitations area of the FMC VPN docs does not list it :

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

    Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

    Posture variants such as Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.

    AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

    Custom Attributes for the AnyConnect Client are not supported on the FTD. Hence all features that make use of Custom Attributes are not supported, such as Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.

    Local authentication; VPN users cannot be configured on the FTD secure gateway.

    Local CA, the secure gateway cannot act as a Certificate Authority.

    Secondary or Double Authentication using two sets of username and password from two AAA servers for primary and secondary authentications.

    Single Sign-on using SAML 2.0.

    TACACS, Kerberos (KCD Authentication and RSA SDI).

    LDAP Authorization (LDAP Attribute Map).

    Browser Proxy.

    RADIUS CoA.

    VPN load balancing.

Thanks again for your help Rob. Even though Management VPN tunnel isn't officially supported on FTD, I am still going to try and make it work, since it is mostly an AnyConnect feature set. It appears I just need an Alias for the M-VPN connection profile, and an M-VPN AC profile on the client.