06-18-2020 08:48 AM
I would like to setup VPN so that anytime a computer is powered on, it automatically establishes a VPN tunnel, without user intervention, and BEFORE login to Windows. This is possible with Microsoft's Always-On VPN solution, and the device tunnel feature.
Is something similar possible with AnyConnect and an FTD 6.3 headend? The AnyConnect Always-On docs have this alarming limitation mentioned:
Limitations of Always-On VPN: If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login.
We really want a true Always-On VPN experience to make management of devices easier, such as applying patches and even OS upgrades. If the VPN requires a user to log in to Windows or the VPN client before the tunnel is established, a lot of these management and maintenance tasks become very difficult.
06-18-2020 08:58 AM
Hi,
It sounds like you want to use the ASA Management Tunnel VPN. This will automatically establish a VPN when the computer is turned on and does not require the user to log in, which will allow you to perform patch management. The management tunnel is transparent to the user and will disconnect once the user initiates a VPN. When the user disconnects from their VPN, the management tunnel VPN will be re-established.
Reference:-
Management Tunnel VPN requires AnyConnect 4.7 minimum and will authenticate using certificates in order to be transparent.
HTH
06-18-2020 09:21 AM
Thank you! This does look like it will fit my needs. Does it work with FTD OS?
06-18-2020 09:26 AM
06-18-2020 09:45 AM
Thank you Rob. That is disappointing. Do you have a link to a doc that clearly states Management VPN Tunnel is not supported on FTD? The Limitations area of the FMC VPN docs does not list it :
Unsupported Features of AnyConnect
The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.
The following AnyConnect features are not supported when connecting to an FTD secure gateway:
Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.
Posture variants such as Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.
AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.
Custom Attributes for the AnyConnect Client are not supported on the FTD. Hence all features that make use of Custom Attributes are not supported, such as Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.
Local authentication; VPN users cannot be configured on the FTD secure gateway.
Local CA; the secure gateway cannot act as a Certificate Authority.
Secondary or Double Authentication using two sets of username and password from two AAA servers for primary and secondary authentications.
Single Sign-on using SAML 2.0.
TACACS, Kerberos (KCD Authentication and RSA SDI).
LDAP Authorization (LDAP Attribute Map).
Browser Proxy.
RADIUS CoA.
VPN load balancing.
06-18-2020 09:50 AM
Compatibilities and Requirements of Management VPN Tunnel
Requires ASA 9.0.1 (or later) and ASDM 7.10.1 (or later)
06-18-2020 10:00 AM
Thanks again for your help Rob. Even though Management VPN tunnel isn't officially supported on FTD, I am still going to try and make it work, since it is mostly an AnyConnect feature set. It appears I just need an Alias for the M-VPN connection profile, and an M-VPN AC profile on the client.