Is 'true' always on VPN possible with AnyConnect?

cfitzgerald
Level 1

I would like to set up VPN so that any time a computer is powered on, it automatically establishes a VPN tunnel, without user intervention, and BEFORE login to Windows. This is possible with Microsoft's Always-On VPN solution and the device tunnel feature.

 

Is something similar possible with AnyConnect and an FTD 6.3 headend? The AnyConnect Always-On docs have this alarming limitation mentioned:

Limitations of Always-On VPN

    If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login.

We really want a true Always-On VPN experience to make management of devices easier, such as applying patches and even OS upgrades. If the VPN requires a user to log in to Windows or the VPN client before the tunnel is established, a lot of these management and maintenance tasks become very difficult.


6 Replies

Hi,

It sounds like you want to use the ASA Management Tunnel VPN. This will automatically establish a VPN when the computer is turned on and does not require the user to log in, which will allow you to perform patch management. The management tunnel is transparent to the user and will disconnect once the user initiates a VPN. When the user disconnects from their VPN, the management tunnel VPN will be re-established.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

Management Tunnel VPN requires AnyConnect 4.7 minimum and will authenticate using certificates in order to be transparent.

HTH

Thank you! This does look like it will fit my needs. Does it work with FTD OS?

Sorry I missed you are running FTD 6.3. Currently FTD does not have full feature parity with ASA software, management tunnel VPN is not supported on FTD yet, not even 6.6.

Thank you Rob. That is disappointing. Do you have a link to a doc that clearly states Management VPN Tunnel is not supported on FTD? The Limitations area of the FMC VPN docs does not list it:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

    Secure Mobility, Network Access Management, and all other AnyConnect modules and their profiles beyond the core VPN capabilities and the VPN client profile.

    Posture variants such as Hostscan, Endpoint Posture Assessment, and ISE, and any Dynamic Access Policies based on the client posture.

    AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

    Custom Attributes for the AnyConnect Client are not supported on the FTD. Hence all features that make use of Custom Attributes are not supported, such as Deferred Upgrade on desktop clients and Per-App VPN on mobile clients.

    Local authentication; VPN users cannot be configured on the FTD secure gateway.

    Local CA, the secure gateway cannot act as a Certificate Authority.

    Secondary or Double Authentication using two sets of username and password from two AAA servers for primary and secondary authentications.

    Single Sign-on using SAML 2.0.

    TACACS, Kerberos (KCD Authentication and RSA SDI).

    LDAP Authorization (LDAP Attribute Map).

    Browser Proxy.

    RADIUS CoA.

    VPN load balancing.

Thanks again for your help Rob. Even though Management VPN tunnel isn't officially supported on FTD, I am still going to try and make it work, since it is mostly an AnyConnect feature set. It appears I just need an Alias for the M-VPN connection profile, and an M-VPN AC profile on the client.
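As an added example (not code from this thread or from Cisco's tooling), the following Python lint checks a client profile for the two properties the replies above tie to a transparent management tunnel: certificate-based authentication, since nobody is logged in to type credentials before the Windows logon, and a UserGroup carrying the alias of the management-tunnel connection profile that the last post mentions. The element names and namespace are assumed from the standard AnyConnect VPN profile XML; the sample profile, hostnames and alias are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Default namespace of AnyConnect client profile XML (assumed from
# profile-editor output; adjust if your profile declares a different one).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: a minimal management-tunnel profile. Hostname, address
# and alias are placeholders, not values from the thread.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Management Tunnel</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
      <UserGroup>MGMT-TUNNEL-ALIAS</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _text(elem, path):
    """Stripped text of the first element at path, or None when absent."""
    found = elem.find(path, NS)
    return (found.text or "").strip() if found is not None else None


def lint_management_profile(profile_xml):
    """Return findings as strings; an empty list means both checks passed."""
    root = ET.fromstring(profile_xml)
    findings = []
    # 1. Certificate authentication: no user is present to enter a password,
    #    so the client must select a machine certificate automatically.
    if _text(root, "ac:ClientInitialization/ac:AutomaticCertSelection") != "true":
        findings.append("AutomaticCertSelection is not true; a pre-login tunnel cannot prompt for credentials")
    # 2. Each server entry must name the management-tunnel connection profile
    #    alias so the headend places the session in the intended tunnel group.
    entries = root.findall("ac:ServerList/ac:HostEntry", NS)
    if not entries:
        findings.append("ServerList contains no HostEntry")
    for entry in entries:
        name = _text(entry, "ac:HostName") or "<unnamed>"
        if not _text(entry, "ac:UserGroup"):
            findings.append(f"HostEntry '{name}' has no UserGroup (connection-profile alias)")
    return findings
```

Run the lint against the XML exported by the profile editor before pushing it to clients; any finding means the tunnel will either prompt or land in the wrong connection profile.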