04-15-2019 11:34 PM - edited 04-15-2019 11:55 PM
Hi.
I administer a network with an ASA-5508X, which is configured to support anyconnect clients. It currently runs FTD 6.2.2.1, and is managed by a vFMC running Cisco Firepower Management Center, version 6.2.2.1. (I will at some point upgrade these to the latest versions, currently 6.2.3.10).
I was just downloading the latest version of the Anyconnect client software, and read through the release notes. One new feature stuck out. "Management VPN Tunnel—(Requires ASDM 7.10.1) Ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user."
This is a feature that looks really useful to us; it is something we would have liked to implement long ago. The question I have is: will it work? Obviously we are NOT running ASDM 7.10.1, we are running the completely different FTD software.
So, is it possible to create a management tunnel to a head unit running FTD software, or is that not an option? Anyone with inside information on future support please let me know as well!
Just to add, I already have a CA on the LAN, and have set up VPNs to use machine certificates to authenticate, that is all working. Only issue I seem to have is if it can work with FTD.
Solved!
04-16-2019 05:34 AM
Not available on the FTD as of today.
Compatibilities and Requirements of Management VPN Tunnel
Requires ASA 9.0.1 (or later) and ASDM 7.10.1 (or later)
AnyConnect cert auth will work with FTD, just the advanced features like SCEP proxy and cert enrollment are not supported on the FTD. You would have to get the cert to the client machine some other way.
04-16-2019 09:45 PM
Thanks.
Being a sceptical sort of person, I tried this anyway. Seemed to me that it was more about the client end than the head end. I put together an appropriate profile, loaded it onto the FTD, and gave it a try.
Did not work. The VPN failed to connect, with an error. I forget the exact wording, but it was something like "unable to download configuration".
04-17-2019 12:20 AM