07-12-2023 10:37 AM
I am trying to set up our RAVPN to use the management tunnel. I followed the directions found here.
Configure SSL AnyConnect Management VPN on FTD - Cisco
When I try to connect I get "No valid certificates available for authentication". I am wondering if it is because we use a wildcard certificate. In the article under troubleshooting it does state the following:
Any help would be greatly appreciated.
07-12-2023 11:14 AM
@gcook0001 Do the Windows computers trust the root certificate used by the FTD, and does the FTD trust the machine certificate used by the Windows computers?
07-12-2023 12:52 PM
I think I may have figured out the issue. Just need to figure out what to change. I am using a wildcard certificate issued by GoDaddy for our WAN addresses. I just noticed in the logs the computer is trying to use the certificate for our internal domain. Thanks for pointing me in the right direction. I will let you know how I make out.
07-12-2023 01:19 PM - edited 07-12-2023 01:20 PM
@gcook0001 Add the internal root CA certificates (which issued the certificate to the Windows devices) to the FTD to ensure mutual trust.
07-13-2023 06:28 AM
I am trying to change the certificate and it won't deploy. I checked and I get an error stating:
ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.
ERROR: Trust-point is not enrolled.
Config Error -- ssl trust-point CGC-WILDCARD WAN1-GW
But when I run show crypto ca certificates I get "Associated Trustpoints: cgc-wildcard", and show crypto ca trustpoint gives:
Trustpoint CGC-WILDCARD:
  Subject Name:
    CN=xxx-DC2-CA
    DC=xxx
    DC=local
  Serial Number: -------------------
  Certificate configured.
where DC2 is our internal CA.
07-13-2023 11:14 AM
Does anyone have a guide for setting up RAVPN on FTD/FMC with certificate-only authentication that makes sense? I can't get this to work.
07-13-2023 11:29 AM
@gcook0001 The clients will be authenticating using either a user or machine certificate issued from the internal CA. If the FTD has a wildcard public certificate, it also needs the internal CA certificate imported.
Example:
So for the internal root CA import, use the "Manual" CA-only enrollment type and paste the internal root CA that issued the certificate to the client devices.
AnyConnect will use the "user" certificate by default; if you have a "machine" certificate, then use an AnyConnect profile.
07-13-2023 12:51 PM
So now I can connect using certificate only. But what I don't understand now is that the maintenance tunnel can't connect.
I get the error:
Tunnel group search using certificate maps failed for peer certificate: serial number: xxxxxxxxxxx, subject name: CN=*.ssmic.com, issuer_name: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,…
Both the vpn profile and maintenance profile are the same.
07-13-2023 12:54 PM
And I do have both - cgc is internal and ssmic is external.
07-13-2023 01:02 PM
@gcook0001 are you matching against the correct certificate in the map?
07-13-2023 01:25 PM
OK. I am lost now. What do you mean by matching against the correct certificate in the map?
If I change the certificate here to the internal one, I can't connect at all.
Here it doesn't give me the option to select a certificate
I don't know where else to look
07-13-2023 01:39 PM
@gcook0001 your previous response mentioned a certificate map.
So how have you configured the XML profile for the mgmt tunnel on the devices? The mgmt tunnel needs to use the machine certificate to authenticate; this must be explicitly configured in the XML profile.
You can also turn on debugging: use both "webvpn" and "ssl" logging at "debugging" level to get full visibility of all certificate authentication errors to assist with determining the problem.
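As an added illustration of the point in the reply above (this is example configuration written for this page, not from the original thread, Cisco's guide, or the poster's deployment), here is a minimal AnyConnect management VPN profile that forces the client to authenticate with a certificate from the Windows machine store and only with a certificate issued by the internal CA, so a public wildcard certificate that happens to be installed on the endpoint is never offered. The host name, the address, the connection profile name (UserGroup) and the issuer CN are placeholders and must be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnect management VPN profile (illustrative; all names below are placeholders).
     On Windows the client reads management profiles from
     C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun\ -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>

    <!-- Let the client pick the certificate without prompting; the management tunnel
         runs with no logged-in user, so an interactive prompt would never be answered. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>

    <!-- Restrict certificate lookup to the machine store. With "All" (the default)
         a user certificate, or any other certificate with a private key, may be chosen. -->
    <CertificateStore>Machine</CertificateStore>
    <!-- Allow the machine store to be used even when the process is not running as admin. -->
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Only accept a certificate that is valid for client authentication and that was
         issued by the internal CA. "INTERNAL-ISSUING-CA" is a placeholder issuer CN. -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>INTERNAL-ISSUING-CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>

    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>

  <!-- A management profile carries a single host entry. UserGroup must name the
       connection profile (tunnel group) on the FTD that is set to certificate-only
       authentication; "MGMT-TUNNEL" and the host names are placeholders. -->
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com (management)</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>MGMT-TUNNEL</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The `ISSUER-CN` match is the part that addresses the symptom seen earlier in this thread, where the FTD logged a tunnel-group search failure for a peer certificate issued by GoDaddy: with this match in place the client will not present that certificate at all, and if no machine certificate from the internal CA exists it fails with "No valid certificates available for authentication" rather than authenticating with the wrong one. The FTD side still needs the internal root CA imported as a CA-only trustpoint and a certificate map (or a group URL) that lands the connection in the certificate-only connection profile named in `UserGroup`.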
07-16-2023 12:45 PM
Please provide the DART
07-17-2023 05:21 AM
I opened a ticket with TAC.