sysopt-permit VPN on FTD

bobus321 · ‎12-02-2021

Hi

I'm playing with a few FTD managed by FMC (all latest 7.x version)

I'm trying to get my head round how sysopt-permit VPN works on the FTD.

On ASA it's a global settings, and the docs that I've found for FTD also seem to suggest it's a global settings.

But on the same device I can set it in multiple places - on each individual profile for: VPN> s2s>profile>advanced>tunnel>access control policy for decrypted traffic

And also in VPN>RA>access interfaces.

Turning it on or off in one doesn't seem to affect the others, and having it off in one and on in another seems to be unpredictable as to what happens.

So ... is sysopt permit-vpn now supposed to be a more granular thing or is this a gui fail?

balaji.bandi · ‎12-02-2021

how about doing in flexconfig as mentioned below :

https://www.lammle.com/post/cisco-added-the-remote-access-sysopt-permit-vpn-gui-command-in-firepower-ftd-6-3-code/

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/212424-anyconnect-remote-access-vpn-configurati.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marvin Rhoads · ‎12-03-2021

I've found that having it off in any of the various places overrides turning it on in any the rest. Found that out the hard way when a VPN kept failing to work as I wanted.

bobus321 · ‎12-06-2021

Yes, I think this should go down as GUI bug. If it's a global setting, surely it should only be in one place - or at least if it's in multiple places, toggling it in one should affect all instances of that toggle box?

MSJ1 · ‎09-21-2023

Is this issue is fixed ?

blooy · ‎12-14-2023

Still wondering if this issue is fixed yet?