
Management VPN tunnel with an FTD head end. Possible?

itsupport (Level 1)

Hi.

I administer a network with an ASA-5508X, which is configured to support AnyConnect clients. It currently runs FTD 6.2.2.1, and is managed by a vFMC running Cisco Firepower Management Center, version 6.2.2.1. (I will at some point upgrade these to the latest versions, currently 6.2.3.10.)

I was just downloading the latest version of the AnyConnect client software, and read through the release notes. One new feature stuck out: "Management VPN Tunnel—(Requires ASDM 7.10.1) Ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user."

This is a feature that looks really useful to us; it is something we would have liked to implement long ago. The question I have is: will it work? Obviously we are NOT running ASDM 7.10.1, we are running the completely different FTD software.

So, is it possible to create a management tunnel to a head unit running FTD software, or is that not an option? Anyone with inside information on future support please let me know as well!

Just to add, I already have a CA on the LAN, and have set up VPNs to use machine certificates to authenticate; that is all working. The only issue I seem to have is whether it can work with FTD.


Accepted Solution

Rahul Govindan (VIP Alumni)

Not available on the FTD as of today.


Compatibilities and Requirements of Management VPN Tunnel

Requires ASA 9.0.1 (or later) and ASDM 7.10.1 (or later)


https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect47/administration/guide/b_AnyConnect_Administrator_Guide_4-7/configure-vpn.html


AnyConnect cert auth will work with FTD; just the advanced features like SCEP proxy and cert enrollment are not supported on the FTD. You would have to get the cert to the client machine some other way.


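The accepted answer's practical consequence is that, with an FTD head end, the machine certificate cannot be enrolled through the VPN (no SCEP proxy), so it has to be issued by the LAN CA and delivered to the client by some other channel. The script below is an added example and is not from the thread or from Cisco: it uses openssl to issue a machine certificate from a constructed lab CA, bundles key, certificate and issuing CA into a PKCS#12 for out-of-band import into the client's machine store, and checks chain and EKU before the bundle is handed out. It assumes openssl is installed; the CA name, hostnames, directory and the PKCS#12 password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: issue a machine certificate from a lab CA,
# bundle it as PKCS#12 for out-of-band delivery, and verify it before delivery.
# CA name, hostnames, paths and the PKCS#12 password are constructed here.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Throwaway CA standing in for the corporate CA on the LAN.
make_lab_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a certificate for host $1 with extended key usage $2 (clientAuth for an
# AnyConnect machine cert), then wrap key + cert + issuing CA into a PKCS#12
# that can be imported into the client's machine certificate store.
issue_machine_cert() {
  host="$1"; eku="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -config "$WORKDIR/ca.cnf" \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" 2>/dev/null
  cat > "$WORKDIR/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName   = DNS:$host
EOF
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$host.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/$host.ext" -out "$WORKDIR/$host.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORKDIR/$host.key" -in "$WORKDIR/$host.crt" \
    -certfile "$WORKDIR/ca.crt" -passout pass:constructed-example-pw \
    -out "$WORKDIR/$host.p12"
}

# Gate before delivery: the cert must chain to our CA and carry clientAuth.
# A cert with the wrong EKU otherwise only shows up as a failure at connect time.
verify_machine_cert() {
  host="$1"
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/$host.crt" -noout -text \
    | grep -q 'TLS Web Client Authentication' || return 1
  return 0
}
```

The delivery step itself (importing the .p12 into the OS machine store by MDM, GPO, or a manual import) is the "some other way" the answer refers to and is outside this script. Send the PKCS#12 password over a different channel from the bundle, and remove the exported private key from the issuing host once the bundle has been delivered.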

3 Replies


Thanks.

Being a sceptical sort of person, I tried this anyway. It seemed to me that it was more about the client end than the head end. I put together an appropriate profile, loaded it onto the FTD, and gave it a try.

It did not work. The VPN failed to connect, with an error. I forget the exact wording, but it was something like "unable to download configuration".

It can't be configured in FTD yet. It's an ASA feature.