Guidelines and Limitations for Remote Access VPNs

Remote Access VPN Policy Configuration

  • You can add a new remote access VPN policy only by using the wizard. You must proceed through the entire wizard to create a new policy; the policy will not be saved if you cancel before completing the wizard.

  • Two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists.

  • Moving a Firepower Threat Defense device from one domain to another domain is not possible if a remote access VPN policy is assigned to that device.

  • Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration.

  • Remote access VPN connectivity could fail if there is a misconfigured FTD NAT rule.

  • Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the AnyConnect IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the Firepower Threat Defense device before configuring Remote Access VPN.

  • While configuring remote access VPNs using the wizard, you can create in-line certificate enrollment objects, but you cannot use them to install the identity certificate. Certificate enrollment objects are used for generating the identity certificate on the Firepower Threat Defense device being configured as the remote access VPN gateway. Install the identity certificate on the device before deploying the remote access VPN policy to the device. For more information about how to install the identity certificate based on the certificate enrollment object, see The Object Manager.

  • The ECMP zone interfaces can be used in Remote Access VPN with IPsec enabled.

  • The ECMP zone interfaces cannot be used in Remote Access VPN with SSL enabled. Deployment of RA VPN (SSL enabled) configuration fails if all the RA VPN interfaces that belong to security zones or interface groups also belong to one or more ECMP zones. However, if only some of the RA VPN interfaces belonging to the security zones or interface groups also belongs to one or more ECMP zones, deployment of the RA VPN configuration succeeds excluding those interfaces.

  • After you change the remote access VPN policy configurations, re-deploy the changes to the Firepower Threat Defense devices. The time it takes to deploy configuration changes depends on multiple factors such as complexity of the policies and rules, type and volume of configurations you send to the device, and memory and device model. Before deploying remote access VPN policy changes, review the Best Practices for Deploying Configuration Changes.

Concurrent VPN Sessions Capacity Planning (FTDv Models)

The maximum concurrent VPN sessions are governed by the installed FTDv smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

FTDv5

50

FTDv10

250

FTDv20

250

FTDv30

250

FTDv50

750

FTDv100

10,000

Concurrent VPN Sessions Capacity Planning (Hardware Models)

The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

Firepower 2110

1500

Firepower 2120

3500

Firepower 2130

7500

Firepower 2140

10000

For capacity of other hardware models, contact your sales representative.

Note
The FTD device denies the VPN connections once the maximum session limit per platform is reached. The connection is denied with a syslog message. Refer the syslog messages %ASA-4-113029 and %ASA-4-113038 in the syslog messaging guide. For more information, see http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs.html

Controlling Cipher Usage for VPN

To prevent use of ciphers greater than DES, pre-deployment checks are available at the following locations in the Cisco Defense Orchestrator:

Devices > Platform Settings > SSL Settings

Devices > VPN > Remote Access > Advanced > IPsec

For more information about SSL settings and IPsec, see Configure SSL Settings and Configure Remote Access VPN IPsec/IKEv2 Parameters.

Authentication, Authorization, and Accounting

  • Configure DNS on each device in the topology in to use remote access VPN. Without DNS, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames; it can only resolve IP addresses.

    You can configure DNS using the Platform Settings. For more information, see Configure DNS and DNS Server Group Objects.

Client Certificates

  • If you are using client certificates in your deployment, they must be added to your client's platform independent of the Firepower Threat Defense or Cisco Defense Orchestrator. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.

Unsupported Features of AnyConnect

The only supported VPN client is the Cisco AnyConnect Secure Mobility Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the AnyConnect client using a web browser.

The following AnyConnect features are not supported when connecting to an FTD secure gateway:

  • AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

  • TACACS, Kerberos (KCD Authentication and RSA SDI).

  • Browser Proxy.