Skip to main content



Cisco Defense Orchestrator

Guidelines and Limitations for Remote Access VPN

Keep the following guidelines and limitations in mind when configuring RA VPN.

  • CDO configures RA VPN only on FTD devices. 
  • AnyConnect packages must be pre-loaded to the FTD devices using Firepower Defense Manager (FDM).
  • Before configuring RA VPN from CDO:
    • Register the RA VPN license for the FTD devices from FDM.
    • Enable the AnyConnect license from FDM with export-control.
  • CDO does not support Extended Access List object. Configure the object using the Smart CLI in FDM and then use in VPN filter and Change of Authorization (CoA) redirect ACL.
  • The template you create from an FTD device will not contain the RA VPN configuration.
  • Device-specific overrides are required for IP pool objects and RADIUS identity sources. 
  • You cannot configure both FDM access (HTTPS access in the management access-list) and AnyConnect remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. Because you cannot configure the port used by these features in FDM, you cannot configure both features on the same interface.
  • If you configure two-factor authentication using RADIUS and RSA tokens, the default authentication timeout of 12 seconds is too quick to allow successful authentication in most cases. Increase the authentication timeout value by creating a custom AnyConnect client profile and applying it to the RA VPN connection profile, as described in Configure and Upload Client Profiles. We recommend an authentication timeout of at least 60 seconds so that users have enough time to authenticate and then paste the RSA token and for the round-trip verification of the token.
  • Was this article helpful?