Cisco Defense Orchestrator

Configuring Remote Access VPN for an FTD

Cisco Defense Orchestrator (CDO) provides an intuitive user interface for configuring a new Remote Access Virtual Private Network (RA VPN). It also lets you quickly configure an RA VPN connection for multiple Firepower Threat Defense (FTD) devices that have been onboarded to CDO. AnyConnect is the only endpoint client supported for RA VPN connectivity to FTD devices.

When the AnyConnect client negotiates an SSL VPN connection with the FTD device, it connects using Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). DTLS avoids the latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. The client and the FTD device negotiate which TLS/DTLS version to use; DTLS is used whenever the client supports it.

Cisco Defense Orchestrator (CDO) supports the following aspects of RA VPN functionality on Firepower Threat Defense devices: 

  • SSL client-based remote access 
  • IPv4 and IPv6 addressing
  • Shared RA VPN configuration across multiple FTD devices 


If an onboarded FTD device (running software version 6.7 or later) contains an RA VPN configuration that uses a SAML server as the authentication source, CDO doesn't populate the AAA details in the connection profile, because it doesn't manage SAML server objects in the current release. As a result, you can't manage such an RA VPN configuration from CDO. CDO does, however, read the RA VPN connection profile and the associated trusted CA certificate and SAML server objects.
