Cisco Defense Orchestrator

Guidelines and Limitations of Remote Access VPN for FTD

Keep the following guidelines and limitations in mind when configuring RA VPN.

  • AnyConnect packages must be pre-loaded to FTD version 6.4.0 using Firepower Defense Manager (FDM).
  • Note: For FTD version 6.5.0, upload the AnyConnect package separately using the Remote Access VPN Configuration wizard in CDO.
  • Before configuring RA VPN from CDO:
    • Register the RA VPN license for the FTD devices from FDM.
    • Enable the AnyConnect license from FDM with export-control.
  • CDO does not support the Extended Access List object. Configure the object using the Smart CLI in FDM, and then use it in the VPN filter and the Change of Authorization (CoA) redirect ACL.
  • The template you create from an FTD device will not contain the RA VPN configuration.
  • Device-specific overrides are required for IP pool objects and RADIUS identity sources. 
  • You cannot configure both FDM access (HTTPS access in the management access-list) and AnyConnect remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. Because you cannot configure the port used by these features in FDM, you cannot configure both features on the same interface.
  • If you configure two-factor authentication using RADIUS tokens, the default authentication timeout of 12 seconds is too short to allow successful authentication in most cases. Increase the authentication timeout value by creating a custom AnyConnect client profile and applying it to the RA VPN connection profile, as described in Configure and Upload Client Profiles. We recommend an authentication timeout of at least 60 seconds so that users have enough time to authenticate and then paste the RSA token, and to allow for the round-trip verification of the token.
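
The following is an added example, not Cisco code: a small pre-upload check that reads an AnyConnect client profile and flags an authentication timeout below the 60-second recommendation above. It assumes the profile stores the value in an `AuthenticationTimeout` element and that the 12-second default applies when the element is absent; the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT = 12   # client default named in the guideline above
RECOMMENDED_MIN = 60   # recommended minimum for RADIUS token two-factor auth


def local(tag):
    """Strip the XML namespace so the lookup works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def auth_timeout(profile_xml):
    """Return (seconds, explicit). Assumption: absent element means default."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        if local(el.tag) == "AuthenticationTimeout":
            text = (el.text or "").strip()
            if not text.isdigit():
                raise ValueError(f"non-numeric AuthenticationTimeout: {text!r}")
            return int(text), True
    return DEFAULT_TIMEOUT, False


def audit(profile_xml):
    """Return (ok, message) against the 60-second recommendation."""
    seconds, explicit = auth_timeout(profile_xml)
    source = "set in profile" if explicit else "element absent, default applies"
    ok = seconds >= RECOMMENDED_MIN
    return ok, f"{'OK' if ok else 'TOO SHORT'}: {seconds}s ({source})"


# Constructed sample profiles (not taken from a real deployment).
WRAP = ('<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">'
        "<ClientInitialization>{}</ClientInitialization></AnyConnectProfile>")
SHORT = WRAP.format("<AuthenticationTimeout>12</AuthenticationTimeout>")
FIXED = WRAP.format("<AuthenticationTimeout>60</AuthenticationTimeout>")
MISSING = WRAP.format("<AutoReconnect>true</AutoReconnect>")

if __name__ == "__main__":
    for name, xml in (("short", SHORT), ("fixed", FIXED), ("missing", MISSING)):
        print(f"{name:8s}", audit(xml)[1])
```
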