Guidelines and Limitations of Remote Access VPN for FDM-Managed Device

Keep the following guidelines and limitations in mind when configuring RA VPN.

  • AnyConnect packages must be preloaded onto FDM-managed devices running Version 6.4.0 using firewall device manager.

Note

For an FDM-managed device running Version 6.5.0, upload the AnyConnect package separately using the Remote Access VPN Configuration wizard in Cisco Defense Orchestrator.

  • Before configuring RA VPN from CDO:

    • Register the license for the FDM-managed devices from firewall device manager.

    • Enable the license with export control from firewall device manager.

  • CDO does not support the Extended Access List object. Configure the object using the Smart CLI in firewall device manager, and then use it in the VPN filter and in the Change of Authorization (CoA) redirect ACL.

  • The template you create from an FDM-managed device will not contain the RA VPN configuration.

  • Device-specific overrides are required for IP pool objects and RADIUS identity sources.

  • You cannot configure both firewall device manager access (HTTPS access in the management access-list) and AnyConnect remote access SSL VPN on the same interface for the same TCP port. For example, if you configure remote access SSL VPN on the outside interface, you cannot also open the outside interface for HTTPS connections on port 443. Because you cannot configure the port used by these features in firewall device manager, you cannot configure both features on the same interface.

  • If you configure two-factor authentication using RADIUS and RSA tokens, the default authentication timeout of 12 seconds is too short to allow successful authentication in most cases. Increase the authentication timeout value by creating a custom AnyConnect client profile and applying it to the RA VPN connection profile, as described in Upload RA VPN AnyConnect Client Profile. We recommend an authentication timeout of at least 60 seconds so that users have enough time to authenticate, paste the RSA token, and wait for the round-trip verification of the token.
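As an added example (not part of the Cisco documentation or the CDO product), the following Python script checks an AnyConnect client profile for the AuthenticationTimeout element and raises it to the 60-second minimum recommended above before the profile is uploaded; a profile that omits the element is treated as using the 12-second default. The sample profile is constructed for this example, and its namespace declaration is assumed to match what AnyConnect profiles normally carry.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal AnyConnect client profile for this example (not a
# deployed profile). The namespace is the one AnyConnect profiles declare.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AuthenticationTimeout>12</AuthenticationTimeout>
  </ClientInitialization>
</AnyConnectProfile>
"""

DEFAULT_TIMEOUT = 12  # value AnyConnect assumes when the element is absent
MIN_TIMEOUT_2FA = 60  # minimum recommended above for RADIUS + RSA tokens

def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def _child(parent, name):
    return next((c for c in parent if _local(c.tag) == name), None)

def authentication_timeout(profile_xml):
    """Effective AuthenticationTimeout in seconds (12 when not set)."""
    init = _child(ET.fromstring(profile_xml), "ClientInitialization")
    elem = _child(init, "AuthenticationTimeout") if init is not None else None
    if elem is None or not (elem.text or "").strip():
        return DEFAULT_TIMEOUT
    return int(elem.text.strip())

def enforce_timeout(profile_xml, minimum=MIN_TIMEOUT_2FA):
    """Return (new_xml, old, new): raise AuthenticationTimeout to `minimum` when
    it is lower, creating ClientInitialization/AuthenticationTimeout if absent."""
    root = ET.fromstring(profile_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # write the default-namespace form back out
    qname = (lambda n: f"{{{ns}}}{n}") if ns else (lambda n: n)
    init = _child(root, "ClientInitialization")
    if init is None:
        init = ET.Element(qname("ClientInitialization"))
        root.insert(0, init)
    elem = _child(init, "AuthenticationTimeout")
    if elem is None:
        elem = ET.SubElement(init, qname("AuthenticationTimeout"))
    old = authentication_timeout(profile_xml)
    new = max(old, minimum)
    elem.text = str(new)
    return ET.tostring(root, encoding="unicode"), old, new
```

Run `enforce_timeout(SAMPLE_PROFILE)` to get the rewritten profile text together with the old and new timeout values; a profile already at or above the minimum is returned unchanged in value.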