Guidelines and Limitations for Remote Access VPNs

Remote Access VPN Policy Configuration

  • You can add a new remote access VPN policy only by using the wizard. You must proceed through the entire wizard to create a new policy; the policy will not be saved if you cancel before completing the wizard.

  • Two users must not edit a remote access VPN policy at the same time; however, the web interface does not prevent simultaneous editing. If this occurs, the last saved configuration persists.

  • Moving a Secure Firewall Threat Defense device from one domain to another domain is not possible if remote access VPN policy is assigned to that device.

  • Remote access VPN does not support SSL while using SaaS or ECMP. We recommend that you use IPsec-IKEv2.

  • Firepower 9300 and 4100 series in cluster mode do not support remote access VPN configuration.

  • Remote access VPN connectivity could fail if there is a misconfigured threat defense NAT rule.

  • If you are using DHCP to provide IP addresses to the client, and the client cannot obtain an address, check the NAT rules. Any NAT rule that applies to the RA VPN network should include the route lookup option. Route lookup can help ensure the DHCP requests are sent to the DHCP server through an appropriate interface.

  • Whenever IKE ports 500/4500 or SSL port 443 is in use or when there are some PAT translations that are active, the Secure Client IPSec-IKEv2 or SSL remote access VPN cannot be configured on the same port as it fails to start the service on those ports. These ports must not be used on the threat defense device before configuring remote access VPN policy.

  • While configuring remote access VPNs using the wizard, you can create in-line certificate enrollment objects, but you cannot use them to install the identity certificate. Certificate enrollment objects are used for generating the identity certificate on the threat defense device being configured as the remote access VPN gateway. Install the identity certificate on the device before deploying the remote access VPN policy to the device.

    For more information about how to install the identity certificate based on the certificate enrollment object, see The Object Manager.

  • The ECMP zone interfaces can be used in remote access VPN with IPsec enabled.

  • The ECMP zone interfaces cannot be used in remote access VPN with SSL enabled. Deployment of remote access VPN (SSL enabled) configuration fails if all the remote access VPN interfaces that belong to security zones or interface groups also belong to one or more ECMP zones. However, if only some of the remote access VPN interfaces belonging to the security zones or interface groups also belongs to one or more ECMP zones, deployment of the remote access VPN configuration succeeds excluding those interfaces.

  • After you change the remote access VPN policy configurations, re-deploy the changes to the threat defense devices. The time it takes to deploy configuration changes depends on multiple factors such as complexity of the policies and rules, type and volume of configurations you send to the device, and memory and device model. Before deploying remote access VPN policy changes, review the Best Practices for Deploying Configuration Changes.

  • Issuing commands such as curl against the RA VPN headend is not directly supported, and might not have desirable results. For example, the headend does not respond to HTTP HEAD requests.

  • You can configure browser proxy using FlexConfig.

Concurrent VPN Sessions Capacity Planning (threat defense virtual Models)

The maximum concurrent VPN sessions are governed by the installed threat defense virtual smart-licensed entitlement tier, and enforced via a rate limiter. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the licensed device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

Threat Defense Virtual5

50

Threat Defense Virtual10

250

Threat Defense Virtual20

250

Threat Defense Virtual30

250

Threat Defense Virtual50

750

Threat Defense Virtual100

10,000

Concurrent VPN Sessions Capacity Planning (Hardware Models)

The maximum concurrent VPN sessions are governed by platform-specific limits and have no dependency on the license. There is a maximum limit to the number of concurrent remote access VPN sessions allowed on a device based on the device model. This limit is designed so that system performance does not degrade to unacceptable levels. Use these limits for capacity planning.

Device Model

Maximum Concurrent Remote Access VPN Sessions

Firepower 1010

75

Firepower 1120

150

Firepower 1140

400

Firepower 2110

1500

Firepower 2120

3500

Firepower 2130

7500

Firepower 2140

10,000

Secure Firewall 3110

3000

Secure Firewall 3120

6000

Secure Firewall 3130

15,000

Secure Firewall 3140

20,000

Firepower 4100, all models

10,000

Firepower 9300 appliance, all models

20,000

ISA 3000

25

For capacity of other hardware models, contact your sales representative.

Note
The threat defense device denies the VPN connections once the maximum session limit per platform is reached. The connection is denied with a syslog message. Refer the syslog messages %ASA-4-113029 and %ASA-4-113038 in the syslog messaging guide. For more information, see Cisco Secure Firewall ASA Series Syslog Messages.

Controlling Cipher Usage for VPN

To prevent use of ciphers greater than DES, pre-deployment checks are available at the following locations in the management center:

Devices > Platform Settings > Edit > SSL.

Devices > VPN > Remote Access > Edit > Advanced > IPsec.

For more information about SSL settings and IPsec, see SSL and Configure Remote Access VPN IPsec/IKEv2 Parameters.

Authentication, Authorization, and Accounting

Configure DNS on each device in the topology in to use remote access VPN. Without DNS, the device cannot resolve AAA server names, named URLs, and CA Servers with FQDN or Hostnames; it can only resolve IP addresses.

You can configure DNS using the Platform Settings. For more information, see DNS and DNS Server Group.

Client Certificates

If you are using client certificates in your deployment, they must be added to your client's platform independent of the Secure Firewall Threat Defense or Secure Firewall Management Center. Facilities such as SCEP or CA Services are not provided to populate your clients with certificates.

Unsupported Features of Secure Client

The only supported VPN client is the Cisco Secure Client. No other clients or native VPNs are supported. Clientless VPN is not supported for VPN connectivity; it is only used to deploy the Secure Client using a web browser.

Note

Using multiple Secure Client packages on threat defense devices can increase memory usage and affect the device's performance. We recommend that you do not use multiple Secure Client packages on low-end threat defense devices to avoid continuous reboots because of memory exhaustion.

The following Secure Client features are not supported when connecting to a threat defense secure gateway:

  • TACACS, Kerberos (KCD Authentication and RSA SDI).