FTD Anyconnect Management VPN Tunnel

Summary:

From release 6.7, Cisco FTD supports configuration of AnyConnect Management tunnels.

The AnyConnect Management feature creates a VPN tunnel as soon as the endpoint finishes booting. Users do not need to launch the AnyConnect app manually: as soon as the system is powered up, the AnyConnect VPN agent service detects the Management VPN feature and initiates an AnyConnect session using the Host Entry defined in the Server List of the AnyConnect Management VPN Profile.

A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when the end user establishes a VPN connection. You can perform patch management on out-of-office endpoints, especially devices that the user rarely connects to the office network via VPN. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.

The AnyConnect Management tunnel lets administrators have AnyConnect connected, without user intervention, before the user logs in. It works in conjunction with Trusted Network Detection and is therefore triggered only when the endpoint is off-premise and no user-initiated VPN is connected. The management tunnel is transparent to the end user and disconnects automatically when the user initiates a VPN.

The AnyConnect VPN agent service starts automatically at system boot. It detects that the management tunnel feature is enabled (via the management VPN profile) and launches the management client application to initiate a management tunnel connection. The management client application uses the host entry from the management VPN profile to initiate the connection. The VPN tunnel is then established as usual, with one exception: no software update is performed during a management tunnel connection, since the management tunnel is meant to be transparent to the user.

The user initiates a VPN tunnel via the AnyConnect UI, which triggers the management tunnel termination. Upon management tunnel termination, the user tunnel establishment continues as usual.

The user disconnects the VPN tunnel, which triggers the automatic re-establishment of the management tunnel.


Configuration

A regular user VPN Connection Profile is already configured and working.




1. Create Management VPN Group Policy


2. Create Management-VPN connection profile


3. Create Management Tunnel Profile


4. Modify or create regular user Anyconnect Profile


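Steps 3 and 4 are done in the profile editor, so there is nothing to type, but it is worth checking the XML that comes out of it: the agent reads the single Host Entry from the management profile at boot, and nobody is at the keyboard to fix a mistake. The following is an added example, not code from this post or from Cisco: a small Python validator for a management tunnel profile. The element names follow the AnyConnect client profile XML schema; the sample profile is constructed (placeholder host name, address and trusted domain; the UserGroup reuses the TG-Management-VPN name that appears in the FTD output later in the post), and the rules it enforces (certificate chosen automatically, Trusted Network Detection enabled with Disconnect/Connect policies, exactly one HostEntry naming the management tunnel group) are this example's own assumptions, not a Cisco validator.

```python
"""Sanity-check an AnyConnect management tunnel profile before uploading it to FMC.

Added example, not code from the post or from Cisco. The element names
(AnyConnectProfile, ClientInitialization, AutomaticCertSelection,
AutomaticVPNPolicy, ServerList/HostEntry) follow the AnyConnect client profile
schema; the rules enforced below are this example's assumptions about what a
management profile needs, not a statement of Cisco's validator.
"""
import sys
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile. Host name, address and trusted domain are
# placeholders; the UserGroup reuses the tunnel group name from the post's FTD output.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.test</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Management Tunnel</HostName>
      <HostAddress>vpn-gw.example.test</HostAddress>
      <UserGroup>TG-Management-VPN</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _text(parent, tag):
    """Stripped text of the first child <tag>, or None when it is absent."""
    el = parent.find(f"ac:{tag}", NS)
    return (el.text or "").strip() if el is not None else None


def check_mgmt_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        return ["no ClientInitialization block"]

    # No user is logged in when the tunnel comes up, so the machine
    # certificate has to be selected automatically.
    if _text(init, "AutomaticCertSelection") != "true":
        findings.append("AutomaticCertSelection must be true")

    # Trusted Network Detection keeps the tunnel down on the office network
    # and brings it up off-premise.
    tnd = init.find("ac:AutomaticVPNPolicy", NS)
    if tnd is None or (tnd.text or "").strip() != "true":
        findings.append("AutomaticVPNPolicy (Trusted Network Detection) must be enabled")
    else:
        if _text(tnd, "TrustedNetworkPolicy") != "Disconnect":
            findings.append("TrustedNetworkPolicy should be Disconnect")
        if _text(tnd, "UntrustedNetworkPolicy") != "Connect":
            findings.append("UntrustedNetworkPolicy should be Connect")

    # The agent connects to *the* host entry of the management profile, so
    # there must be exactly one, and it must name the management connection
    # profile (tunnel group) so that the management group policy is applied.
    hosts = root.findall("ac:ServerList/ac:HostEntry", NS)
    if len(hosts) != 1:
        findings.append(f"ServerList must hold exactly one HostEntry, found {len(hosts)}")
    for i, host in enumerate(hosts, 1):
        if not _text(host, "HostAddress"):
            findings.append(f"HostEntry {i} has no HostAddress")
        if not _text(host, "UserGroup"):
            findings.append(f"HostEntry {i} has no UserGroup (management tunnel group)")
    return findings


if __name__ == "__main__":
    # Pass a path to check a real file, for example the copy the client keeps under
    # C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_PROFILE
    problems = check_mgmt_profile(text)
    print("OK" if not problems else "\n".join(problems))
```

Run it with no arguments to check the embedded sample, or with a path to the XML exported from the profile editor. The TrustedDNSDomains check is deliberately not enforced: which domains count as trusted is site-specific, so the script only confirms that TND is switched on and pointed in the right direction.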
5. Upload Management Tunnel profile and regular user profile to FMC 


6. Attach Management Tunnel profile and regular user profile to the regular user VPN Group Policy


7. After the user connects to the user VPN tunnel, the management tunnel profile is downloaded to the following folder and renamed to VpnMgmtTunProfile.xml.

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun


After the next user VPN disconnect or reboot, the management VPN tunnel connects automatically.
Here is the session as seen from the FTD:
> show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : Lab-Desktop.lab.local  Index        : 33
Assigned IP  : 192.168.168.1          Public IP    : 192.168.2.238
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA384
Bytes Tx     : 106704                 Bytes Rx     : 97927
Pkts Tx      : 388                    Pkts Rx      : 472
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GP-Management-VPN      Tunnel Group : TG-Management-VPN
Login Time   : 14:45:05 UTC Wed Oct 19 2022
Duration     : 0h:32m:34s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a802040002100063500d71
Security Grp : none                   Tunnel Zone  : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 33.1
  Public IP    : 192.168.2.238
  Encryption   : none                   Hashing      : none
  TCP Src Port : 49674                  TCP Dst Port : 443
  Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : win
  Client OS Ver: 10.0.19044
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.00093
  Bytes Tx     : 8063                   Bytes Rx     : 0
  Pkts Tx      : 6                      Pkts Rx      : 0
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
  Tunnel ID    : 33.2
  Assigned IP  : 192.168.168.1          Public IP    : 192.168.2.238
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 49683
  TCP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 0 Minutes
  Client OS    : Windows
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.00093
  Bytes Tx     : 8063                   Bytes Rx     : 208
  Pkts Tx      : 6                      Pkts Rx      : 2
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

DTLS-Tunnel:
  Tunnel ID    : 33.3
  Assigned IP  : 192.168.168.1          Public IP    : 192.168.2.238
  Encryption   : AES-GCM-256            Hashing      : SHA384
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 59490
  UDP Dst Port : 443                    Auth Mode    : Certificate
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Client OS    : Windows
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.00093
  Bytes Tx     : 90578                  Bytes Rx     : 97719
  Pkts Tx      : 376                    Pkts Rx      : 470
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0

>
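To tell a management tunnel session from a user session in that output without reading it line by line, here is an added example (not code from the post): a Python parser for the two-column `show vpn-sessiondb detail anyconnect` format, run over a trimmed copy of the output above, plus a check that the session landed in the management group policy and tunnel group and that every leg authenticated with a certificate. The group policy and tunnel group names are the ones shown above; the `management_tunnel_findings` helper and its rules are this example's own.

```python
"""Parse `show vpn-sessiondb detail anyconnect` and confirm the session is the
management tunnel rather than a user tunnel.

Added example, not code from the post. SAMPLE is the post's own FTD output,
trimmed to the lines the checks need; the expected group policy and tunnel
group names are the ones that output shows.
"""
import re

SAMPLE = """\
Session Type: AnyConnect Detailed

Username     : Lab-Desktop.lab.local  Index        : 33
Assigned IP  : 192.168.168.1          Public IP    : 192.168.2.238
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES-GCM-256
Group Policy : GP-Management-VPN      Tunnel Group : TG-Management-VPN
Login Time   : 14:45:05 UTC Wed Oct 19 2022
Audt Sess ID : c0a802040002100063500d71

AnyConnect-Parent:
  Tunnel ID    : 33.1
  TCP Src Port : 49674                  TCP Dst Port : 443
  Auth Mode    : Certificate
  Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.00093

SSL-Tunnel:
  Tunnel ID    : 33.2
  Ciphersuite  : ECDHE-RSA-AES256-GCM-SHA384
  Encapsulation: TLSv1.2                TCP Src Port : 49683
  TCP Dst Port : 443                    Auth Mode    : Certificate

DTLS-Tunnel:
  Tunnel ID    : 33.3
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384
  Encapsulation: DTLSv1.2               UDP Src Port : 59490
  UDP Dst Port : 443                    Auth Mode    : Certificate
"""

# The output packs two "Key : value" pairs per line, separated by runs of
# spaces. Split only where the spaces are followed by another key and a colon,
# so values that themselves contain colons (timestamps, the per-leg cipher
# summary) stay intact.
_COLUMN = re.compile(r"\s{2,}(?=[A-Z][A-Za-z /]*\s*:\s)")
_BLOCK = re.compile(r"\S[^:]*:")   # a bare "SSL-Tunnel:" line opens a per-leg block


def parse_sessiondb(text):
    """Return {"session": {key: value}, "tunnels": {leg name: {key: value}}}."""
    parsed = {"session": {}, "tunnels": {}}
    current = parsed["session"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):
            continue                      # blank line or the FTD prompt
        if _BLOCK.fullmatch(line):
            current = parsed["tunnels"].setdefault(line[:-1], {})
            continue
        for chunk in _COLUMN.split(line):
            key, _, value = chunk.partition(":")
            current[key.strip()] = value.strip()
    return parsed


def management_tunnel_findings(parsed, group_policy="GP-Management-VPN",
                               tunnel_group="TG-Management-VPN"):
    """Ways in which the session does NOT look like a management tunnel (empty = it does)."""
    s = parsed["session"]
    findings = []
    if s.get("Group Policy") != group_policy:
        findings.append(f"Group Policy is {s.get('Group Policy')!r}, expected {group_policy!r}")
    if s.get("Tunnel Group") != tunnel_group:
        findings.append(f"Tunnel Group is {s.get('Tunnel Group')!r}, expected {tunnel_group!r}")
    for name, leg in parsed["tunnels"].items():
        # Nobody is logged in when the management tunnel comes up, so every
        # leg must have authenticated with a certificate, not a password.
        if leg.get("Auth Mode") != "Certificate":
            findings.append(f"{name}: Auth Mode {leg.get('Auth Mode')!r}, expected 'Certificate'")
    return findings


if __name__ == "__main__":
    session = parse_sessiondb(SAMPLE)
    print("Username:", session["session"]["Username"])
    problems = management_tunnel_findings(session)
    print("management tunnel" if not problems else "\n".join(problems))
```

Note that with certificate authentication the Username column carries whatever the FTD pulled from the machine certificate (here the endpoint FQDN), which is a quick way to spot management sessions in `show vpn-sessiondb anyconnect` even before running the detailed command.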


After the user logs in and connects to the user tunnel.


After user disconnects User Tunnel, Management Tunnel is automatically reconnected.


When the computer is back on the office network.
