Summary:
From release 6.7, Cisco FTD supports configuration of AnyConnect Management tunnels.
The AnyConnect Management feature allows a VPN tunnel to be created immediately after the endpoint finishes its startup. There is no need for users to launch the AnyConnect app manually: as soon as their system is powered up, the AnyConnect VPN agent service detects the Management VPN feature and initiates an AnyConnect session using the Host Entry defined in the Server List of the AnyConnect Management VPN Profile.
A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.
AnyConnect Management Tunnel allows administrators to have AnyConnect connected without user intervention prior to user login. AnyConnect Management Tunnel can work in conjunction with Trusted Network Detection and is therefore triggered only when the endpoint is off-premise and no user-initiated VPN is connected. AnyConnect Management Tunnel is transparent to the end user and disconnects automatically when the user initiates VPN.
The AnyConnect VPN agent service is automatically started upon system boot-up. It detects that the management tunnel feature is enabled (via the management VPN profile) and therefore launches the management client application to initiate a management tunnel connection. The management client application uses the host entry from the management VPN profile to initiate the connection. The VPN tunnel is then established as usual, with one exception: no software update is performed during a management tunnel connection, since the management tunnel is meant to be transparent to the user.
When the user initiates a VPN tunnel via the AnyConnect UI, this triggers termination of the management tunnel. Upon management tunnel termination, the user tunnel establishment continues as usual.
When the user disconnects the VPN tunnel, this triggers the automatic re-establishment of the management tunnel.
Configuration
Prerequisite: a regular user VPN Connection Profile is already configured and working.
1. Create Management VPN Group Policy
2. Create Management-VPN connection profile
3. Create Management Tunnel Profile
4. Modify or create the regular user AnyConnect Profile
5. Upload Management Tunnel profile and regular user profile to FMC
6. Attach Management Tunnel profile and regular user profile to the regular user VPN Group Policy
7. After the user connects to the user VPN tunnel, the management tunnel profile is downloaded to the following folder and renamed to VpnMgmtTunProfile.xml:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun
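Once the profile lands in the MgmtTun folder, the one thing worth verifying on an endpoint is that the Server List in VpnMgmtTunProfile.xml points only at the gateway you intended, because the agent will dial that host unattended at every boot. The script below is an added example (not Cisco code and not from the original post): it parses a profile, pulls out each HostEntry's HostName and HostAddress, and compares the addresses against an allow-list. The sample profile, the gateway name vpn-mgmt.example.test and the allow-list are constructed for the demonstration; only the folder path and file name come from the post.

```python
"""Check an AnyConnect management tunnel profile (VpnMgmtTunProfile.xml).

Added example, not Cisco code. Reads the ServerList/HostEntry elements from a
profile and checks that every management tunnel gateway is on an allow-list,
so a pushed profile cannot silently point endpoints at an unexpected host.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Folder and file name as stated in the post.
MGMT_PROFILE_DIR = PureWindowsPath(
    r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\MgmtTun"
)
MGMT_PROFILE_NAME = "VpnMgmtTunProfile.xml"

# Constructed sample profile (assumption: only the ServerList the post mentions
# is shown; the gateway vpn-mgmt.example.test is a placeholder).
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>Management VPN</HostName>
      <HostAddress>vpn-mgmt.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _local(tag):
    """Strip an XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def host_entries(profile_xml):
    """Return [(HostName, HostAddress)] for each HostEntry in the ServerList."""
    data = profile_xml.encode() if isinstance(profile_xml, str) else profile_xml
    root = ET.fromstring(data)
    entries = []
    for elem in root.iter():
        if _local(elem.tag) != "HostEntry":
            continue
        name = addr = None
        for child in elem:
            if _local(child.tag) == "HostName":
                name = (child.text or "").strip()
            elif _local(child.tag) == "HostAddress":
                addr = (child.text or "").strip()
        entries.append((name, addr))
    return entries


def check_profile(profile_xml, allowed_gateways):
    """Return a list of problems; an empty list means the profile passes."""
    problems = []
    entries = host_entries(profile_xml)
    if not entries:
        problems.append("no HostEntry in ServerList: the agent has nothing to dial at boot")
    for name, addr in entries:
        if not addr:
            problems.append(f"HostEntry {name!r} has no HostAddress")
        elif addr not in allowed_gateways:
            problems.append(f"HostEntry {name!r} points at unexpected gateway {addr!r}")
    return problems


def expected_profile_path():
    """Full path where AnyConnect stores the management tunnel profile."""
    return str(MGMT_PROFILE_DIR / MGMT_PROFILE_NAME)


if __name__ == "__main__":
    # On a real endpoint, read expected_profile_path() instead of SAMPLE_PROFILE.
    print("expected location:", expected_profile_path())
    problems = check_profile(SAMPLE_PROFILE, {"vpn-mgmt.example.test"})
    for p in problems:
        print("PROBLEM:", p)
    print("profile passes" if not problems else "profile fails")
```

Run it on a managed endpoint by replacing SAMPLE_PROFILE with the contents of the file at the path printed by expected_profile_path(); a non-empty problem list after a profile push is the signal to check what was attached to the user Group Policy in FMC.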
After the user disconnects the user tunnel, the management tunnel is automatically reconnected.
When the computer is back on the office network