Create an RA VPN Configuration
CDO allows you to add one or more FDM-managed devices to the RA VPN configuration wizard and configure the VPN interfaces, access control, and NAT exemption settings associated with the devices. Therefore, each RA VPN configuration can have connection profiles and group policies shared across multiple FDM-managed devices that are associated with the RA VPN configuration. Further, you can enhance the configuration by creating connection profiles and group policies.
You can either onboard an FDM-managed device that has already been configured with RA VPN settings or a new device without RA VPN settings. When you onboard an FDM-managed device that already has RA VPN settings, CDO automatically creates a "Default RA VPN Configuration" and associates the FDM-managed device with this configuration. Also, this default configuration can contain all the connection profile objects that are defined on the device.
Prerequisites
Before adding the FDM-managed devices to RA VPN configuration, the following prerequisites must be met:
- Make sure that the FDM-managed devices have the following:
  - A valid license. For more information, see Licensing Requirements for Remote Access VPN.
  - For FDM Version 6.4.0, ensure that a minimum of one AnyConnect software package is pre-uploaded to the device. For more information, see Upload AnyConnect Software Packages to Firepower Threat Defense Devices version 6.4.0.
  - For FDM Version 6.5.0 and later, you can upload the AnyConnect package using CDO. For more information, see Upload AnyConnect Software Packages to Firepower Threat Defense Devices version 6.5.0.
  - There are no configuration deployments pending.
- FDM changes are synchronized to CDO.
  - In the left pane, click Inventory and search for one or more FDM-managed devices to be synchronized.
  - Select one or more devices and then click Check for changes. CDO communicates with one or more FDM-managed devices to synchronize the changes.
- RA VPN configuration group policy objects are consistent.
  - Ensure that all inconsistent group policy objects are resolved, as they cannot be added to the RA VPN configuration. Either address the issue or remove inconsistent group policy objects from the Objects page. For more information, see Resolve Duplicate Object Issues and Resolve Inconsistent Object Issues.
- RA VPN group policies of the FDM-managed device match RA VPN configuration group policies.