Cisco ISR 4400 series SSLVPN Support

Hi,

Do the new Cisco ISR 4400 series routers support SSLVPN?

According to the feature navigator it does, but according to the 4451-X Q&A document it doesn't.

Does this mean that I can or cannot use the AnyConnect client?

Thanks.

Regards,

Armand

Accepted Solutions

According to all of the documentation I've looked at, the new ISR 4000 series (4300 and 4400) doesn't support SSL VPN at all:

http://www.cisco.com/c/dam/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/enterprise-routing-portfolio-poster.pdf

http://www.cisco.com/c/en/us/products/routers/4000-series-integrated-services-routers-isr/series-comparison.html

It's possible that the AnyConnect client may yet be usable for IKEv2/IPSec VPN connectivity, but SSL appears to be off the table for these units.

My guess would be that the access VPN functionality is being moved exclusively to the ASA portfolio, but that's just idle thinking.

8 REPLIES

I understand it is on the roadmap with a few other features to be added to the platform.

I would really like to hear an official answer from Cisco on this.  Being that the CSR 1000v now has support for SSL VPN, it's not a technical limitation of IOS XE.  I cannot understand why SSL VPN is not available for the 4000 series routers.

This really limits the ability to deploy an "all in one" router to a branch office or small HQ.  We just deployed the FirePOWER on ISR (on a UCS-E blade) for a client to replace their ASA.  It didn't even cross my mind that the new routers wouldn't support SSL VPN.  Of course now that I look at the data sheet I see it says that.  

Why offer a next generation firewall solution for the new ISRs and not have full support for SSL VPN just like the old routers? Makes no sense!

If it's available on the CSR 1000v, one hopes that it will make an appearance on the other IOS XE devices sooner than later. Do you know when it showed up on the CSR 1000v? I don't recall it being in the initial release.

It certainly wasn't in the initial release of CSR 1000v, looks like it's available as of 3.12S (which I think was first released in March of 2014).  Take a look at the guide here: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/xe-3s/sec-conn-sslvpn-xe-3s-book.html

I have to agree with your previous point of Cisco pushing everyone to the ASA for all SSL VPN functions.

Re: Cisco ISR 4400 series SSLVPN Support

Hello.

As per Cisco, it will be supported on ISR 4000 starting from IOS XE 16.9, that is most probably mid 2019.

HTH

Alexei.

Re: Cisco ISR 4400 series SSLVPN Support

It's a bit strange that it takes five years to make the ISR 4K an in-line replacement for the ISR G2, but I'll take late over never every time.

Re: Cisco ISR 4400 series SSLVPN Support

Mate,

could not agree more!

But this is typical Cisco at their best. :-)

With ASR 1000 being positioned as a 7200 replacement, guess how long did it take for Cisco to implement T1/E1 data for already released HW PRI extension cards? A couple of years... It was a big embarrassment for one design team that came up with ASR 1000 based design using E1 backup links to decomm a bunch of 7200s and discovered at implementation phase it was not feasible. :-)

I never take their words for granted. :-)

Cheers

Alexei.
