Symptom
When AnyConnect is configured in FTD and the Security Zone / Interface Group of the Access Interface is already used by a Virtual Tunnel Interface (VTI), FMC shows the errors below prior to deployment:
Error: Security Zone / Interface Group has unsupported interface(s).
Description: Security Zone / Interface Group ( outside ) selected in Access Interfaces matches to a VTI interface on the device.
Cause: Remote Access VPN cannot be configured on a VTI interface.
Action: Please configure supported interfaces in Security Zone / Interface Group ( outside ) for this device
Conditions
The AnyConnect access interface uses the same Security Zone / Interface Group as an existing VTI.
Workaround
Either of the 2 workarounds can be followed:
1. Create an Interface Group and add only the interface used for AnyConnect VPN to that group, then, on the Access Interface tab of the RA VPN configuration, replace the Security Zone with this Interface Group. This avoids creating a separate security zone for AnyConnect VPN.
2. Create different security zones for the AnyConnect access interface and the VTI.
To modify the Security Zone of an interface, navigate to Devices > Device Management, click the desired FTD, and select the interface in question. The Security Zone drop-down displays the available security zones.
Further Problem Description