FMC 6.2.2 with Firepower 2120 6.2.2 anti-replay changes

rmorenobb
Level 1

Hi, 

I have a few production Site to Site VPN peers; for one of these peers, the vendor is asking whether we can adjust our window size to 1024.

I found this bug, which has a workaround using FlexConfig, but I'm curious whether you can apply that to only the one peer, and not globally? Perhaps I need to create a new policy map for this peer, and use FlexConfig to adjust the window size of only that peer with that associated policy map?

Or if it is a global option only, what should I be aware of, i.e., how will that change affect the other peers?

I found the bug for this (link below); no software releases resolve the bug, so the FlexConfig is the only workaround that I can find.

Any ideas?

CSCvg87675 - FTD VPN FMC should have an option to customize the IPSec Anti-Replay Window size

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg87675/?rfs=iqvred

2 Replies

Rahul Govindan
VIP Alumni

The setting is global, just like it is on the ASA. There is no way to set this on a per peer basis.

I do not think increasing the window has a big effect on security. I feel that 64 packets is too small a window to begin with, especially when you think of ISPs providing multiple paths to reach one destination. Changing this will not affect any other peers as this is a local security feature. Increasing it to 1024 rather than disabling it completely should provide adequate security from replay attacks.
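To show why a 64-packet window drops legitimate out-of-order traffic while a 1024-packet window still rejects replays, here is an added simulation of the ESP anti-replay sliding window (RFC 4303, Appendix A); it is example code written for this thread, not Cisco code, and the sample packet stream (one slow-path burst plus one replayed packet) is constructed.

```python
"""Receiver-side IPsec ESP anti-replay sliding window (RFC 4303, Appendix A)."""


class AntiReplayWindow:
    """Anti-replay state for one inbound SA; window_size tracks that many
    sequence numbers below the highest one accepted (64 is the RFC default)."""

    def __init__(self, window_size: int = 64):
        if window_size < 32 or window_size & (window_size - 1):
            raise ValueError("window size must be a power of two >= 32")
        self.size = window_size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was received

    def check_and_update(self, seq: int) -> str:
        """Classify one packet as 'accept', 'replay' (seen before) or 'too_old'
        (fell off the left edge of the window) and update the window state."""
        if seq == 0:
            return "replay"                 # sequence number 0 is never valid
        if seq > self.top:                  # right of the window: slide it
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return "accept"
        offset = self.top - seq
        if offset >= self.size:
            return "too_old"                # legitimate but delayed too long: dropped
        if (self.bitmap >> offset) & 1:
            return "replay"                 # duplicate inside the window: dropped
        self.bitmap |= 1 << offset          # late but unseen: accepted
        return "accept"


def reordered_stream() -> list:
    """Constructed sample: 2000 packets where 1001-1100 take a slower ISP path and
    arrive after 1101-1300, followed by a replayed copy of packet 1990."""
    delayed = list(range(1001, 1101))
    return (list(range(1, 1001)) + list(range(1101, 1301)) + delayed
            + list(range(1301, 2001)) + [1990])


def simulate(window_size: int, stream: list) -> dict:
    """Count how one receiver window classifies every packet in stream."""
    window, counts = AntiReplayWindow(window_size), {"accept": 0, "replay": 0, "too_old": 0}
    for seq in stream:
        counts[window.check_and_update(seq)] += 1
    return counts


if __name__ == "__main__":
    for size in (64, 1024):
        print(size, simulate(size, reordered_stream()))
```

With the 64-packet window the 100 delayed packets are all dropped as too old; with 1024 they are accepted and the replayed packet is still rejected in both cases.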

Thanks! I've been reading up on any effects, and haven't seen anything that could pose an issue, so I agree. The only piece I don't like with the FMC/FTDs is having to make the adjustment via flexconfig.