02-28-2019 01:50 PM - edited 02-28-2019 01:50 PM
Hi,
I have a few production site-to-site VPN peers. For one of these peers, the vendor is asking whether we can adjust our window size to 1024.
I found this bug, which has a workaround using FlexConfig, but I'm curious whether you can apply that to only the one peer and not globally. Perhaps I need to create a new policy map for this peer and use FlexConfig to adjust the window size of only that peer with the associated policy map?
Or, if it is a global option only, what should I be aware of, i.e., how will that change affect the other peers?
I found the bug for this (link below); no software releases resolve the bug, so the FlexConfig workaround is the only one I can find.
Any ideas?
CSCvg87675 - FTD VPN FMC should have an option to customize the IPSec Anti-Replay Window size
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg87675/?rfs=iqvred
03-01-2019 07:47 AM
The setting is global, just like it is on the ASA. There is no way to set this on a per peer basis.
I do not think increasing the window has a big effect on security. I feel that 64 packets is too small a window to begin with, especially when you think of ISPs providing multiple paths to reach one destination. Changing this will not affect any other peers, as this is a local security feature. Increasing it to 1024 rather than disabling it completely should provide adequate security from replay attacks.
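To make the reply's point concrete, here is an added example (not code from the thread, from Cisco, or from the FTD/ASA implementation) that simulates an RFC 4303-style IPsec anti-replay sliding window: an ESP packet delayed by a few hundred positions (for instance by a slower ISP path) is dropped with a 64-packet window but accepted with a 1024-packet window, while a replayed packet is rejected by both. The sequence numbers and traffic pattern are constructed for the demonstration.

```python
# Added example: minimal RFC 4303-style anti-replay window (bitmap anchored at
# the highest sequence number seen). Not Cisco code; the traffic is constructed.

class AntiReplayWindow:
    """Bitmap of the last `size` sequence numbers, anchored at the highest seen."""
    def __init__(self, size):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (top - i) already seen
        self.dropped_old = 0
        self.dropped_replay = 0

    def check(self, seq):
        """Return True if `seq` is accepted, False if dropped."""
        if seq > self.top:                       # new high-water mark: slide forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1  # keep only bits inside the window
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                  # behind the window: cannot tell delay from replay
            self.dropped_old += 1
            return False
        if self.bitmap & (1 << offset):          # already seen: genuine replay
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset               # late but still inside the window
        return True


def simulate(window_size, delayed_seq=100, arrives_after=400, replayed_seq=500, total=1200):
    """Send 1..total in order, except one packet delayed ~300 positions and one replay."""
    w = AntiReplayWindow(window_size)
    stream = []
    for seq in range(1, total + 1):
        if seq != delayed_seq:
            stream.append(seq)
        if seq == arrives_after:
            stream.append(delayed_seq)    # the delayed packet finally arrives
        if seq == replayed_seq:
            stream.append(replayed_seq)   # the same packet seen a second time
    outcome = {}
    for seq in stream:
        ok = w.check(seq)
        if seq == delayed_seq:
            outcome["delayed_accepted"] = ok
        elif seq == replayed_seq:
            outcome["replay_accepted"] = ok  # last copy wins, i.e. the replayed one
    outcome["dropped_old"], outcome["dropped_replay"] = w.dropped_old, w.dropped_replay
    return outcome
```

Compare `simulate(64)` with `simulate(1024)`: only the smaller window counts the delayed packet as a drop, and both count exactly one replay.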