cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

358
Views
0
Helpful
1
Replies
Highlighted
Beginner

Cisco ASAv site-to-site VPN to Symantec Web Security Service (WSS)

Hi all, 

 

I'm having some serious technical issues with establishing a site-to-site VPN to Symantec's Web Security Service (WSS). Getting technical support to help is also really really painful. After three months of pulling my hair out I finally had a WebEX troubleshooting session, but unfortunately it was unsuccessful and we didn't get anywhere. 

 

This is my setup 

                                            Customer FW              NAT - Edge FW                                                              ep.threatpulse.net

{Multiple DMZ s / LANS}-----(>|) ASA FW ---------- (FGT-FW)-----------(Internet)---------(Symantec WSS)---(Proxy)

 

 

 

The customer firewall is the  ASAv Firewall 

The Fortigate is a perimeter firewall for all customers and NATs the outside interface of the ASA firewall  to a Public IP address and in terms of security policy its wide open (any any). The ASA is more restrictive. 

 

I followed the following KB from Symantec (or Broadcom as they are currently known as) but with some tweaks. I will explain: 

 

KB: https://knowledge.broadcom.com/external/article/174263/web-security-service-legacy-ipsec-connec.html

> Note: in other articles they have variations in config which i had to follow such as 

NAT-T when used, you need to change the IKE ID to the public IP address that the upstreat fw is natting the ASAs outside IP to. I had to do this on the ASA via ASDM, but it can be done on the CLI as 

crypto isakmp identity key-id <Public IP Address> 

 

 

I also didn't follow their advise on 'any' local encryption domain and 'any' remote encryption domain - I caused an outage whilst the firewall tried to bring up the tunnel. instead i used the classless RFC 1918 address as my local encryption domain and ep.threatpulse.net (ip address used) as the remote, i.e. the symantec proxy ip address. 

I have other VPN tunnels setup on this firewall and even if my local encryption domain was set to 'any' it would have overlapped with the other tunnels - the firewall did grumble at this!

 

I did NAT exempt for traffic headed for the proxy ip address for http and https. 

 

I used the same phase 1 and phase 2 settings and whats interesting is that Symantec in Phase 1 tries to negotiate 3DES / SHA DFH grp5.... strange.... The ASA didnt like.. 

 

I went through the setup with Symantec over the WebEx and they said it looked ok, however they didnt see any errors or messages that would indicate that phase 1 was unsuccessful. At my end though all i ever got when running show crypto ikev1 sa was the message telling me it was waiting for a response from symantec:

 

State : MM_WAIT_MSG6

 

Even if i change the phase 1 params to 3des sha DFH group 5 it still doesn't come up. 

 

Its not successfully negotiating phase 1

 

Anyone else experiencing this issue and the lack of support from Symantec?

1 REPLY 1
Highlighted

Re: Cisco ASAv site-to-site VPN to Symantec Web Security Service (WSS)

Were you able to get this issue resolved in the end? Would appreciate any potential guidance you could offer.