Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2911
Views
0
Helpful
3
Replies

Cisco firepower blocks "VPNs" in an access policy but block Duo Mobility Software

Go to solution
robertmeier
Level 1
Level 1

‎02-21-2019 11:34 AM

In Firepower  I have an Access policy that blocks VPN Clients.  There are about 50 VPN clients that cisco has labeled.  Anyway  I had a user group that accesses a third-party website that uses Duo Mobility.  Cisco firepower sees this a "VPN" and blocks it.  Does anyone know how to fix this?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎02-21-2019 02:15 PM

Unfortunately, there is no easy way to fix faulty application detection by the Firepower. I have had many instances were legitimate sites were being detected as VPN's or proxies by Firepower. So much so, that we had to remove the application category and only add individual VPN applications that did not cause a problem. 

 

I would create a temporary allow rule for source ip addresses to bypass the VPN block rule. You can add the site URL in the allow ACL conditions. Also, look for the name of the site inside the SSL certificate that it presents, sometimes the Firepower classifies the website based on that information too. 

 

You should open a TAC case and have them open a bug. The more the cases opened for this, the better chance that it gets resolved. 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎02-21-2019 02:15 PM

Unfortunately, there is no easy way to fix faulty application detection by the Firepower. I have had many instances were legitimate sites were being detected as VPN's or proxies by Firepower. So much so, that we had to remove the application category and only add individual VPN applications that did not cause a problem. 

 

I would create a temporary allow rule for source ip addresses to bypass the VPN block rule. You can add the site URL in the allow ACL conditions. Also, look for the name of the site inside the SSL certificate that it presents, sometimes the Firepower classifies the website based on that information too. 

 

You should open a TAC case and have them open a bug. The more the cases opened for this, the better chance that it gets resolved. 

0 Helpful

Go to solution
InTheJuniverse
Level 1
Level 1
In response to Rahul Govindan

‎02-22-2019 03:14 AM

You can either bypass the inspection per Source IP or add whitelist the known ("offending" for Cisco) URLs

0 Helpful

Go to solution
robertmeier
Level 1
Level 1
In response to Rahul Govindan

‎02-25-2019 06:08 AM

Rahul  thank you for your help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card