Geo-Block affecting VPN traffic

I have a Geo-Block up blocking several countries on a Firepower 1140, and it is working, but for some reason it will start blocking server traffic to our VPN users or completely block VPN connections. This is a critical device for daily operations, so when it happens I must remove the rule.

The rule is placed as #1 in the ACL and set to Block.

The device is controlled with FDM only.

Has anyone else seen this behavior with a Firepower device? What is the fix for this?

Thanks.

6 Replies

@00u18jg7x27DHjRMh5d7 can you confirm, do you use the FTD to terminate VPNs? Or do you have a VPN device behind the FTD?

Geoblock will control traffic "through" the FTD, but not "to" the FTD - geoblock cannot restrict AnyConnect Remote Access VPN traffic if the users connect to the FTD.

What do the logs tell you?
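To make the "through" versus "to" distinction in the reply concrete, here is a small model of first-match evaluation with a geoblock rule at position #1. It is an added example, not FTD code and not from this thread; the geo table, the FTD outside address and the VPN pool are constructed values.

```python
import ipaddress

# Constructed geo table (illustrative only): which prefixes belong to which country.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "XX",  # country on the block list
    ipaddress.ip_network("203.0.113.0/24"): "YY",   # country not on the block list
}
BLOCKED_COUNTRIES = {"XX"}

# Assumed deployment values (not from the thread): the FTD's own outside address
# that AnyConnect clients connect to, and the address pool handed to RA VPN users.
FTD_OUTSIDE_IP = ipaddress.ip_address("192.0.2.1")
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")


def country_of(ip):
    """Return the country code for an address, or None when the geo DB has no entry.
    Private ranges such as the VPN pool never have a country, so a geo rule cannot
    match them."""
    ip = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return None


def evaluate(src, dst):
    """Decide a flow the way the reply describes: a session terminated on the FTD
    itself (to-the-box, e.g. the AnyConnect tunnel) is not subject to the access
    control policy, while through-traffic hits the geoblock rule at #1 first."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == FTD_OUTSIDE_IP:
        return "allow (to-the-box: RA VPN termination, geoblock not consulted)"
    for ip in (src_ip, dst_ip):
        cc = country_of(ip)
        if cc in BLOCKED_COUNTRIES:
            return f"block (geoblock rule #1: {ip} is in {cc})"
    return "allow (no geoblock match)"


if __name__ == "__main__":
    # A remote user in a blocked country building the tunnel to the FTD itself
    print(evaluate("198.51.100.7", "192.0.2.1"))
    # The same source sending through the FTD to an inside host
    print(evaluate("198.51.100.7", "10.0.0.5"))
    # An inside server talking to a VPN user's pool address (decrypted traffic)
    print(evaluate("10.0.0.5", "10.99.0.10"))
```

Decrypted traffic between an inside server and a pool address has no country, so under this model it should never match a geo rule; that is why the behaviour in the question is unexpected.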

The VPN connection is set up from the Firepower. This is also why I am confused, since the device is blocking traffic from inside the network to users on a trusted IP set on the VPN, and it is only the one server. But sometimes it will allow it for a month or more and then start blocking; other times it blocks traffic as soon as the rule is applied to the FP.

That's very odd and definitely not expected behavior. I've not seen it on an FTD installation one of my customers uses for RA VPN and they do have a Geoblocking policy in place.

Do you see anything in the logs when the blocks are experienced?

I have not seen anything in the logs, unfortunately. But due to the impact it has, I am unable to troubleshoot the problem when it begins affecting clients.

I have had an open ticket with TAC for 3 months now, but the tech has been zero help with trying to resolve this.

Hi,

If the FTD is the VPN gateway, try to apply the geo rule to a single username, assuming that you have AD integration. Otherwise, get your public IP at home and create a rule matching this source public IP.

Next, use system support trace on the FTD CLI and initiate a VPN connection. See if the geo lookup is performed successfully or not.

Based on this we can move forward to see if your geoDB is present and/or getting updated.

So it would seem that lowering the Snort level back to default has fixed the issue with Geo-block, as well as another application that we could not figure out why it had stopped working.