This document describes an issue in which the firewall intermittently blocks VPN traffic that is permitted by the VPN filter.
What are VPN filters?
A VPN filter lets you permit or deny post-decrypted traffic after it exits the tunnel and pre-encrypted traffic before it enters the tunnel. A conventional ACL applied to an interface defines whether traffic entering or exiting that interface is permitted or denied.
A VPN filter instead applies its ACL to bi-directional traffic and to all interfaces. Because of this, the ACL's source and destination fields do not carry their usual interface-direction meaning; instead, the IP/port fields of the ACL must be written so that the local and remote subnets are permitted or denied as required.
This issue is caused by Cisco bug ID CSCsg60095.
With this bug, traffic that is permitted by the VPN filter access control list (ACL) is sometimes denied over the VPN, while the bytes sent and received still increase and the tunnel remains up.
This issue was first found in PIX/ASA software version 7.2(1.21).
The workaround is to disable the VPN filter, which allows all traffic through the tunnel; because this removes the filter's restrictions entirely, treat it as a temporary measure until the software is upgraded.
In order to resolve this issue permanently, upgrade or downgrade the PIX/ASA to one of these releases:
7.2(2.7) and later
Refer to Cisco Downloads to obtain the suggested PIX/ASA software versions.
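The following ASA configuration is an added illustration and is not part of the Cisco document. It shows how a VPN filter ACL is written and attached (the point made in the "What are VPN filters?" section), the checks a practitioner would run when permitted traffic is dropped while the tunnel stays up, and the workaround of removing the filter. The client pool 10.10.10.0/24, the local server 192.168.1.10, the ACL name VPN-FILTER and the group policy RA-POLICY are assumed names and addresses chosen for the example.

```cisco
! Added illustration, not from the Cisco document. Assumed values:
! remote VPN client pool 10.10.10.0/24, local server 192.168.1.10,
! ACL name VPN-FILTER, group policy RA-POLICY.
!
! 1. VPN filter ACL. The ASA evaluates a vpn-filter ACL with the REMOTE
!    (tunnel) side as source and the LOCAL side as destination, and applies
!    the mirrored entry to return traffic, so one entry covers both directions.
!    Port matches therefore belong on the local (destination) side.
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 22
! The implicit deny at the end of the ACL blocks all other traffic in the tunnel.

! 2. Attach the filter to the group policy used by the remote-access tunnel group.
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

! 3. Checks when permitted traffic is intermittently dropped but the tunnel stays up.
! Confirm the running release: the bug was first seen in 7.2(1.21) and is
! fixed in 7.2(2.7) and later.
show version | include Version
! Confirm the session is up and that its byte counters still increase
! between two runs of the command (the symptom described in the document).
show vpn-sessiondb detail remote
! Confirm the ACL entries match the intended hosts and ports and that
! their hit counts increase for the affected flow.
show access-list VPN-FILTER
! Per-reason drop counters on the accelerated security path; a rising
! acl-drop count for a flow the filter permits is consistent with the bug.
show asp drop

! 4. Workaround until the upgrade: remove the filter from the group policy.
!    All tunnel traffic is then allowed, so re-apply the filter after upgrading.
group-policy RA-POLICY attributes
 no vpn-filter
```

Group-policy changes take effect for new sessions, so have the client reconnect after changing or removing the filter before repeating the checks. Comparing `show access-list VPN-FILTER` hit counts with `show asp drop` before and after a failed connection attempt separates a genuinely mis-written ACL entry (no hits on the expected line) from the intermittent drop described above (hits on the permit line, yet the flow is dropped).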