Beginner

After disconnecting from AnyConnect ACLs not honored on ISA550W

Once I disconnect from an SSL-VPN (AnyConnect) session, the firewall blocks WAN > LAN traffic. I have to navigate to the Firewall > Access Control > ACL Rules page and click the Reset button for the ISA550W to honor the rules.

Cisco Employee

Hi Eric,

I have a few questions for you to help understand what you're trying to do and what you're seeing:

1.  What ACLs are not working after disconnecting?  Can you give a couple of examples?

2.  Are you trying to access resources on the LAN from the same computer that was just recently disconnected from SSL VPN?

3.  If you try to access the resources on the LAN from another computer, do you see the same thing?

4.  Do you see anything in the logs indicating the traffic is blocked?

This may also help me try to reproduce this.

Thanks,

Brandon

Beginner

Brandon,

Thank you for your follow up. Below are answers to your questions:

1. All WAN > LAN ACLs become inactive. For example, we run an on-prem mail server and have a rule for SMTP (WAN > LAN). Upon disconnecting from the AnyConnect client, no traffic can pass from WAN > LAN over port 25.

2. From what I can tell only WAN > LAN traffic is blocked. All other traffic (I have not performed extensive testing) rules are honored.

3. Over SSL VPN?

4. No.

Cisco Employee

Hi Eric,

Thank you for providing that information.  We have been able to reproduce this here.  Can you open a case with SBSC so we can work on this with you?

Let me know if you have any issues opening a case with SBSC.

Thanks,

Brandon

(Accepted solution)

Beginner

Thanks Brandon, I will do so.

Beginner

I am encountering the same issue, even with the latest firmware 1.2.15. Could you provide any update or the incident #, so perhaps a linked ticket can be created?

Cisco Employee

Hi Ed,

Go ahead and open a case with SBSC for this.  Let me know the case number once it's created or if you have any issues opening a case.

Thanks,

Brandon

Beginner

Ed,

I also upgraded to 1.2.15 and the issue remains present. I opened a ticket (625782935), and the support tech requested I factory default the device after upgrading. I planned to do so over the weekend; however, didn't get an opportunity. I plan to do so tonight.

Cisco Employee

Hi Eric,

I have updated your case and you should be receiving that soon.

Thanks,

Brandon

Rising star

Hi Eric, thank you for using our forum. My name is Johnnatan and I am part of the Small Business Support community. I apologize for the inconvenience you are having. Are you running the latest firmware?

Just to make sure, the latest firmware is 1.1.17 and you can download it at the link below.

http://software.cisco.com/download/release.html?mdfid=283445567&softwareid=282728525&release=1.1.14

Also, I am interested in your case. If you are not running this firmware, could you please share your current firmware with us?

I hope you find this answer useful

“Please rate useful posts so other users can benefit from it”

Greetings, 
Johnnatan Rodriguez Miranda.
Cisco Network Support Engineer.

Beginner

Johnnatan,

Thank you for your reply. Yes, we are running firmware 1.1.17.