Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3222
Views
0
Helpful
8
Replies

IPsec VPN not working after upgrade to 8.4.7

majedalanni
Level 1
Level 1

‎02-13-2014 08:38 AM - edited ‎02-21-2020 07:30 PM

Hi

Here is some small digram of my firewalls

LAN ---- FW(A) ----- S2S Tunnel ------- FW (B)------------------ LAN

                  |                                                                  |

                   --------- Cisco VPN need to be run -------------

I used to run that VPN for more than three years with no issue, but after upgrading FW (A) from 8.2.5 to 8.4.7 I got below error msg






Group = XXXX, Username = XXXX, IP = x..x.x.x, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.

Please does any body have any clue about it and I solve that?

Mike

Labels:
0 Helpful
8 Replies 8

laramire2
Level 1
Level 1

‎02-13-2014 12:50 PM

Hello Mike,

Basically, in older versions, when you hit a static crypto map and you did not match that static crypto map completely the connection continues until the dynamic crypto map. For that reason you could connect your IPSec clients before. A bug was opened about this vulnerability.

CSCuc75090  Bug Details

Crypto IPSec SA's are created by dynamic crypto map for static peers

Symptom:

When a static VPN peer adds any traffic to the crypto ACL, an SA is built even though the IP pair is not allowed in the crypto acl at the main side. Those SA's are eventually matched and  setup by the dynamic crypto map instance.

Conditions:

This was a intended design since day one that enabled customers to fall through in case of static crypto map didn't provide a needed crypto services.

The SA need to be initiated from a statically configured peer and a dynamic crypto map instance must be configured on the receiving end.

Workaround:

N/A

Meaning, if you are on the local network and would like to reach any host on the remote site you could use the L2L tunnel that is already established with the remote peer. However, if you are on any other external network you will need to use the VPN client to connect to the sites.

I hope this helps.

Luis.

0 Helpful

majedalanni
Level 1
Level 1
In response to laramire2

‎02-13-2014 12:52 PM

but That bug should be resolved in 8.4.6, looks it still there

0 Helpful

laramire2
Level 1
Level 1
In response to majedalanni

‎02-13-2014 01:23 PM

Mike,

That's correct. This is actually a vulnerability and it could be affecting your version as well.

Please let me know if you have any other question.

Luis.

0 Helpful

dgierke
Level 1
Level 1

‎02-26-2014 11:04 AM

I'm hitting the same issue. Do we have a workaround so that VPN still works from a remote site-to-site VPN connected office, my users can still client VPN into the ASA at the HQ?

Do I just need to add and entry on my "crypto dynamic-map outside_dyn_map" for each remote office public IP that I have site-to-site tunnel built too?

0 Helpful

laramire2
Level 1
Level 1
In response to dgierke

‎02-26-2014 12:12 PM

Hi,

Well, actually the main question is why you need to use the VPN client to connect to a remote site if you already have a L2L established with that site? Meaning, if you are located inside of any of the VPN endpoints you could use the L2L to reach the remote site. However, if you are on any other external network you will be able to connect to any of the sites using the VPN client.

This is basically why Cisco created this vulnerability, it does not make sense to have multiple IPSec connections with the same peer. Then, if you need to allow more networks for the users, you just need to include them on the VPN traffic of the L2L.

Please let me know if you have any other question.

Luis.

0 Helpful

majedalanni
Level 1
Level 1
In response to laramire2

‎03-05-2014 01:15 PM

I'm goint to tell you why do I need that remote VPN. I used that VPN to acess al my network from the HQ firewall and I don't need my lan client access the other network too. my HQ network is like start network and only that VPN can access them all

0 Helpful

majedalanni
Level 1
Level 1
In response to dgierke

‎03-05-2014 01:12 PM

I did a static nat that when trying to use the remote VPN so it is hit the other firewall with different IP of the tunnel,

so you need to create a nat from the inside interface to the outside interface with source nat to any outside IP address other that the outside interface.

hope this helps

Mike

0 Helpful

laramire2
Level 1
Level 1
In response to majedalanni

‎03-05-2014 02:48 PM

Hello Mike,

Thanks for the information!

That would be a good workaround but it will depend of how many public ip addresses you have available, also if you really want to spend one of those ip addresses for that access. Based on your requirements I was thinking that you could use AnyConnect instead of IPSec VPN client. I do not know how many users need to connect from your HQs to the remote site, but the ASA has 2 available SSL licenses that you could use. Since Anyconnect uses SSL protocol it will not cause any problems on your environment.

Below some information:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_anyconnect.html

Hope this helps,

Luis.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents