Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
2
Replies

sysopt connection permit-vpn BROKEN???

enkrypter
Level 1
Level 1

‎05-12-2016 05:45 PM

Please help clarify:

I recently updated hardware and code from 5540 to 5545, 9.1(3) to 9.1(6).11

After the upgrade, I noticed the identical configuration on both units had drastically different results when "sysopt connection permit-vpn" is enabled.  (which it is by default)

My desires state of traffic flow on 9.1(3) was that remote originating traffic across an L-2-L VPN, with sysopt enabled, would be filtered by an outbound ALC on my inside interface.  (this is exactly how it functioned)

The undesired state, on the new code, with sysopt still enabled; traffic from the VPN blows right past the inside outbound ACL and gives no honey badgers.  (traffic originating from remote VPN hosts comes into the local ASA and ignores all egress ACLs on any interface)

So I called TAC and they dig this gem up: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz24083

(filed recently)

My crypto-maps are on the outside interface, and from personal experience sysopt is ONLY supposed to ignore ACLs on interfaces that have crypto-maps.  Other interface egress ACLs are still processed.

(inside)[remote ASA](outside) <---- tunnel ----> (outside)[loca ASA](inside) -------> I've been filtering on the inside interface OUT

Here's a cisco thread form 5 years ago that clarifies the same understanding of how I'd like it to work and have observed it working in the past:  https://supportforums.cisco.com/discussion/10919996/sysopt-connection-permit-vpn

The forums are littered with people arguing sysopt functionality, so I agree clarification is needed.  I just want it to work the way I have been using it.  IMHO, the clarified description is NOT desirable.  I have proof that this functionality is different in two versions of the same code tree.

Please for the love of god, please tell me that someone else has had similar experiences with this on newer code and remembers how the old code used to work.  Getting Cisco to classify something as a bug and not a "feature" is like pulling teeth.

Bottom line, I have the same config on different code it operates different.

Thanks for reading.

Labels:
0 Helpful
2 Replies 2

Philip D'Ath
VIP Alumni
VIP Alumni

‎05-12-2016 10:28 PM

I must admit, I tend to turn "sysopt connection permit-vpn" off, which makes everything use ACL's, which makes everything crystal clear.

0 Helpful

Paul Chapman
Level 4
Level 4
In response to Philip D'Ath

‎05-14-2016 10:55 AM

Hi Guys -

My understanding of this setting was that it bypassed all interface ACLs (ingress or egress).  Even the documentation reflects this idea. (Found Here)  Nothing I've found indicates any tie between this feature and crypto maps.

I find it likely that you were exploiting a code bug and that Cisco fixed it in the new code rev.  I also find it likely that it was not a highly reported issue to Cisco since most ASA admins [that I've spoken to] only use ingress ACLs as this is generally considered a best practice.

I had an 8 hour call with TAC in the last month where the bottom line is that we accidentally exploited a code bug in our configuration and the system broke when we rebooted the ASA.  It's not unheard of, and I do believe that you had a behavior change between code versions.

My recommendation is that you convert your egress ACL to a VPN Filter in your Group Policy to recover the restrictions you previously had.

PSC

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents