cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
792
Views
0
Helpful
1
Replies

Bizarre VPN behavior with Cymphonix Web Filtering Device

patrick.peters
Level 1
Level 1

We just purchased some Cymphonix web filtering devices.  These devices sit in-line (as a bridge) on the way from our internal network to the inside interface of our failover pair of 5520 ASAs.  The ASAs are active/passive, single context.  The software rev is 8.4(2).

We run about 320 site-to-site VPNs as well as AnyConnect VPNs to our ASAs.  When I brought the Cymphonix devices in-line, all appeared to be working.  Traffic was flowing out to the internet from our internal network.  I was seeing stats and analysys from the Cymphonix device.  However, after a few minutes, almost all of our VPNs went down (both site-to-site and Anyconnect).  Traffic from the internal network to the internet was still working fine.  When I tried to re-establish an Anyconnect VPN using my laptop on an outside connection, it failed.  The message said the ASA "rejected" the connection.  I turned up some debug on the ASA and got messages that included text like "internal error".  Once I cabled the inside of the ASA directly back to the switch instead of going through the Cymphonix (and rebooted the ASA, just to be safe), the VPNs came back up.

I'm scratching my head, to put it mildly.  A VPN is negotiated to the ASA.  The traffic involved in establishing and maintaining the VPN will never see the Cymphonix box because the ASA processes it and it goes no further.  So, how can connecting something to the inside interface of the ASA cause the VPNs to crumble?  I should be able to connect anything I want or nothing at all to the inside of the ASA and it shouldn't matter one bit to the health of the VPNs.  Here's another twist:  all of the traffic that comes out of those site-to-site VPNs is delivered to an interface other than the inside (traffic from our customers is delivered to an isolated part of our network).  So the inside interface is even more "uninvolved" in those site-to-site VPNs.

Traffic from the internal network out to the internet was flowing fine.  Basic functionality was fine.  Since I first tried this, I've wondered if I should have used a cross-over cable, but I find that hard to accept as a problem.  How could non-VPN traffic be working fine our to the internet if I needed a cross-over cable?  I'm reasonably certain the interfaces on the ASA are supposed to support auto-MDIX anyway.

Anybody have an idea of where to start on this one?

Thanks

Patrick

1 Reply 1

m.kafka
Level 4
Level 4

Hi Patrick,

I appreciate that you seek help here but assumptions alone won't bring anyone any further.

To help us to help you: include the debugs, I mean more details than "some debug included the message internal error"

Give us details (sanitize usernames, passwords, public addresses) and logs resp. debug output.

Networks are deterministic, the art is to understand how things are determined.

Regards,

MiKa