Solved: FTD site-to-site VPN seems to ignore bypass ACP setting

tato386 · ‎11-05-2023

I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs. I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel. However, when I try to copy files between the sites the files are blocked by a file rule in the ACP. So it seems like the option is not working or being ignored. Is there something I am missing? The FTDs are running v7.2.x code.

Thanks,

tato386 · ‎12-11-2023

After working with TAC on this issue and doing lots of testing, here are the results and takeaways:

1) unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic which infers inbound only but it also mentions sysopt permit-vpn which in legacy platforms worked in both directions so IMHO this is a bit confusing.

2) The option *appears* to be a per tunnel option but it is not. If you have more than 1 tunnel configured per FTD device the manual deploy will give you a validation error telling you that all tunnels must use the same setting. Interestingly, FMC will not let you override the validation error during manual deploy but a scheduled deploy will run.

3) When enabled the traffic will not only bypass the ACP but it appears to bypass the entire SNORT engine. While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.

HTH,

Diego

View solution in original post

Rob Ingram · ‎11-05-2023

@tato386 it should bypass the ACP inspection. Do you have a VPN filter or DACL applied to the VPN, that will still block the traffic.

Run the command "system support firewall-engine-debug" and filter on SRC/DST, generate some traffic and confirm if traffic is allowed and whether it matches an ACP rule. Provide the output.

And/or run packet-tracer from the CLI to simulate the traffic flow. Provide the output.

Personally I'd recommend not bypassing the ACP and create specific rules per tunnel.

tato386 · ‎11-06-2023

@Rob Ingram there is definitely no VPN filter, and I don't believe I have DACL either because I don't know exactly what that is or how to use it.

I can confirm the traffic is being inspected via both FMC GUI connection events and the debug you recommended (see attachment). The question is why is this happening if both sides of tunnel have bypass enabled? Maybe some other VPN setting is preventing the bypass option from working?

MHM Cisco World · ‎11-06-2023

Check if there is other VPN acl conflict with this VPN acl

Do you use No-NAT?

Thanks A Lot
MHM

tato386 · ‎11-06-2023

update: if I do "show running-config" I don't see "sysopt permit-vpn". Maybe a flexconfig to force that in there?

Rob Ingram · ‎11-06-2023

@tato386 well traffic does appear to be being processed by the ACP, so it looks like the bypass ACP is not working as intended. Possibly this bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh30385 enable globally and try?

Else it does not appear that "sysopt-permit-vpn" is a prohibted command by FlexConfig so give it a try - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/flex-config.html#reference_ztv_qvw_yx

IMO I'd personally explictly permit the VPN traffic via ACP or pre-filter rule.

MHM Cisco World · ‎11-06-2023

show run all

all need to add to see if sysopt permit-vpn

tato386 · ‎11-06-2023

If I do "show run all" I see these two commands:

sysopt connection permit-vpn
sysopt connection reclassify-vpn

which are slightly different than "sysopt permit-vpn".

The bug article is a bit confusing. It says there are no workarounds so does that mean that adding "sysopt permit-vpn" via Flex config will not have the effect I am looking for?

Rob Ingram · ‎11-06-2023

@tato386 I don't have access to a FMC to confirm, but try - Devices > VPN > Remote Access > VPN Profile > Access Interfaces rather than configuring under the tunnel topology.

tato386 · ‎11-06-2023

That seems to be for client VPN and I'm doing site-2-site. I will try Flex config thing tonight and let you know, Thx

Marvin Rhoads · ‎11-07-2023

The sysopt connection permit-vpn setting is global. If it is enabled for any VPN, it will apply to all VPNs on the device. As @Rob Ingram noted, vpn-filter is the only exception that would override this. A packet-tracer or, better yet, system support firewall-engine-debug would be better able to show you exactly where and why the traffic is being blocked.

tato386 · ‎11-07-2023

@Marvin Rhoads we have confirmed the setting is present in the global config and that site to site VPN traffic is being blocked by ACP. What I am trying to figure out is if this is a bug or maybe I am missing something. Right now, I'm leaning towards bug and will probably use a prefitler rules as a workaround.

MHM Cisco World · ‎11-07-2023

As I know Sysop effect inbound direction of traffic not outbound.

If you outbound traffic is drop by ACP (IN direction) apply to inside interface then there is no bug it normal.

tato386 · ‎11-07-2023

The "sysopt connection permit-vpn" command is global and confirmed to be present on both FTDs. Traffic is being blocked in both directions.

MHM Cisco World · ‎11-07-2023

LAN1-FTD1-FTD2-LAN2

if you ping from LAN1 then you need allow traffic in FTD1 inside interface IN direction
you need FTD2 to have sysop-permit

and vice versa

Thanks A Lot
MHM