cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2847
Views
10
Helpful
22
Replies

FTD site-to-site VPN seems to ignore bypass ACP setting

tato386
Level 6
Level 6

I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs.  I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel.  However, when I try to copy files between the sites the files are blocked by a file rule in the ACP.  So it seems like the option is not working or being ignored.  Is there something I am missing? The FTDs are running  v7.2.x code.

Thanks,

1 Accepted Solution

Accepted Solutions

tato386
Level 6
Level 6

After working with TAC on this issue and doing lots of testing, here are the results and takeaways:

1) unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic which infers inbound only but it also mentions sysopt permit-vpn which in legacy platforms worked in both directions so IMHO this is a bit confusing.

2) The option *appears* to be a per tunnel option but it is not.  If you have more than 1 tunnel configured per FTD device the manual deploy will give you a validation error telling you that all tunnels must use the same setting.  Interestingly, FMC will not let you override the validation error during manual deploy but a scheduled deploy will run. 

3) When enabled the traffic will not only bypass the ACP but it appears to bypass the entire SNORT engine.  While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.

HTH,

Diego

View solution in original post

22 Replies 22

@tato386 it should bypass the ACP inspection. Do you have a VPN filter or DACL applied to the VPN, that will still block the traffic.

Run the command "system support firewall-engine-debug" and filter on SRC/DST, generate some traffic and confirm if traffic is allowed and whether it matches an ACP rule. Provide the output.

And/or run packet-tracer from the CLI to simulate the traffic flow. Provide the output.

Personally I'd recommend not bypassing the ACP and create specific rules per tunnel.

@Rob Ingram there is definitely no VPN filter, and I don't believe I have DACL either because I don't know exactly what that is or how to use it. 

I can confirm the traffic is being inspected via both FMC GUI connection events and the debug you recommended (see attachment).  The question is why is this happening if both sides of tunnel have bypass enabled?  Maybe some other VPN setting is preventing the bypass option from working?

 

Check if there is other VPN acl conflict with this VPN acl

Do you use No-NAT?

 

Thanks A Lot
MHM

update:  if I do "show running-config" I don't see "sysopt permit-vpn".  Maybe a flexconfig to force that in there?

@tato386 well traffic does appear to be being processed by the ACP, so it looks like the bypass ACP is not working as intended. Possibly this bug -  https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh30385 enable globally and try?

Else it does not appear that "sysopt-permit-vpn" is a prohibted command by FlexConfig so give it a try - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/flex-config.html#reference_ztv_qvw_yx

IMO I'd personally explictly permit the VPN traffic via ACP or pre-filter rule.

 

show run all 

all need to add to see if sysopt permit-vpn

tato386
Level 6
Level 6

If I do "show run all" I see these two commands:

sysopt connection permit-vpn
sysopt connection reclassify-vpn

which are slightly different than "sysopt permit-vpn".

The bug article is a bit confusing.  It says there are no workarounds so does that mean that adding "sysopt permit-vpn" via Flex config will not have the effect I am looking for?

@tato386 I don't have access to a FMC to confirm, but try - Devices > VPN > Remote Access > VPN Profile > Access Interfaces rather than configuring under the tunnel topology.

That seems to be for client VPN and I'm doing site-2-site.  I will try Flex config thing tonight and let you know,  Thx

The sysopt connection permit-vpn setting is global. If it is enabled for any VPN, it will apply to all VPNs on the device. As @Rob Ingram noted, vpn-filter is the only exception that would override this. A packet-tracer or, better yet, system support firewall-engine-debug would be better able to show you exactly where and why the traffic is being blocked.

@Marvin Rhoads we have confirmed the setting is present in the global config and that site to site VPN traffic is being blocked by ACP.  What I am trying to figure out is if this is a bug or maybe I am missing something.  Right now, I'm leaning towards bug and will probably use a prefitler rules as a workaround.  

As I know Sysop effect inbound  direction of traffic not outbound.

If you outbound traffic is drop by ACP (IN direction) apply to inside interface then there is no bug it normal.

The "sysopt connection permit-vpn" command is global and confirmed to be present on both FTDs.  Traffic is being blocked in both directions.  

LAN1-FTD1-FTD2-LAN2

if you ping from LAN1 then you need allow traffic in FTD1 inside interface IN direction 
you need FTD2 to have sysop-permit 

and vice versa

Thanks A Lot
MHM