ā11-05-2023 01:50 PM
I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs. I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel. However, when I try to copy files between the sites the files are blocked by a file rule in the ACP. So it seems like the option is not working or being ignored. Is there something I am missing? The FTDs are running v7.2.x code.
Thanks,
Solved! Go to Solution.
ā12-11-2023 09:43 AM
After working with TAC on this issue and doing lots of testing, here are the results and takeaways:
1) unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic which infers inbound only but it also mentions sysopt permit-vpn which in legacy platforms worked in both directions so IMHO this is a bit confusing.
2) The option *appears* to be a per tunnel option but it is not. If you have more than 1 tunnel configured per FTD device the manual deploy will give you a validation error telling you that all tunnels must use the same setting. Interestingly, FMC will not let you override the validation error during manual deploy but a scheduled deploy will run.
3) When enabled the traffic will not only bypass the ACP but it appears to bypass the entire SNORT engine. While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.
HTH,
Diego
ā11-05-2023 02:01 PM - edited ā11-05-2023 02:23 PM
@tato386 it should bypass the ACP inspection. Do you have a VPN filter or DACL applied to the VPN, that will still block the traffic.
Run the command "system support firewall-engine-debug" and filter on SRC/DST, generate some traffic and confirm if traffic is allowed and whether it matches an ACP rule. Provide the output.
And/or run packet-tracer from the CLI to simulate the traffic flow. Provide the output.
Personally I'd recommend not bypassing the ACP and create specific rules per tunnel.
ā11-06-2023 06:05 AM
@Rob Ingram there is definitely no VPN filter, and I don't believe I have DACL either because I don't know exactly what that is or how to use it.
I can confirm the traffic is being inspected via both FMC GUI connection events and the debug you recommended (see attachment). The question is why is this happening if both sides of tunnel have bypass enabled? Maybe some other VPN setting is preventing the bypass option from working?
ā11-06-2023 06:14 AM
Check if there is other VPN acl conflict with this VPN acl
Do you use No-NAT?
Thanks A Lot
MHM
ā11-06-2023 06:18 AM
update: if I do "show running-config" I don't see "sysopt permit-vpn". Maybe a flexconfig to force that in there?
ā11-06-2023 06:25 AM - edited ā11-06-2023 06:28 AM
@tato386 well traffic does appear to be being processed by the ACP, so it looks like the bypass ACP is not working as intended. Possibly this bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh30385 enable globally and try?
Else it does not appear that "sysopt-permit-vpn" is a prohibted command by FlexConfig so give it a try - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/flex-config.html#reference_ztv_qvw_yx
IMO I'd personally explictly permit the VPN traffic via ACP or pre-filter rule.
ā11-06-2023 06:27 AM
show run all
all need to add to see if sysopt permit-vpn
ā11-06-2023 09:17 AM
If I do "show run all" I see these two commands:
sysopt connection permit-vpn
sysopt connection reclassify-vpn
which are slightly different than "sysopt permit-vpn".
The bug article is a bit confusing. It says there are no workarounds so does that mean that adding "sysopt permit-vpn" via Flex config will not have the effect I am looking for?
ā11-06-2023 09:31 AM
@tato386 I don't have access to a FMC to confirm, but try - Devices > VPN > Remote Access > VPN Profile > Access Interfaces rather than configuring under the tunnel topology.
ā11-06-2023 01:03 PM
That seems to be for client VPN and I'm doing site-2-site. I will try Flex config thing tonight and let you know, Thx
ā11-07-2023 05:40 AM
The sysopt connection permit-vpn setting is global. If it is enabled for any VPN, it will apply to all VPNs on the device. As @Rob Ingram noted, vpn-filter is the only exception that would override this. A packet-tracer or, better yet, system support firewall-engine-debug would be better able to show you exactly where and why the traffic is being blocked.
ā11-07-2023 07:50 AM
@Marvin Rhoads we have confirmed the setting is present in the global config and that site to site VPN traffic is being blocked by ACP. What I am trying to figure out is if this is a bug or maybe I am missing something. Right now, I'm leaning towards bug and will probably use a prefitler rules as a workaround.
ā11-07-2023 07:59 AM
As I know Sysop effect inbound direction of traffic not outbound.
If you outbound traffic is drop by ACP (IN direction) apply to inside interface then there is no bug it normal.
ā11-07-2023 08:35 AM
The "sysopt connection permit-vpn" command is global and confirmed to be present on both FTDs. Traffic is being blocked in both directions.
ā11-07-2023 08:42 AM
LAN1-FTD1-FTD2-LAN2
if you ping from LAN1 then you need allow traffic in FTD1 inside interface IN direction
you need FTD2 to have sysop-permit
and vice versa
Thanks A Lot
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide