11-05-2023 01:50 PM
I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs. I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel. However, when I try to copy files between the sites the files are blocked by a file rule in the ACP. So it seems like the option is not working or being ignored. Is there something I am missing? The FTDs are running v7.2.x code.
Thanks,
Solved! Go to Solution.
12-11-2023 09:43 AM
After working with TAC on this issue and doing lots of testing, here are the results and takeaways:
1) unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic which infers inbound only but it also mentions sysopt permit-vpn which in legacy platforms worked in both directions so IMHO this is a bit confusing.
2) The option *appears* to be a per tunnel option but it is not. If you have more than 1 tunnel configured per FTD device the manual deploy will give you a validation error telling you that all tunnels must use the same setting. Interestingly, FMC will not let you override the validation error during manual deploy but a scheduled deploy will run.
3) When enabled the traffic will not only bypass the ACP but it appears to bypass the entire SNORT engine. While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.
HTH,
Diego
11-05-2023 02:01 PM - edited 11-05-2023 02:23 PM
@tato386 it should bypass the ACP inspection. Do you have a VPN filter or DACL applied to the VPN, that will still block the traffic.
Run the command "system support firewall-engine-debug" and filter on SRC/DST, generate some traffic and confirm if traffic is allowed and whether it matches an ACP rule. Provide the output.
And/or run packet-tracer from the CLI to simulate the traffic flow. Provide the output.
Personally I'd recommend not bypassing the ACP and create specific rules per tunnel.
11-06-2023 06:05 AM
@Rob Ingram there is definitely no VPN filter, and I don't believe I have DACL either because I don't know exactly what that is or how to use it.
I can confirm the traffic is being inspected via both FMC GUI connection events and the debug you recommended (see attachment). The question is why is this happening if both sides of tunnel have bypass enabled? Maybe some other VPN setting is preventing the bypass option from working?
11-06-2023 06:14 AM
Check if there is other VPN acl conflict with this VPN acl
Do you use No-NAT?
Thanks A Lot
MHM
11-06-2023 06:18 AM
update: if I do "show running-config" I don't see "sysopt permit-vpn". Maybe a flexconfig to force that in there?
11-06-2023 06:25 AM - edited 11-06-2023 06:28 AM
@tato386 well traffic does appear to be being processed by the ACP, so it looks like the bypass ACP is not working as intended. Possibly this bug - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh30385 enable globally and try?
Else it does not appear that "sysopt-permit-vpn" is a prohibted command by FlexConfig so give it a try - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/flex-config.html#reference_ztv_qvw_yx
IMO I'd personally explictly permit the VPN traffic via ACP or pre-filter rule.
11-06-2023 06:27 AM
show run all
all need to add to see if sysopt permit-vpn
11-06-2023 09:17 AM
If I do "show run all" I see these two commands:
sysopt connection permit-vpn
sysopt connection reclassify-vpn
which are slightly different than "sysopt permit-vpn".
The bug article is a bit confusing. It says there are no workarounds so does that mean that adding "sysopt permit-vpn" via Flex config will not have the effect I am looking for?
11-06-2023 09:31 AM
@tato386 I don't have access to a FMC to confirm, but try - Devices > VPN > Remote Access > VPN Profile > Access Interfaces rather than configuring under the tunnel topology.
11-06-2023 01:03 PM
That seems to be for client VPN and I'm doing site-2-site. I will try Flex config thing tonight and let you know, Thx
11-07-2023 05:40 AM
The sysopt connection permit-vpn setting is global. If it is enabled for any VPN, it will apply to all VPNs on the device. As @Rob Ingram noted, vpn-filter is the only exception that would override this. A packet-tracer or, better yet, system support firewall-engine-debug would be better able to show you exactly where and why the traffic is being blocked.
11-07-2023 07:50 AM
@Marvin Rhoads we have confirmed the setting is present in the global config and that site to site VPN traffic is being blocked by ACP. What I am trying to figure out is if this is a bug or maybe I am missing something. Right now, I'm leaning towards bug and will probably use a prefitler rules as a workaround.