11-05-2023 01:50 PM
I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs. I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel. However, when I try to copy files between the sites the files are blocked by a file rule in the ACP. So it seems like the option is not working or being ignored. Is there something I am missing? The FTDs are running v7.2.x code.
Thanks,
11-07-2023 11:03 AM
@MHM Cisco World yes, as I stated before, both FTDs have "sysopt connection permit-vpn" enabled and I can certainly ping across the site-2-site VPN. However, the ACP on the FTDs is designed to protect internal clients and servers from the Internet. The default action is "block all traffic" and only certain protocols are allowed to pass the ACP. I also have a file block rule in place that scans and/or blocks files like .exe that might be downloaded by clients from the Internet.
I do not want or need LAN to LAN traffic being scanned or blocked and that's where sysopt permit-vpn should come into play. However, it is not working (due to a bug I think) and file xfers and other protocols are being subject to ACP scans and blocking.
11-07-2023 11:28 AM
@tato386 what type of VPN do you have, policy based or route based?
sysopt connection permit-vpn does not work with Route Based VPN tunnels. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd94907
If not, perhaps time to raise a TAC call.
11-07-2023 12:00 PM
I am using policy based (Crypto Map) so yeah, I'll give TAC a call.
11-07-2023 11:31 AM
Can I see the ACP you use?
Thanks A Lot
MHM
11-07-2023 12:03 PM
@MHM Cisco World I am sure we can work around this problem by making changes to the ACP or using pre-filter rules but the thing is I would rather not do this. So it doesn't really matter what the ACP looks like, sysopt permit-vpn should bypass it and it is not doing that.
12-11-2023 09:43 AM
After working with TAC on this issue and doing lots of testing, here are the results and takeaways:
1) Unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic, which infers inbound only, but it also mentions sysopt permit-vpn, which in legacy platforms worked in both directions, so IMHO this is a bit confusing.
2) The option *appears* to be a per tunnel option but it is not. If you have more than 1 tunnel configured per FTD device the manual deploy will give you a validation error telling you that all tunnels must use the same setting. Interestingly, FMC will not let you override the validation error during manual deploy but a scheduled deploy will run.
3) When enabled the traffic will not only bypass the ACP but it appears to bypass the entire SNORT engine. While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.
HTH,
Diego
12-11-2023 09:50 AM
"only affects inbound traffic"
Same as what I mentioned before.
Thanks a lot for updating us.
Have a nice day
MHM
02-26-2024 09:32 AM
At the moment an enhancement request has been submitted to Cisco to fix this issue. No resolution unless you remove the bypass option from all VPN config and make sure the required rules are in place.