FTD site-to-site VPN seems to ignore bypass ACP setting

tato386
Level 6

I have a site-to-site VPN setup between two FTDs that are managed by separate FMCs.  I have enabled the bypass access control for decrypted traffic (sysopt permit-vpn) option on both sides of the tunnel.  However, when I try to copy files between the sites the files are blocked by a file rule in the ACP.  So it seems like the option is not working or being ignored.  Is there something I am missing? The FTDs are running  v7.2.x code.

Thanks,

22 Replies

@MHM Cisco World yes, as I stated before, both FTDs have "sysopt connection permit-vpn" enabled and I can certainly ping across the site-to-site VPN. However, the ACP on the FTDs is designed to protect internal clients and servers from the Internet. The default action is "block all traffic" and only certain protocols are allowed to pass the ACP. I also have a file block rule in place that scans and/or blocks files like .exe that might be downloaded by clients from the Internet.

I do not want or need LAN-to-LAN traffic being scanned or blocked, and that's where sysopt permit-vpn should come into play. However, it is not working (due to a bug, I think) and file transfers and other protocols are being subjected to ACP scans and blocking.

@tato386 what type of VPN do you have, policy-based or route-based?

sysopt connection permit-vpn does not work with Route Based VPN tunnels. https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd94907

If not, perhaps time to raise a TAC call.

I am using policy-based (crypto map), so yeah, I'll give TAC a call.

[image attachment: tato386_0-1699387196290.png]

Can I see the ACP you use?

Thanks A Lot
MHM

@MHM Cisco World I am sure we can work around this problem by making changes to the ACP or using pre-filter rules, but the thing is I would rather not do this. So it doesn't really matter what the ACP looks like; sysopt permit-vpn should bypass it, and it is not doing that.

tato386
Level 6

After working with TAC on this issue and doing lots of testing, here are the results and takeaways:

1) Unlike the ASA platform, on FTD the "bypass ACL" tunnel option (aka sysopt permit-vpn) only affects inbound traffic. The help text next to the option does mention "decrypted" traffic, which implies inbound only, but it also mentions sysopt permit-vpn, which in legacy platforms worked in both directions, so IMHO this is a bit confusing.

2) The option *appears* to be a per-tunnel option, but it is not. If you have more than one tunnel configured per FTD device, a manual deploy will give you a validation error telling you that all tunnels must use the same setting. Interestingly, FMC will not let you override the validation error during a manual deploy, but a scheduled deploy will run.

3) When enabled, the traffic will not only bypass the ACP but appears to bypass the entire Snort engine. While testing I noticed that I could not match this traffic with a prefilter, and no connection events were logged.

HTH,

Diego
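To make the asymmetry in takeaway 1 concrete, here is an added model of the behaviour described in the post above. It is not Cisco code and not FTD logic; the device names, the tunnel names, the allowed ports and the ".exe" file rule are all constructed for illustration. It walks a file copy across the tunnel as four legs (request out, request in, file out, file in) and shows that, because only decrypted inbound traffic is exempted, the leg where the file leaves its site is still evaluated by that site's ACP and file rule. It also models the deploy-validation check from takeaway 2 and the route-based exception from CSCwd94907.

```python
"""
Constructed model of the FTD "bypass access control for decrypted traffic"
option as reported in this thread. Not Cisco code: names, rules and the
flow legs are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str          # "policy" (crypto map) or "route" (VTI)
    bypass_acp: bool   # the sysopt permit-vpn checkbox in FMC


@dataclass(frozen=True)
class Flow:
    device: str                   # hypothetical FTD evaluating this flow
    tunnel: str
    direction: str                # "inbound" = just decrypted, "outbound" = about to be encrypted
    dst_port: int
    filename: Optional[str] = None  # file carried, when the flow is a file transfer


def validate_deploy(tunnels: List[Tunnel]) -> None:
    """Takeaway 2: the option is really per device; mixed settings fail validation."""
    if len({t.bypass_acp for t in tunnels}) > 1:
        raise ValueError("all tunnels on a device must use the same bypass setting")


def bypasses_acp(flow: Flow, tunnel: Tunnel) -> bool:
    """Takeaway 1 plus CSCwd94907: bypass applies only to inbound, policy-based flows."""
    if tunnel.kind == "route":
        return False
    return tunnel.bypass_acp and flow.direction == "inbound"


def acp_verdict(flow: Flow, allowed_ports, blocked_suffixes) -> str:
    """Constructed ACP: default block, allow listed ports, file rule blocks listed types."""
    if flow.dst_port not in allowed_ports:
        return "block (default action)"
    if flow.filename and flow.filename.lower().endswith(tuple(blocked_suffixes)):
        return "block (file rule)"
    return "allow"


def evaluate(flow: Flow, tunnels: List[Tunnel], allowed_ports, blocked_suffixes) -> str:
    tunnel = next(t for t in tunnels if t.name == flow.tunnel)
    if bypasses_acp(flow, tunnel):
        # Takeaway 3: bypassed traffic skips Snort entirely, so nothing is logged either.
        return "allow (bypassed ACP/Snort, no connection event)"
    return acp_verdict(flow, allowed_ports, blocked_suffixes)


def file_copy_verdicts(tunnels: List[Tunnel], tunnel_name: str,
                       filename: str, port: int = 445) -> List[Tuple[str, str, str]]:
    """A client behind FTD-A pulls <filename> from a server behind FTD-B.
    Both FTDs are assumed to carry the same tunnel list and the same ACP.
    Returns (device, direction, verdict) for each leg of the exchange."""
    validate_deploy(tunnels)
    allowed_ports = {443, 445}       # constructed allow list
    blocked_suffixes = (".exe",)     # constructed file rule
    legs = [
        Flow("FTD-A", tunnel_name, "outbound", port),             # request leaves site A
        Flow("FTD-B", tunnel_name, "inbound", port),              # request arrives at site B
        Flow("FTD-B", tunnel_name, "outbound", port, filename),   # file leaves site B
        Flow("FTD-A", tunnel_name, "inbound", port, filename),    # file arrives at site A
    ]
    return [(f.device, f.direction, evaluate(f, tunnels, allowed_ports, blocked_suffixes))
            for f in legs]


if __name__ == "__main__":
    s2s = [Tunnel("s2s-to-siteB", "policy", True)]
    for device, direction, verdict in file_copy_verdicts(s2s, "s2s-to-siteB", "setup.exe"):
        print(f"{device:6} {direction:8} -> {verdict}")
```

Running it shows both inbound legs bypassing inspection while the "file leaves site B" leg is blocked by the file rule on FTD-B, which is exactly the symptom in the opening post: the copy fails even though bypass is enabled on both ends. Switching the tunnel kind to "route" makes every leg hit the ACP, and giving two tunnels different bypass settings raises the validation error before any flow is evaluated.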

only affects inbound traffic

Same as what I mentioned before.

Thanks a lot for updating us.
Have a nice day.
MHM

At the moment an enhancement request has been submitted to Cisco to fix this issue. No resolution unless you remove the bypass option from all VPN configs and make sure the required rules are in place.

@MHM Cisco World @Marvin Rhoads @Rob Ingram @tato386 

https://bst.cisco.com/bugsearch/bug/CSCwh30385?rfs=qvlogin