Hi, I have a strange problem on remote access vpn using sysopt command

ramkumar-n · ‎03-17-2011

I believe if we enable the sysopt for ipsec traffics on the FW then it wont looks for interface ACL and acl will be applied by using of vpn filter on group policy profile.

My problem is like.. the user is connected on vpn from outside and trying to download the file from inside host using scp port..

problem describe

------------------------

checked the syslog server and found that few abnormal deny statements, denied by inside_inbound acl, after that checked with user, he also stated the same while doing scp from the vpn IP 10.0.0.38 to destination ip 10.0.1.157 connection got freeze and customer need to reconnect to established the session. While investigating the configuration adm profile which use admin access acl permitted between these two hosts, i.e. 10.0.1.157 and 10.0.0.38 , am wondering this flow got denied by inside_inbound acl

group-policy adm-group-policy internal

group-policy adm-group-policy attributes

vpn-idle-timeout 15

vpn-filter value adm-access

vpn-tunnel-protocol IPSec

password-storage disable

access-list adm-access remark Allowed Access

access-list adm-access extended permit ip 10.0.0.0 255.255.255.192 10.0.0.0 255.255.252.0

access-list adm-access extended deny ip any any log

ip local pool vpnpool 10.0.0.6-10.0.0.63 mask 255.255.252.0

interface configs

----------------------

interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address 19.24.40.15 255.255.255.0

!

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.0.0.1 255.255.252.0

access-list outside_inbound extended deny ip any any log

access-list inside_inbound extended deny ip any any log

access-group outside_inbound in interface outside

access-group inside_inbound in interface inside

Can anyone provide the resolution for this issue which be appreciate.

Thanks

bala020881 · ‎03-17-2011

Dear Ram,

Can you please share the output of show run | i sysopt to know about your config.

Regards

BR

ramkumar-n · ‎03-17-2011

Please find the sysopt output

cisco# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
sysopt nodnsalias inbound
sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt noproxyarp yellow
no sysopt noproxyarp devyellow
no sysopt noproxyarp management
cisco#

bala020881 · ‎03-17-2011

Dear Ram,

I see that you configured some acl for the VPN users and you have sysopt permit-vpn which is inconsistence. Because if you enable sysopt permit-vpn which permit any packets that come from an IPsec tunnel without checking any access lists for interface.

Normally if you have these below sysopt configured it would be sufficient.

sysopt connection tcpmss 1280
sysopt noproxyarp outside
sysopt noproxyarp inside

Can you give more information about your problem so that I can help further.

Thanks

ramkumar-n · ‎03-17-2011

Dear Bala,

You are right, when the customer is connected on vpn, after that they are trying to download some file using scp sometime interface acl (inside_inbound ACL) is denied the packet which not suppose to look at the interface acl since the packet is coming from ipsec tunnel.

After that user got freeze and he need to reconnect the vpn to work.

Can you pls clarify me how inbound and outbound traffic will work on group policy profile vpn filter attributes? is like bi-directional or uni-directional ? and if you can find where this is cause the problem.

Thanks

bala020881 · ‎03-17-2011

Dear Ram,

This happens only for the SCP file transfer?? connection.

can you share the output of show run | i df-bit

Thanks

ramkumar-n · ‎03-18-2011

yes, its for scp connection only...

cisco# sh run | in df-bit

cisco#