04-11-2024 12:06 PM
I have 4 locations that have a site to site tunnel back to our main office.
Occasionally, someone on one of the remote networks will VPN in with AnyConnect, and basically cause a network loop that brings a majority of the network at the remote site down.
Is it possible to deny the IP addresses of the remote sites the ability to create an AnyConnect connection without breaking the existing site-to-site tunnels?
04-11-2024 12:09 PM
@Lee Dress you could create a control-plane ACL assigned to the outside interface and deny connections from your remote site network ranges and then permit all other traffic.
04-15-2024 05:56 AM
I did the block at the edge router for the port.
It was easier than all the FlexConfig stuff you need to do at the Firepower device.
I made a group of all my remote location IP addresses, and explicitly denied the VPN port.
Thank you for the help.
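What that edge-router block looks like in IOS-style configuration, as an added example rather than the poster's actual config: a network object-group holding the remote sites' public addresses (the ranges below are constructed placeholders, as is the WAN interface name), an extended ACL that denies only the AnyConnect port (7443, per the thread) from those sources, and an explicit permit for everything else so the site-to-site IPsec traffic (IKE on UDP 500/4500, ESP) is untouched. UDP 7443 is included on the assumption that DTLS is enabled on the same port.

```cisco
! Added example (not from the thread). Remote-site addresses are placeholders.
object-group network REMOTE_SITES
 description Public addresses of the four remote offices (placeholder values)
 host 198.51.100.10
 host 198.51.100.20
 203.0.113.0 255.255.255.0
!
ip access-list extended BLOCK_REMOTE_RAVPN
 remark Stop remote offices from starting an AnyConnect session at the hub
 deny   tcp object-group REMOTE_SITES any eq 7443 log
 deny   udp object-group REMOTE_SITES any eq 7443 log
 remark Site-to-site IPsec (IKE, NAT-T, ESP) and all other traffic still pass
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN uplink (assumed interface name)
 ip access-group BLOCK_REMOTE_RAVPN in
```

After applying it, `show access-lists BLOCK_REMOTE_RAVPN` shows hit counts on the deny lines whenever a remote office attempts to connect, which is also a quick way to confirm the object-group actually contains the address the remote site egresses from (a site behind a different NAT address would slip past the block).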
04-11-2024 12:14 PM
I don't know how the loop occurs, can you elaborate more?
MHM
04-11-2024 12:23 PM
Rob,
Since the site has a site-to-site tunnel, wouldn't that break the tunnel?
We use port 7443 for our VPN, so maybe I could make the ACL just for that port? I could possibly just do this at the edge router if that would work.
MHM,
We have 2 outside interfaces that accept VPN connections; all of our site-to-site tunnels are on one interface (i.e. eth1).
People AnyConnect VPN in mostly through the other interface (i.e. eth2).
I believe this is the cause of the loop. I'm not sure exactly, but I've had someone VPN in from one remote site, and 80% of their network went down. When the VPN session was disconnected, the site came back up.
04-11-2024 12:27 PM
@Lee Dress yes, explicitly deny the SSL port (7443) and permit all other port(s), allowing the S2S VPN etc.
I've not heard/seen a single RAVPN cause a problem with a S2S VPN though, tbh.
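The control-plane ACL Rob describes, written out in ASA syntax as an added example (not the thread's own config; on an FTD this is the kind of block FlexConfig would push). The remote-site addresses are constructed placeholders and `outside` is an assumed nameif for the interface the AnyConnect clients hit (eth2 in the thread). Only the SSL/DTLS port is denied from those sources; the final permit keeps IKE, NAT-T and ESP for the site-to-site tunnels flowing.

```cisco
! Added example (not from the thread). Remote-site addresses are placeholders.
object-group network REMOTE_SITES
 network-object host 198.51.100.10
 network-object host 198.51.100.20
 network-object 203.0.113.0 255.255.255.0
!
! Deny only the AnyConnect listener (TCP 7443, plus UDP 7443 if DTLS is on)
access-list OUTSIDE_CP extended deny tcp object-group REMOTE_SITES any eq 7443
access-list OUTSIDE_CP extended deny udp object-group REMOTE_SITES any eq 7443
! Everything else to the firewall itself (IKE, NAT-T, ESP for the S2S tunnels) is allowed
access-list OUTSIDE_CP extended permit ip any any
!
! Control-plane ACLs filter traffic addressed to the ASA itself, not through-traffic
access-group OUTSIDE_CP in interface outside control-plane
```

`show access-list OUTSIDE_CP` shows the hit counts per line. Because the thread says the site-to-site tunnels terminate on eth1 and the AnyConnect sessions on eth2, a control-plane ACL bound only to the AnyConnect interface never evaluates the IPsec traffic at all; the explicit permit matters only if both land on the same interface.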
04-11-2024 12:31 PM
Thanks.
04-11-2024 12:27 PM
Does the VPN subnet conflict with the remote LAN?
MHM
04-11-2024 12:33 PM
No.
I'll try Rob's solution.
There's no reason someone in a remote office with a tunnel should VPN in anyway. I'm just trying to eliminate the possibility.
It doesn't make sense to me either, but it is consistently reproducible, so I want to eliminate the ability of anyone even trying.