cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
681
Views
0
Helpful
3
Replies

VPN DAP policy

Gonzo1
Level 1
Level 1

Hello,

 

I have a DAP policy that is working almost as it should.  I've got 4 DAP policies and I had to create one for a specific external company based on 2 usernames.  If they log in they can only get to one server and it works.  What is strange is in the DAP trace as it shows 2 DAP policies, one I don't want them using, which on testing they are not.

 

At the bottom of the trace it shows 2 DAPs, why?

 


DAP_TRACE: Username: bob, Selected DAPs: ,DAP-Policy-123,mydap-DAP-Policy
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: bob, dap_aggregate_attr: rec_count = 2
DAP_TRACE[128]: DAP ACL Aggregate: Classifying mydap-vpn: priority=0, sense=0(White), Denies=0, Permits=11
DAP_TRACE: Username: bob, DAP_close: 91

 

What I really want to do is if they hit their DAP which is top and don't meet the requirements then terminate, but it seems to continue and I think try our corporate DAP policy too (DAP-Policy-123). Although they do seem to be locked down to the DAP I've configured them.

 

Thing is I don't what to cause issues with the corporate users (DAP-Policy-123).

 

Any advise would be great.

 

3 Replies 3

GioGonza
Level 4
Level 4

Hello @Gonzo1

 

The thing with the DAP policies is that for every connection, the entire policies are checked by the ASA and it will merge the policies once it matches different priorities. There is no configuration you can apply to tell the ASA to select the first it matches and then terminate checking the others. 

 

HTH

Gio

Thanks.

 

It seems to work based on the first DAP they see which uses a ACL to only allow them to a certain server, which is how I want it.  I've just tested it and even though both DAPs are mentioned in the trace they can't get to other areas which the last DAP in the trace does allow.  So I'm a little confused, but please it works how it should do.

 

If I had 10 DAPs and they matched the 1st I assume it then drills through the other 9, but won't apply those ones if they don't match anything?

 

Just don't understand why they get 2 from the 4 I have.

Hello @Gonzo1,

 

Based on your response, if they are landing on the correct DAP policy and they are allowed only to got the ACL configured in that policy, that´s OK. Now, for the second policy... What do you have configured? 

 

Like I said, if you have another ACL on the second one the ASA will do a merge and apply both of them but if you only have the second for authentication (check something on the machine for example) that´s what the ASA does in this case. 

 

Basically, that depends on what you have configured on the selected DAP policies. 

 

HTH

Gio