VPN DAP policy

Gonzo1
Level 1

Hello,

I have a DAP policy that is working almost as it should. I've got 4 DAP policies, and I had to create one for a specific external company based on 2 usernames. If they log in they can only get to one server, and it works. What is strange is that the DAP trace shows 2 DAP policies, one of which I don't want them using, and which on testing they are not.

At the bottom of the trace it shows 2 DAPs. Why?

DAP_TRACE: Username: bob, Selected DAPs: ,DAP-Policy-123,mydap-DAP-Policy
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: bob, dap_aggregate_attr: rec_count = 2
DAP_TRACE[128]: DAP ACL Aggregate: Classifying mydap-vpn: priority=0, sense=0(White), Denies=0, Permits=11
DAP_TRACE: Username: bob, DAP_close: 91

What I really want is this: if they hit their DAP, which is at the top, and don't meet the requirements, then it terminates. But it seems to continue and, I think, try our corporate DAP policy too (DAP-Policy-123), although they do seem to be locked down to the DAP I've configured for them.

The thing is, I don't want to cause issues for the corporate users (DAP-Policy-123).

Any advice would be great.

3 Replies

GioGonza
Level 4

Hello @Gonzo1

The thing with DAP policies is that for every connection, all the policies are checked by the ASA, and it will merge the policies it matches, even ones with different priorities. There is no configuration you can apply to tell the ASA to select the first one it matches and then stop checking the others.

HTH

Gio

Thanks.

It seems to work based on the first DAP they see, which uses an ACL to only allow them to a certain server, which is how I want it. I've just tested it, and even though both DAPs are mentioned in the trace, they can't get to other areas which the last DAP in the trace does allow. So I'm a little confused, but pleased it works how it should.

If I had 10 DAPs and they matched the 1st, I assume it then drills through the other 9 but won't apply those if they don't match anything?

I just don't understand why they get 2 of the 4 I have.

Hello @Gonzo1,

Based on your response, if they are landing on the correct DAP policy and are allowed only to go where the ACL configured in that policy permits, that's OK. Now, for the second policy... what do you have configured?

Like I said, if you have another ACL on the second one, the ASA will do a merge and apply both of them; but if you only have the second one for authentication (to check something on the machine, for example), that's what the ASA does in this case.

Basically, it depends on what you have configured on the selected DAP policies.

HTH

Gio
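The behaviour Gio describes (the ASA evaluates every DAP record for each connection, selects all that match, and aggregates their attributes) can be checked from the debug trace quoted in the question. The Python below is an added example, not Cisco code and not anything posted in the thread. It parses the DAP_TRACE lines from the question (copied here as a constructed sample), reports how many records were selected and how the aggregated ACL was classified, and then models record selection for a four-record setup like the one in the question. The criteria attached to each record (a group-membership rule on DAP-Policy-123, the two usernames on mydap-DAP-Policy), the record names other than DAP-Policy-123, mydap-DAP-Policy and mydap-vpn, and the priority ordering of the merged ACL list are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the five DAP_TRACE lines quoted in the question.
SAMPLE_TRACE = """\
DAP_TRACE: Username: bob, Selected DAPs: ,DAP-Policy-123,mydap-DAP-Policy
DAP_TRACE: dap_process_selected_daps: selected 2 records
DAP_TRACE: Username: bob, dap_aggregate_attr: rec_count = 2
DAP_TRACE[128]: DAP ACL Aggregate: Classifying mydap-vpn: priority=0, sense=0(White), Denies=0, Permits=11
DAP_TRACE: Username: bob, DAP_close: 91
"""

SELECTED_RE = re.compile(r"Username: (?P<user>\S+), Selected DAPs: (?P<daps>.*)$")
COUNT_RE = re.compile(r"dap_aggregate_attr: rec_count = (?P<n>\d+)")
ACL_RE = re.compile(
    r"DAP ACL Aggregate: Classifying (?P<acl>\S+): priority=(?P<prio>\d+), "
    r"sense=\d+\((?P<sense>\w+)\), Denies=(?P<denies>\d+), Permits=(?P<permits>\d+)"
)


def parse_dap_trace(text):
    """Pull the selected DAP names, record count and ACL classification out of a trace."""
    parsed = {"username": None, "selected": [], "rec_count": None, "acls": []}
    for line in text.splitlines():
        if m := SELECTED_RE.search(line):
            parsed["username"] = m.group("user")
            # The ASA prints a leading separator before the first name, so drop empty fields.
            parsed["selected"] = [d for d in m.group("daps").split(",") if d]
        elif m := COUNT_RE.search(line):
            parsed["rec_count"] = int(m.group("n"))
        elif m := ACL_RE.search(line):
            parsed["acls"].append({
                "name": m.group("acl"), "priority": int(m.group("prio")),
                "sense": m.group("sense"),
                "denies": int(m.group("denies")), "permits": int(m.group("permits")),
            })
    return parsed


def triage(parsed):
    """Findings a reviewer would want before trusting the merged policy."""
    findings = []
    if len(parsed["selected"]) > 1:
        findings.append(
            f"{parsed['username']} matched {len(parsed['selected'])} DAP records "
            f"({', '.join(parsed['selected'])}); the ASA aggregates their attributes"
        )
    if parsed["rec_count"] is not None and parsed["rec_count"] != len(parsed["selected"]):
        findings.append("rec_count disagrees with the Selected DAPs list")
    for acl in parsed["acls"]:
        if acl["denies"] and acl["permits"]:
            findings.append(f"ACL {acl['name']} mixes permit and deny entries")
    return findings


@dataclass
class DapRecord:
    name: str
    priority: int
    # Simplified selection model (assumption): a record is selected when every
    # attribute it lists contains the session's value; no criteria = matches everyone.
    criteria: dict = field(default_factory=dict)
    network_acls: list = field(default_factory=list)


# Assumed reconstruction of the four records in the question; the criteria and the
# names "contractors", "quarantine", "corp-acl", "contractor-acl" are hypothetical.
RECORDS = [
    DapRecord("mydap-DAP-Policy", 10, {"username": {"bob", "alice"}}, ["mydap-vpn"]),
    DapRecord("DAP-Policy-123", 5, {"memberof": {"vpn-users"}}, ["corp-acl"]),
    DapRecord("contractors", 5, {"memberof": {"contractors"}}, ["contractor-acl"]),
    DapRecord("quarantine", 0, {"posture": {"fail"}}, ["quarantine-acl"]),
]


def select_records(records, session):
    """Every record is evaluated; all that match are returned, highest priority first."""
    hits = [r for r in records
            if all(session.get(k) in allowed for k, allowed in r.criteria.items())]
    return sorted(hits, key=lambda r: r.priority, reverse=True)


def aggregate_acls(selected):
    """Merged network-ACL list; ordering by record priority is an assumption of this model."""
    merged = []
    for rec in selected:
        merged.extend(a for a in rec.network_acls if a not in merged)
    return merged


if __name__ == "__main__":
    info = parse_dap_trace(SAMPLE_TRACE)
    for finding in triage(info):
        print("finding:", finding)
    bob = {"username": "bob", "memberof": "vpn-users", "posture": "pass"}
    chosen = select_records(RECORDS, bob)
    print("selected:", [r.name for r in chosen], "merged ACLs:", aggregate_acls(chosen))
```

Run against the trace from the question, the parser returns both selected records and the single whitelist ACL; the selection model then shows why bob lands on two of the four records: a username-specific record and a broader group-based record can both be true for the same session, and the trace lists everything that matched rather than stopping at the first hit.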