Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
298
Views
0
Helpful
8
Replies

Users attempting anyconnect VPN while on a site to site tunnel

Go to solution
Lee Dress
Level 1
Level 1

‎04-11-2024 12:06 PM

I have 4 locations that have a site to site tunnel back to our main office.

occasionally, someone on one of the remote networks will VPN in with AnyConnect, and basically cause a network loop that brings a majority of the network at the remote site down.

is it possible to deny the IP Addresses of the remote sites the ability to create an Anyconnect connection without breaking the existing site to site tunnels?

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-11-2024 12:09 PM

@Lee Dress you could create a control-plane ACL assigned to the outside interface and deny connections from your remote site network ranges and then permit all other traffic.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎04-11-2024 12:09 PM

@Lee Dress you could create a control-plane ACL assigned to the outside interface and deny connections from your remote site network ranges and then permit all other traffic.

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221457-configure-control-plane-access-control-p.html

 

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1
In response to Rob Ingram

‎04-15-2024 05:56 AM

I did the block at the edge router for the port.

it was easier then all the flexconfig stuff you need to do at the firepower device.

I made a group of all my remote location IP addresses, and explicitly denied the vpn port.

thank you for the help

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎04-11-2024 12:14 PM

I don't know how loop occur, can you more elaborate

MHM

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1

‎04-11-2024 12:23 PM

Rob,

Since the site has a site to site tunnel, wouldn't that break the tunnel?

we use port 7443 for our vpn, so maybe I could make the ACL just for that port?  I could possibly just do this at the edge router if that would work.

MHM,

we have 2 outside interfaces that accept VPN connections, all of our site to site tunnels are on one interface (i.e eth1)

people anyconnect VPN in mostly through the other interface (ie. eth2)

I believe this is the cause of the loop.  I'm not sure exactly, but I've had someone vpn in from one remote site, and 80% of their network went down.  when the vpn session was disconnected, the site came back up.

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Lee Dress

‎04-11-2024 12:27 PM

@Lee Dress yes, explictly deny the SSL port (7443) and permit all other port(s), allowing the S2S VPN etc.

I've not heard/seen a single RAVPN cause a problem with a S2S VPN though tbh.

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1
In response to Rob Ingram

‎04-11-2024 12:31 PM

Thanks.

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to Lee Dress

‎04-11-2024 12:27 PM

Is vpn subnet conflict with remote lan?

MHM

0 Helpful

Go to solution
Lee Dress
Level 1
Level 1
In response to MHM Cisco World

‎04-11-2024 12:33 PM

no. 

I'll try Rob's solution.

there's no reason someone in a remote office with a tunnel should VPN in anyway.  I'm just trying to eliminate the possibilty.

It doesn't make sense to me either but it is consistently reproducible. so I want to eliminate the ability of anyone even trying.

 

0 Helpful
Customers Also Viewed These Support Documents