
CISCO VPN not working after MR8?

I upgraded one of my firewalls this weekend to 17.0-MR8. Upgrade went fine. However, now the Cisco VPN Client that we use for remote MacOS and Apple iOS users is not working. The firewall rule is the same before and after. All other settings still look the same. We can connect and authenticate, but nothing is reachable via VPN. Authentication Log shows login. SYSTEM log shows connections and disconnections. However, Firewall log does not show anything even though firewall rule has logging turned on. I do have a few IPS log entries, but nothing that seems relevant. 



  • Flo,

    From packet capture I can see packets with a Status of "Violation", the Reason of "Firewall" and the Rule ID of 0.

    Which doesn't totally make sense to me. All I did was upgrade to MR8 and now it is ignoring my FW rule it seems.

    I have rebuilt the firewall rule with:

    ------------------------------------------------------

    Rule

    Accept any service going to "LAN" or "WAN" zones, when in "VPN" zone, and coming from "#RemoteIuser" network, scan for malware and log connections, then apply IPS policies

    Source & Schedule
    Source Zone : VPN
    Source Networks and Devices : #RemoteIuser
    During Scheduled Time : All the Time

    Destination & Services
    Destination Zones : LAN, WAN
    Destination Networks : Any
    Services : Any

    ------------------------------------------------------

    I have re-added the users to the Allowed User list for CiscoVPN Client.

    I have gone to each User and ensured the CISCO VPN Client is Enabled.

    One thing to note - I am using AD user accounts which I am beginning to suspect is the culprit. Otherwise, I can't really explain the FW rule violation. I did try to add "Match known users" with the list of users set up in the CISCO VPN list, but it didn't make any difference.

    Regards,

    Gary
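    Added troubleshooting sketch (not from Gary's post and not Sophos code): a small Python model of the rebuilt rule above, used to work out why a VPN-zone packet could end up logged against rule ID 0, which Sophos uses for traffic that matched no firewall rule (the default drop). The contents of the "#RemoteIuser" object, the rule number 12, and the key=value capture lines are all constructed placeholders; the real packet-capture format is not shown in the thread. The model only covers zone and source-network matching, so a hit in the model but a violation on the box points at a condition the model does not cover, such as the user identity match.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the "#RemoteIuser" network object; the thread
# does not say which address pool the Cisco VPN client hands out.
REMOTE_USER_NET = ipaddress.ip_network("10.81.234.0/24")


@dataclass(frozen=True)
class Rule:
    rule_id: int
    src_zones: frozenset   # zones the packet may arrive from
    src_nets: tuple        # ip_network objects; empty tuple means "Any"
    dst_zones: frozenset   # zones the packet may go to
    action: str


# Sophos reports traffic that matched no rule as rule ID 0 (default drop).
DEFAULT_DROP = Rule(0, frozenset(), (), frozenset(), "drop")

# Hypothetical rule ID 12 = the rebuilt VPN -> LAN/WAN rule from the post.
RULES = [
    Rule(12, frozenset({"VPN"}), (REMOTE_USER_NET,),
         frozenset({"LAN", "WAN"}), "accept"),
]


def match_rule(rules, src_zone, src_ip, dst_zone):
    """First rule whose zones and source networks cover the packet, else rule 0."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if src_zone not in r.src_zones or dst_zone not in r.dst_zones:
            continue
        if r.src_nets and not any(ip in n for n in r.src_nets):
            continue
        return r
    return DEFAULT_DROP


def explain_miss(rules, src_zone, src_ip, dst_zone):
    """Per-rule reason the packet did not match; None if some rule matches."""
    ip = ipaddress.ip_address(src_ip)
    reasons = []
    for r in rules:
        if src_zone not in r.src_zones:
            reasons.append(f"rule {r.rule_id}: source zone {src_zone} not in {sorted(r.src_zones)}")
        elif dst_zone not in r.dst_zones:
            reasons.append(f"rule {r.rule_id}: destination zone {dst_zone} not in {sorted(r.dst_zones)}")
        elif r.src_nets and not any(ip in n for n in r.src_nets):
            nets = [str(n) for n in r.src_nets]
            reasons.append(f"rule {r.rule_id}: {ip} not in source networks {nets}")
        else:
            return None
    return reasons


# Constructed capture lines in a simple key=value layout (not the real format).
CAPTURE = """\
status=Violation reason=Firewall rule_id=0 src_zone=VPN src_ip=10.81.250.7 dst_zone=LAN
status=Allowed reason=Firewall rule_id=12 src_zone=VPN src_ip=10.81.234.20 dst_zone=LAN
status=Violation reason=Firewall rule_id=0 src_zone=VPN src_ip=10.81.250.8 dst_zone=WAN
"""


def parse_capture(text):
    """Turn each non-empty key=value line into a dict."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(kv.split("=", 1) for kv in line.split()))
    return rows


def triage(text, rules=RULES):
    """For every rule-0 violation, list why the modelled rules did not match."""
    findings = []
    for row in parse_capture(text):
        if row["status"] != "Violation" or row["rule_id"] != "0":
            continue
        reasons = explain_miss(rules, row["src_zone"], row["src_ip"], row["dst_zone"])
        if reasons is None:
            # Zones and networks fit, so the miss comes from something the
            # model does not cover (e.g. a user/identity match condition).
            reasons = ["model matches; check conditions not modelled here (user match)"]
        findings.append((row["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for src_ip, reasons in triage(CAPTURE):
        print(src_ip, "->", "; ".join(reasons))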

     

  • Hey Gary,

    Thanks for providing more detail and context. Would it be possible to please enable the support access tunnel to your firewall (and PM me with the ID) so I can investigate your configuration further?

    Thanks!