CISCO VPN not working after MR8?

I upgraded one of my firewalls this weekend to 17.0-MR8. The upgrade went fine. However, the Cisco VPN Client that we use for remote macOS and Apple iOS users is now not working. The firewall rule is the same before and after, and all other settings still look the same. We can connect and authenticate, but nothing is reachable via the VPN. The Authentication log shows the login, and the System log shows connections and disconnections. However, the Firewall log does not show anything, even though the firewall rule has logging turned on. I do have a few IPS log entries, but nothing that seems relevant.

  • From the client device, I cannot ping or connect to any server on the VPN. It reports that 0 bytes have been transferred, leading me to believe that it is a firewall rule issue, but that rule is still in place and should still work.

  • Hi Gary,

    Are you able to observe the firewall receiving any of this traffic (packet capture via GUI or TCPdump from CLI)?

    For troubleshooting purposes, have you tried re-installing the client application or deleting and recreating your firewall rules?

  • Flo,

    From a packet capture I can see packets with a Status of "Violation", a Reason of "Firewall" and a Rule ID of 0.

    This doesn't totally make sense to me. All I did was upgrade to MR8, and now it seems to be ignoring my FW rule.

    I have rebuilt the firewall rule with:

    ------------------------------------------------------

    Rule

    Accept any service going to "LAN" or "WAN" zones, when in "VPN" zone, and coming from "#RemoteIuser" network, scan for malware and log connections, then apply IPS policies

    Source & Schedule
    VPN
    Source Networks and Devices : #RemoteIuser
    During Scheduled Time : All the Time
    Destination & Services 
    LAN,WAN
    Destination Networks : Any
    Services : Any

    ------------------------------------------------------

    I have re-added the users to the Allowed User list for the Cisco VPN Client.

    I have gone to each User and ensured the Cisco VPN Client is Enabled.

    One thing to note: I am using AD user accounts, which I am beginning to suspect is the culprit. Otherwise, I can't really explain the FW rule violation. I did try to add "Match known users" with the list of users set up in the Cisco VPN list, but it didn't make any difference.

    Regards,

    Gary
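The capture result in the post (Status "Violation", Reason "Firewall", Rule ID 0) is the key clue: a Rule ID of 0 is what the capture reports when no configured firewall rule matched the packet at all and it fell through to the implicit default drop, as opposed to a drop by a specific rule, which would carry that rule's ID. The script below is an added illustration, not code from the post or from the firewall vendor: it models rule matching in a simplified way (source zone, source address inside a named network object, destination zone; first match wins; no match reports ID 0) and triages constructed capture lines into "no rule matched" versus "dropped/allowed by rule N". The network object, address pool, rule IDs, packet addresses and capture line format are all constructed assumptions.

```python
"""Model of why a packet capture reports 'Violation / Firewall / Rule ID 0'.

Added illustration, not the firewall's own implementation. Assumes a simplified
rule model: a packet matches a rule when its source zone, source address (within
a named network object) and destination zone all match; the first matching
rule's ID is reported; a packet that matches nothing is dropped by the implicit
default rule and reported with Rule ID 0. All objects and addresses are
constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical network object: the address pool handed to VPN clients.
NETWORK_OBJECTS = {"#RemoteUser": [ipaddress.ip_network("10.81.234.0/24")]}


@dataclass
class Rule:
    rule_id: int
    src_zones: set
    src_networks: set  # names of network objects, or "Any"
    dst_zones: set
    action: str        # "Accept" or "Drop"


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str


# Hypothetical rule mirroring the one in the post: VPN -> LAN/WAN from #RemoteUser.
RULES = [Rule(12, {"VPN"}, {"#RemoteUser"}, {"LAN", "WAN"}, "Accept")]


def in_network_object(ip, names):
    """True if ip lies inside any of the named network objects (or 'Any')."""
    if "Any" in names:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in names for net in NETWORK_OBJECTS.get(name, []))


def evaluate(packet, rules=RULES):
    """Return (status, reason, rule_id) as the capture would report it."""
    for rule in rules:
        if (packet.src_zone in rule.src_zones
                and packet.dst_zone in rule.dst_zones
                and in_network_object(packet.src_ip, rule.src_networks)):
            status = "Allowed" if rule.action == "Accept" else "Violation"
            return (status, "Firewall", rule.rule_id)
    # Nothing matched: implicit default drop, reported with Rule ID 0.
    return ("Violation", "Firewall", 0)


# Constructed flat-text rendering of capture rows (assumed format, not the GUI's).
CAPTURE_RE = re.compile(r"Status:\s*(\w+).*?Reason:\s*(\w+).*?Rule ID:\s*(\d+)")

SAMPLE_CAPTURE = [
    "src 10.81.234.5 dst 192.168.1.10 proto ICMP Status: Violation Reason: Firewall Rule ID: 0",
    "src 192.168.1.20 dst 8.8.8.8 proto UDP Status: Violation Reason: Firewall Rule ID: 7",
    "src 10.81.234.5 dst 192.168.1.10 proto TCP Status: Allowed Reason: Firewall Rule ID: 12",
]


def classify_capture(line):
    """Explain one capture line: default drop, rule drop, or rule accept."""
    m = CAPTURE_RE.search(line)
    if not m:
        return "unparsed"
    status, reason, rule_id = m.group(1), m.group(2), int(m.group(3))
    if status == "Violation" and reason == "Firewall" and rule_id == 0:
        return "no rule matched (default drop)"
    if status == "Violation":
        return f"dropped by rule {rule_id}"
    return f"allowed by rule {rule_id}"


def triage(lines):
    return [classify_capture(line) for line in lines]


if __name__ == "__main__":
    # A client inside the pool matches rule 12; one outside the pool, or arriving
    # in the wrong zone, matches nothing and is reported as Rule ID 0.
    print(evaluate(Packet("VPN", "10.81.234.5", "LAN")))
    print(evaluate(Packet("VPN", "10.81.235.5", "LAN")))
    print(evaluate(Packet("LAN", "10.81.234.5", "LAN")))
    for line, verdict in zip(SAMPLE_CAPTURE, triage(SAMPLE_CAPTURE)):
        print(verdict, "<-", line)
```

In this model the only ways to get Rule ID 0 are a source zone, source address or destination zone that no rule covers, so the practical check when a capture shows it is to compare the address the VPN client actually received, and the zone the capture shows it arriving in, against the rule's source network object and source zone rather than re-creating the rule with the same contents.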

