asa/pix vpn-filter clarification needed

Answered Question
Mar 11th, 2007


At the moment I have some vpn-filters applied to remote access VPN groups defined and everything works as expected (sysopt connection permit-vpn is enabled).

Now I need to setup a few L2L tunnels and I want to restrict traffic beyond the crypto-acl level. I think I have 2 options here

1. Disable sysopt connection permit-vpn and define ACEs on the outside ACL for all my RA and L2L tunnels (not preferred by me)

2. Simply use vpn-filter for L2L tunnels too

Is option 2 possible? As far as my IPSec experience goes I think that this is a remote-access VPN option only, but the documentation is very vague about that.

Thanks in advance!
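The two options from the question side by side, as an added ASA configuration example that is not part of the original thread; the network addresses, peer address, ACL and group-policy names and the TCP port are assumed placeholders:

```cisco
! --- Option 2: vpn-filter on an L2L tunnel (sysopt connection permit-vpn stays enabled) ---
! vpn-filter ACLs are written from the remote side's point of view: source = remote
! (peer) network, destination = local network. The ASA applies the filter in both
! directions, so one ACE covers the return traffic of that session as well.
access-list L2L-SITEB-FILTER extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443
access-list L2L-SITEB-FILTER extended deny ip any any log
!
! The filter is attached to a group-policy, and the group-policy to the L2L tunnel-group.
group-policy L2L-SITEB-GP internal
group-policy L2L-SITEB-GP attributes
 vpn-filter value L2L-SITEB-FILTER
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-SITEB-GP
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <PLACEHOLDER-PSK>
!
! --- Option 1: no sysopt permit, filter decrypted traffic on the interface ACL ---
! With sysopt disabled, decrypted VPN traffic is evaluated against the inbound ACL of
! the interface the tunnel terminates on, alongside the IKE/ESP traffic itself.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

The crypto ACL still decides what is encrypted; either filter only narrows what is allowed inside the tunnel, so keep the "deny ... log" entries to see what gets dropped when a tunnel suddenly passes no traffic.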


Correct Answer by kaachary about 9 years 11 months ago

That's a known bug CSCsg60095 and is said to be resolved in version .


kaachary Sun, 03/11/2007 - 17:01

VPN filters work for L2L, you can go ahead and implement this.


acomiskey Mon, 03/12/2007 - 07:09

Unless of course you want a stable tunnel, check the Cisco bug toolkit for vpn-filter bugs. If anyone knows a stable release for ASA and vpn-filter, please let me know. I have tried several releases with no luck, they work for a random amount of time, then begin to block ALL traffic on the tunnel. Even tried a TAC engineering release which was actually worse. I resorted to the "no sysopt connection permit-ipsec" method with filtering on interface ACLs. A little uglier, but stable.

jeremyarcher Tue, 04/03/2007 - 09:02

"then begin to block ALL traffic on the tunnel"

I'm having this issue with my RA tunnels. Did you ever get this working while using sysopt connection permit-ipsec? I'm running a TAC engineering release as well - 7.2(1))25.



nnw11903 Tue, 04/03/2007 - 09:45


For RA VPNs, the vpn-filter works flawlessly for me with "sysopt connection permit-vpn" enabled. Software release is 7.2(2).

I didn't have the time to test it with L2L tunnels yet, but I'm going to implement this with caution after I read the post from acomiskey.

acomiskey Tue, 04/03/2007 - 18:06

Don't let my experience sway you from this. This was occurring for me on L2L tunnels which were up for several hours before the failures occurred, that may be why you aren't seeing it on your RA VPNs. If it works flawlessly for you then go with it. I was given an engineering release which was supposed to fix it but actually made it worse.

acomiskey Tue, 04/03/2007 - 18:09


Before we compare your issue to mine, are you able to get the tunnel up at all, or is the tunnel up and then blocks traffic randomly?

And no, I never got it working :(

I just went back and found an email from a Cisco guy here on the forums, but I never tried this; as I have it all working with interface ACLs, it's hard to go back and try the filter.

"Either 7.1(2.47) or 7.2(2.15) will contain the fix you need, so I'd upgrade to whichever train you're currently running (7.1 or 7.2)."

jeremyarcher Tue, 04/03/2007 - 19:29

Yes, I am able to get the tunnel up just fine. Actually, I had the "blocks traffic randomly" problem earlier as well too. However, that was fixed in a previous upgrade.

Now, I am able to get the tunnel up but whenever there is a vpn-filter applied to the group policy (regardless of the ACL) it blocks everything.

The upgrade to 7.2.2 did not fix it.

