Solved: Enable inbound VPN sessions to bypass interface access lists 'st

Chris McCann · ‎01-10-2014

Hi All,

We have an ASA5520 firewall all works fine. However every now and then when we configure changes on the firewall (or sometimes enter the ASDM programme and come back out) we find that the option for 'enableing inbound VPN to bypass interface access lists' (tick box on the config/remote access page) effectively stops functioning. In order to get it working again we have to untick the box and retick it.

Has anyone else encountered this problem, I think it might be a bug in the version of ASDM we are using but it seems to do it every now and then. Quite sure we are not accidentally unticking this.

ASDM version 6.4(9)

ASA5520 8.3(2)4

many thanks,

C.

Jouni Forss · ‎01-10-2014

Hi,

Here is one bug related to ASDM VPN Wizard use. Its very old so it probably wont apply to your situation but does atleast show that such behaviour has been possible in the past

https://tools.cisco.com/bugsearch/ASDM VPN wizard silently removes 'no sysopt connection permit-vpn'

CSCsd81155

Symptom:
Using the ASDM VPN wizard will silently remove previously configured
no sysopt connection permit-vpn or no sysopt
connection permit-ipsec.

Conditions:
PIX/ASA has previously been configured for IPSec and the command no
sysopt connection permit-vpn (7.1) or no sysopt connection
permit-ipsec (7.0) is present in the configuration. Using the ASDM
VPN wizard will silently remove the no sysopt connection permit-
vpn or no sysopt connection permit-ipsec".

Workaround:
Don't use the ASDM VPN wizard if the PIX/ASA has previously been configured
for IPSec and the command no sysopt connection permit-vpn
(7.1) or no sysopt connection permit-ipsec (7.0) is
present in the configuration.

I could not find any other bugs yet that would correspond to the behaviour

EDIT: Actually seems that the above bug actually does the opposite by enabling the Bypass rather than disabling it.

- Jouni

View solution in original post

Jouni Forss · ‎01-10-2014

Hi,

Can't say that I have even seen this happen on any of our ASAs.

Especially when configuring the ASA through ASDM I would suggest (if not already done) enabling the Command Preview. You can do this by going to Tools -> Preferences -> Preview commands before sending them to the device

This should show the person managing the ASDM if its going to send some commands to the ASA that its not supposed to.

I would also make sure that if using VPN Wizard that noone changes this setting because its asked there.

You can naturally update the ASDM to the latest version (without touching the actual OS version of the ASA) if you got access to the software.

- Jouni

Jouni Forss · ‎01-10-2014

Hi,

Here is one bug related to ASDM VPN Wizard use. Its very old so it probably wont apply to your situation but does atleast show that such behaviour has been possible in the past

https://tools.cisco.com/bugsearch/ASDM VPN wizard silently removes 'no sysopt connection permit-vpn'

CSCsd81155

Symptom:
Using the ASDM VPN wizard will silently remove previously configured
no sysopt connection permit-vpn or no sysopt
connection permit-ipsec.

Conditions:
PIX/ASA has previously been configured for IPSec and the command no
sysopt connection permit-vpn (7.1) or no sysopt connection
permit-ipsec (7.0) is present in the configuration. Using the ASDM
VPN wizard will silently remove the no sysopt connection permit-
vpn or no sysopt connection permit-ipsec".

Workaround:
Don't use the ASDM VPN wizard if the PIX/ASA has previously been configured
for IPSec and the command no sysopt connection permit-vpn
(7.1) or no sysopt connection permit-ipsec (7.0) is
present in the configuration.

I could not find any other bugs yet that would correspond to the behaviour

EDIT: Actually seems that the above bug actually does the opposite by enabling the Bypass rather than disabling it.

- Jouni

Chris McCann · ‎01-10-2014

Hi Jouni,

Thanks for your help again. Already got the command preview enabled and it didnt show anything.

I will most likely update the ASDM and ASA versions and take it from there.

many thanks again.

C.

Chris McCann · ‎01-10-2014

Hi Jouni,

Just seen you second answer, many thanks, it at least shows that I am not going insane ! We did upgrade from an old PIX and I suspect there may be some unwanted settings in there. Doing a search of the config to see if I can find some anomalies.

C.

Enable inbound VPN sessions to bypass interface access lists 'stops working'