01-10-2014 06:37 AM - edited 03-11-2019 08:28 PM
Hi All,
We have an ASA5520 firewall and all works fine. However, every now and then when we configure changes on the firewall (or sometimes enter the ASDM programme and come back out) we find that the option for 'enabling inbound VPN to bypass interface access lists' (tick box on the config/remote access page) effectively stops functioning. In order to get it working again we have to untick the box and retick it.
Has anyone else encountered this problem? I think it might be a bug in the version of ASDM we are using, but it seems to do it every now and then. Quite sure we are not accidentally unticking this.
ASDM version 6.4(9)
ASA5520 8.3(2)4
many thanks,
C.
01-10-2014 07:11 AM
Hi,
Can't say that I have ever seen this happen on any of our ASAs.
Especially when configuring the ASA through ASDM I would suggest (if not already done) enabling the Command Preview. You can do this by going to Tools -> Preferences -> Preview commands before sending them to the device.
This should show the person managing the ASDM if it's going to send some commands to the ASA that it's not supposed to.
I would also make sure that if using the VPN Wizard no one changes this setting, because it's asked there.
You can naturally update the ASDM to the latest version (without touching the actual OS version of the ASA) if you have access to the software.
- Jouni
01-10-2014 07:24 AM
Hi,
Here is one bug related to ASDM VPN Wizard use. It's very old so it probably won't apply to your situation, but it does at least show that such behaviour has been possible in the past.
Symptom:
Using the ASDM VPN wizard will silently remove previously configured "no sysopt connection permit-vpn" or "no sysopt connection permit-ipsec".
Conditions:
PIX/ASA has previously been configured for IPSec and the command "no sysopt connection permit-vpn" (7.1) or "no sysopt connection permit-ipsec" (7.0) is present in the configuration. Using the ASDM VPN wizard will silently remove the "no sysopt connection permit-vpn" or "no sysopt connection permit-ipsec".
Workaround:
Don't use the ASDM VPN wizard if the PIX/ASA has previously been configured for IPSec and the command "no sysopt connection permit-vpn" (7.1) or "no sysopt connection permit-ipsec" (7.0) is present in the configuration.
I could not find any other bugs yet that would correspond to the behaviour.
EDIT: Actually, it seems that the above bug does the opposite, enabling the Bypass rather than disabling it.
- Jouni
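The setting behind the "bypass interface access lists" tick box is the `sysopt connection permit-vpn` command (`permit-ipsec` on 7.0), and the quoted bug shows it can change without anyone ticking anything. A cheap way to catch that, in either direction, is to keep captures of `show running-config` and diff just the sysopt lines. The script below is an added example for this thread, not code from the original posts or from Cisco. It assumes captures are plain text with one command per line, and that the device behaves like ASA 7.1 and later, where the bypass is on by default and only the `no sysopt connection permit-vpn` form is written to the running configuration when it is disabled; the two captures inside it are constructed for the example.

```python
"""
Detect drift of the 'sysopt connection permit-vpn' setting between two
captures of 'show running-config' from an ASA/PIX.

Assumptions (not from the thread): plain-text captures, one command per
line, and ASA 7.1+ behaviour where the bypass is enabled by default and
only the 'no sysopt connection permit-vpn' form appears in the running
configuration when it has been disabled.  The sample captures below are
constructed for this example, not taken from a real device.
"""
import re

# Positive or 'no' form of both spellings of the command (permit-vpn on
# 7.1+, permit-ipsec on 7.0), tolerant of leading whitespace.
SYSOPT_RE = re.compile(
    r"^\s*(?P<neg>no\s+)?sysopt\s+connection\s+permit-(?P<kw>vpn|ipsec)\s*$",
    re.MULTILINE,
)


def sysopt_lines(config: str) -> list:
    """Return the normalised sysopt permit-vpn/permit-ipsec lines in a capture."""
    found = []
    for m in SYSOPT_RE.finditer(config):
        prefix = "no " if m.group("neg") else ""
        found.append(f"{prefix}sysopt connection permit-{m.group('kw')}")
    return found


def vpn_bypass_enabled(config: str) -> bool:
    """True when inbound VPN traffic bypasses the interface ACLs.

    The bypass counts as on unless an explicit 'no ...' line is present;
    an explicit positive line (as 'show running-config all' prints) also
    counts as on.
    """
    return not any(line.startswith("no ") for line in sysopt_lines(config))


def sysopt_drift(before: str, after: str) -> list:
    """Describe how the bypass setting changed between two captures.

    Returns human-readable change strings; empty when nothing relevant to
    the bypass changed.  Both directions (silently disabled, as the OP
    sees, and silently re-enabled, as the quoted bug does) are reported.
    """
    changes = []
    old, new = set(sysopt_lines(before)), set(sysopt_lines(after))
    for line in sorted(old - new):
        changes.append(f"removed: {line}")
    for line in sorted(new - old):
        changes.append(f"added: {line}")
    if vpn_bypass_enabled(before) != vpn_bypass_enabled(after):
        state = "ENABLED" if vpn_bypass_enabled(after) else "DISABLED"
        changes.append(f"VPN ACL bypass is now {state}")
    return changes


# Constructed captures: the bypass is on (no explicit line) in the first,
# and a 'no' form has appeared in the second, i.e. the OP's symptom.
BEFORE = """\
ASA Version 8.3(2)4
!
hostname asa5520
access-list outside_access_in extended deny ip any any
crypto map outside_map interface outside
"""

AFTER = """\
ASA Version 8.3(2)4
!
hostname asa5520
access-list outside_access_in extended deny ip any any
no sysopt connection permit-vpn
crypto map outside_map interface outside
"""

if __name__ == "__main__":
    for change in sysopt_drift(BEFORE, AFTER) or ["no sysopt drift"]:
        print(change)
```

Run it against a capture taken before an ASDM session and one taken after; if it reports a change that Command Preview never showed, something other than the operator changed the setting. To see the effective value spelled out rather than inferring it from the absence of a `no` line, capture `show running-config all sysopt`, which prints the defaults as well.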
01-10-2014 07:28 AM
Hi Jouni,
Thanks for your help again. Already got the command preview enabled and it didn't show anything.
I will most likely update the ASDM and ASA versions and take it from there.
many thanks again.
C.
01-10-2014 07:45 AM
Hi Jouni,
Just seen your second answer, many thanks, it at least shows that I am not going insane! We did upgrade from an old PIX and I suspect there may be some unwanted settings in there. Doing a search of the config to see if I can find some anomalies.
C.