Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Enable inbound VPN sessions to bypass interface access lists 'stops working'

Hi All,

We have an ASA5520 firewall all works fine. However every now and then when we configure changes on the firewall (or sometimes enter the ASDM programme and come back out) we find that the option for 'enableing inbound VPN to bypass interface access lists' (tick box on the config/remote access page) effectively stops functioning. In order to get it working again we have to untick the box and retick it.

Has anyone else encountered this problem, I think it might be a bug in the version of ASDM we are using but it seems to do it every now and then. Quite sure we are not accidentally unticking this.

ASDM version 6.4(9)

ASA5520 8.3(2)4

many thanks,

C.

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Enable inbound VPN sessions to bypass interface access lists

Hi,

Here is one bug related to ASDM VPN Wizard use. Its very old so it probably wont apply to your situation but does atleast show that such behaviour has been possible in the past


https://tools.cisco.com/bugsearch/ASDM VPN wizard silently removes 'no sysopt connection permit-vpn'

Symptom:
Using the ASDM VPN wizard will silently remove previously configured
no sysopt connection permit-vpn or no sysopt
connection permit-ipsec.


Conditions:
PIX/ASA has previously been configured for IPSec and the command no
sysopt connection permit-vpn (7.1) or no sysopt connection
permit-ipsec (7.0) is present in the configuration. Using the ASDM
VPN wizard will silently remove the no sysopt connection permit-
vpn or no sysopt connection permit-ipsec".

Workaround:
Don't use the ASDM VPN wizard if the PIX/ASA has previously been configured
for IPSec and the command no sysopt connection permit-vpn
(7.1) or no sysopt connection permit-ipsec (7.0) is
present in the configuration.

I could not find any other bugs yet that would correspond to the behaviour

EDIT: Actually seems that the above bug actually does the opposite by enabling the Bypass rather than disabling it.

- Jouni

4 REPLIES
Super Bronze

Enable inbound VPN sessions to bypass interface access lists 'st

Hi,

Can't say that I have even seen this happen on any of our ASAs.

Especially when configuring the ASA through ASDM I would suggest (if not already done) enabling the Command Preview. You can do this by going to Tools -> Preferences -> Preview commands before sending them to the device

This should show the person managing the ASDM if its going to send some commands to the ASA that its not supposed to.

I would also make sure that if using VPN Wizard that noone changes this setting because its asked there.

You can naturally update the ASDM to the latest version (without touching the actual OS version of the ASA) if you got access to the software.

- Jouni

Super Bronze

Re: Enable inbound VPN sessions to bypass interface access lists

Hi,

Here is one bug related to ASDM VPN Wizard use. Its very old so it probably wont apply to your situation but does atleast show that such behaviour has been possible in the past


https://tools.cisco.com/bugsearch/ASDM VPN wizard silently removes 'no sysopt connection permit-vpn'

Symptom:
Using the ASDM VPN wizard will silently remove previously configured
no sysopt connection permit-vpn or no sysopt
connection permit-ipsec.


Conditions:
PIX/ASA has previously been configured for IPSec and the command no
sysopt connection permit-vpn (7.1) or no sysopt connection
permit-ipsec (7.0) is present in the configuration. Using the ASDM
VPN wizard will silently remove the no sysopt connection permit-
vpn or no sysopt connection permit-ipsec".

Workaround:
Don't use the ASDM VPN wizard if the PIX/ASA has previously been configured
for IPSec and the command no sysopt connection permit-vpn
(7.1) or no sysopt connection permit-ipsec (7.0) is
present in the configuration.

I could not find any other bugs yet that would correspond to the behaviour

EDIT: Actually seems that the above bug actually does the opposite by enabling the Bypass rather than disabling it.

- Jouni

New Member

Enable inbound VPN sessions to bypass interface access lists 'st

Hi Jouni,

Thanks for your help again. Already got the command preview enabled and it didnt show anything.

I will most likely update the ASDM and ASA versions and take it from there.

many thanks again.

C.

New Member

Enable inbound VPN sessions to bypass interface access lists 'st

Hi Jouni,

Just seen you second answer, many thanks, it at least shows that I am not going insane ! We did upgrade from an old PIX and I suspect there may be some unwanted settings in there. Doing a search of the config to see if I can find some anomalies.

C.

2591
Views
0
Helpful
4
Replies
CreatePlease to create content