This document describes an issue in which the firewall intermittently blocks VPN traffic that is permitted by the VPN filter.
What are VPN filters?
A VPN filter lets you permit or deny post-decrypted traffic after it exits the tunnel and pre-encrypted traffic before it enters the tunnel. An ACL applied to an interface defines whether traffic is permitted or denied as it enters or exits that interface.
Because a VPN filter applies to bi-directional traffic and to all interfaces, the source and destination fields of the ACL definition are not applicable in the usual interface sense; instead, the IP and port fields of the ACL must be permitted or denied for the local and remote subnets.
This issue is caused by Cisco bug ID CSCsg60095.
With this bug, traffic that is permitted by the VPN filter access control list (ACL) is sometimes denied over the VPN, even though the bytes sent and received still increase and the tunnel remains up.
This issue was first found in PIX/ASA software version 7.2(1.21).
The workaround is to disable the VPN filter, which permits all traffic over the tunnel.
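As an added example (not from this document or from Cisco), the following ASA configuration shows a VPN filter applied to a site-to-site tunnel, the show commands that confirm the symptom described above, and the workaround of disabling the filter. The ACL name, group-policy name, peer address and subnets are constructed values; the ACL follows Cisco's documented convention that the source side is the remote subnet and the destination side is the local subnet, with the ASA then applying the filter in both directions.

```cisco
! Constructed topology: local LAN 10.10.0.0/24 behind this ASA, remote LAN 192.168.20.0/24 behind peer 203.0.113.2
! Permit only HTTPS and ICMP between the two subnets; everything else is dropped by the implicit deny
access-list VPN-FILTER extended permit tcp 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0 eq 443
access-list VPN-FILTER extended permit icmp 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0

! Attach the filter to the group policy used by the site-to-site tunnel
group-policy L2L-GP internal
group-policy L2L-GP attributes
 vpn-filter value VPN-FILTER

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy L2L-GP

! --- Checks to run (exec mode) when permitted traffic is intermittently dropped ---
! show crypto ipsec sa            -> #pkts encaps/decaps keep rising although the flow is denied
! show vpn-sessiondb detail l2l   -> session stays up and Bytes Tx/Rx continue to increase
! show access-list VPN-FILTER     -> hitcnt on the permit lines shows whether the filter matched
! show version                    -> compare the running release with the affected and fixed versions in this note

! --- Workaround: set no filter on the group policy (all tunnel traffic is then permitted) ---
group-policy L2L-GP attributes
 vpn-filter none
```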
In order to resolve this issue completely, upgrade or downgrade the PIX/ASA to one of these versions:
7.2(2.7) and later
Refer to Cisco Downloads in order to download the suggested PIX/ASA software versions.