Bizarre VPN behavior with Cymphonix Web Filtering Device
We just purchased some Cymphonix web filtering devices. These devices sit in-line (as a bridge) on the way from our internal network to the inside interface of our failover pair of 5520 ASAs. The ASAs are active/passive, single context. The software rev is 8.4(2).
We run about 320 site-to-site VPNs as well as AnyConnect VPNs to our ASAs. When I brought the Cymphonix devices in-line, all appeared to be working. Traffic was flowing out to the internet from our internal network. I was seeing stats and analysis from the Cymphonix device. However, after a few minutes, almost all of our VPNs went down (both site-to-site and AnyConnect). Traffic from the internal network to the internet was still working fine. When I tried to re-establish an AnyConnect VPN using my laptop on an outside connection, it failed. The message said the ASA "rejected" the connection. I turned up some debug on the ASA and got messages that included text like "internal error". Once I cabled the inside of the ASA directly back to the switch instead of going through the Cymphonix (and rebooted the ASA, just to be safe), the VPNs came back up.
I'm scratching my head, to put it mildly. A VPN is negotiated to the ASA. The traffic involved in establishing and maintaining the VPN will never see the Cymphonix box because the ASA processes it and it goes no further. So, how can connecting something to the inside interface of the ASA cause the VPNs to crumble? I should be able to connect anything I want or nothing at all to the inside of the ASA and it shouldn't matter one bit to the health of the VPNs. Here's another twist: all of the traffic that comes out of those site-to-site VPNs is delivered to an interface other than the inside (traffic from our customers is delivered to an isolated part of our network). So the inside interface is even more "uninvolved" in those site-to-site VPNs.
Traffic from the internal network out to the internet was flowing fine. Basic functionality was fine. Since I first tried this, I've wondered if I should have used a cross-over cable, but I find that hard to accept as a problem. How could non-VPN traffic be working fine out to the internet if I needed a cross-over cable? I'm reasonably certain the interfaces on the ASA are supposed to support auto-MDIX anyway.
Anybody have an idea of where to start on this one?