easyvpn broken in 8.3

dion.radford
Level 1

I've been testing easyvpn on an ASA 5505 and noticed that when using 8.3 the easyvpn client doesn't work in the following configuration:

1) outside interface is a DHCP client

2) VPN is configured to tunnel-all

The problem is that the outside interface DHCP renewal packets are being tunnelled instead of forwarded onto the local LAN. I see the DHCP packets being denied at the other end of the tunnel.

In version 8.2 this didn't happen because the vpnclient automatically creates a rule to deny DHCP traffic on the VPN.

access-list _vpnc_acl extended deny udp host 192.168.2.16 eq bootpc any eq bootps

In version 8.3 the firewall automatically creates a rule as well, but it screws it up:

access-list _vpnc_acl extended deny udp host 192.168.2.16 eq bootpc 0.0.0.0 96.80.178.199 eq bootps

Note that the IP address 96.80.178.199 is not an IP address at this site. As far as I can tell it is random, and this one is registered to Comcast IP Services. Other IPs I've seen are 80.104.178.199 and 128.101.178.199.

I can't raise a TAC case for it but hopefully someone will one day.
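To make the difference between the two auto-generated rules concrete, here is an added Python example (not part of the original post or of any Cisco tool) that parses the two `_vpnc_acl` lines quoted above and checks whether a unicast DHCP renewal from the outside interface would be excluded from the tunnel. The DHCP server address is a constructed sample, and the malformed `0.0.0.0 96.80.178.199` term is matched as a plain network/mask pair, which is an assumption about how such an entry would be evaluated.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: ASA extended ACE of the form "deny udp <src> eq bootpc <dst> eq bootps",
# where an address term is "any", "host A.B.C.D" or "A.B.C.D MASK" (network, subnet mask).
ADDR_TERM = r"(any|host \S+|\S+ \S+)"
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) udp "
    rf"(?P<src>{ADDR_TERM}) eq bootpc (?P<dst>{ADDR_TERM}) eq bootps$"
)


@dataclass
class DhcpAce:
    name: str
    action: str
    src: str
    dst: str


def parse_dhcp_ace(line):
    """Return the DHCP-related ACE on this line, or None if it is something else."""
    m = ACE_RE.match(line.strip())
    return DhcpAce(m["name"], m["action"], m["src"], m["dst"]) if m else None


def addr_matches(term, ip):
    """Does an ACL address term cover this IP? A network/mask term is matched as
    ip & mask == net & mask (assumption for the malformed 8.3 entry)."""
    addr = int(ipaddress.IPv4Address(ip))
    if term == "any":
        return True
    if term.startswith("host "):
        return addr == int(ipaddress.IPv4Address(term.split()[1]))
    net, mask = (int(ipaddress.IPv4Address(x)) for x in term.split())
    return addr & mask == net & mask


def dhcp_renewal_excluded(acl_line, client_ip, server_ip):
    """True when the ACE denies (keeps out of the tunnel) a unicast DHCP renewal
    sent from client_ip:68 to server_ip:67."""
    ace = parse_dhcp_ace(acl_line)
    if ace is None or ace.action != "deny":
        return False
    return addr_matches(ace.src, client_ip) and addr_matches(ace.dst, server_ip)


def audit_vpnc_acl(acl_lines):
    """Flag DHCP-exclusion ACEs whose destination is not 'any' (the 8.3 symptom)."""
    return [f"{a.name}: DHCP exclusion has unexpected destination '{a.dst}'"
            for a in map(parse_dhcp_ace, acl_lines)
            if a and a.action == "deny" and a.dst != "any"]
```

Running `audit_vpnc_acl` over the output of `show access-list _vpnc_acl` flags the broken entry, and `dhcp_renewal_excluded` shows that only the 8.2 form keeps the renewal off the tunnel.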


Vikas Saxena
Cisco Employee

Hello Dion,

Thanks for reporting it in. I will test it out in some free time and will report back.

Hi,

Have you had a chance to confirm the problem? Is there a Cisco bug reference?


Thanks