c8822131
Level 7

HIPS 8 blocking Cisco VPN Client 5.0.x.x

Hi all,

I'm probably overlooking something incredibly obvious and I'm new to Firewall Policy management!

I've applied a policy to allow connectivity for endpoints connected to the corporate domain with a rule to allow VPN connectivity.

I've also applied a LAG to ensure only machines that have IP addresses with the corporate domain's DNS Suffix have this rule applied and to "push" any endpoints that have external connections to an "external use" locked down policy.

The issue I have is when the LAG is applied to the policy the VPN connectivity drops out after 4-10 minutes.  If the LAG is removed then VPN connectivity will stabilise.

The LAG is configured as follows:

Description: Internal
Direction: Either
Status: Enabled

Location Name: Our Corporate Domain Name.
DNS Suffix Address: Our Corporate Domain Name.

Location status and connection isolation are enabled.

Network Protocol: Any Protocol.
Media Types: Wired, Wireless and Virtual all selected.

When the dropouts occur the HIPS firewall log shows this LAG rule blocking the VPN client:

Event: Traffic

IP Address: (VPN concentrator IP)

Application: Cisco Systems VPN Client (CVPND)

Message: Blocked Outgoing UDP - Source 192.168.0.3:(4396) Destination (VPN Concentrator IP) : (4500)

Matched Rule: Internal

If anyone out there has experienced similar issues or can see anything I've omitted please let me know, this is driving me nuts!

Thanks in advance,

Mike


0 Kudos
5 Replies
McAfee Employee

Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

Connection Isolation is causing this.  When this option is enabled, only the network adapter(s) that match the LAG will be applied to the firewall rules AT and BELOW the LAG group itself.  You may need to allow this traffic before the LAG (with Connection Isolation) is processed, which means the firewall rule goes ABOVE the LAG group.

0 Kudos
c8822131
Level 7

Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

Hi Kary,

Thanks for getting back to me and apologies for not replying sooner.

I've raised an SR following on from your advice above.

The rule is configured to allow VPN traffic through the VPN rule before it hits the CAG/LAG.

One thing of note is that when the block is being reported in the HIPS activity log it shows the source IP as being the IP of the NIC on the machine rather than the IP granted to the VPN adapter.

This means (I think it does!) because we've configured the group to allow traffic from any source with the corporate network's DNS suffix applied, the source IP doesn't match the group rule (e.g. Home Router IP 192.168.0.x) therefore a block is implemented.

The search for a solution continues......

0 Kudos
McAfee Employee

Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

One thing of note is that when the block is being reported in the HIPS activity log it shows the source IP as being the IP of the NIC on the machine rather than the IP granted to the VPN adapter.

This means (I think it does!) because we've configured the group to allow traffic from any source with the corporate network's DNS suffix applied, the source IP doesn't match the group rule (e.g. Home Router IP 192.168.0.x) therefore a block is implemented.

That's probably it.  If the CAG is configured to match the VPN network adapter and its IP address information, and network traffic is trying to go out on another non-CAG-matching network adapter, then Connection Isolation will block it (by design).  To allow this traffic, you would have to have a rule above the CAG to get processed before the CAG does.

0 Kudos
c8822131
Level 7

Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

Hi Kary,

Okay, things have been running smoothly for a while but in the last few weeks an issue has been raised that has been somewhat perplexing.

I have approx 10 customers all using HIPS 8, all with an active Firewall Policy, that can establish a VPN tunnel using an old version of Cisco VPN Client 5.0.01.0600

BUT

They can't use any apps despite the VPN client connecting.

I'm convinced this isn't a HIPS issue because I have approx 700 endpoints with the same config and during my testing I'm unable to reproduce the symptoms using the same hardware, OS, VPN client and HIPS client with the same NIPS, HIPS and Firewall policies.

Here's what my policy is doing as far as VPN is concerned (this sits above the CAG to help get the traffic through the Firewall):

VPN Rule

VPN
Direction: Either
Media: Virtual
Protocol: Any
Remote Networks: 193.32.82.12, 193.38.82.2, 212.250.5.100, 62.253.172.101

Allow IPsec ESP
Action: Allow
Direction: Either
Media: All types
Protocol: IPSEC ESP/IPv4, IPSEC ESP/IPv6

Allow IKE
Action: Allow
Direction: In
Media: All types
Protocol: UDP/IPv4, UDP/IPv6
Local Service: 500

Allow GRE
Action: Allow
Direction: Either
Media: All types
Protocol: GRE/IPv4, GRE/IPv6

Allow IKE Outbound
Action: Allow
Direction: Out
Media: All types
Protocol: UDP/IPv4, UDP/IPv6
Remote Service: 500

Is there any reason why this rule set (regardless of the CAG being enabled / disabled) would allow the tunnel to be created but not allow any traffic to pass through?

0 Kudos
McAfee Employee

Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

Is there any reason why this rule set (regardless of the CAG being enabled / disabled) would allow the tunnel to be created but not allow any traffic to pass through?

These Firewall rules allow the VPN tunnel to be built.  You may not have created any Firewall rules to allow applications through the Firewall while it is on VPN.  It isn't automatic.

0 Kudos
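The two behaviours explained in this thread (a Connection Isolation group blocking tunnel traffic that leaves on the non-matching physical NIC unless the VPN rules sit above the group, and tunnel-building rules alone not passing application traffic) can be reproduced with a small rule-order model. This is an added example, not McAfee's code or the poster's policy; the rule and packet fields, the "Allow NAT-T" UDP 4500 rule, the DNS suffixes "corp.example" / "home.lan" and the assumption that the VPN adapter carries the corporate suffix are all constructed for illustration.

```python
# Added example, not from the thread: toy model of an ordered HIPS 8 firewall policy
# with a location-aware group using Connection Isolation (fields are simplifications).
from collections import namedtuple
from dataclasses import dataclass
# adapter: "Wired" (physical NIC) or "Virtual" (VPN adapter); dns_suffix: that adapter's suffix
Pkt = namedtuple("Pkt", "adapter dns_suffix proto port")
# Group with a DNS-suffix location criterion; isolation=True means Connection Isolation is on
Group = namedtuple("Group", "name dns_suffix rules isolation")

@dataclass
class Rule:
    name: str
    proto: str = "Any"
    port: int = 0          # remote port, 0 = any
    media: str = "All"
    def matches(self, p: Pkt) -> bool:
        return (self.proto in ("Any", p.proto) and self.port in (0, p.port)
                and self.media in ("All", p.adapter))

def evaluate(policy: list, p: Pkt) -> tuple:
    """Walk the policy top to bottom; first match wins. Returns (action, rule name)."""
    for item in policy:
        if isinstance(item, Rule):
            if item.matches(p):
                return ("Allow", item.name)
        elif p.dns_suffix == item.dns_suffix:       # adapter is inside the location
            for r in item.rules:
                if r.matches(p):
                    return ("Allow", r.name)
        elif item.isolation:
            # Connection Isolation: an adapter outside the location is blocked by the
            # group itself, which is the "Matched Rule: Internal" seen in the HIPS log.
            return ("Blocked", item.name)
    return ("Blocked", "implicit deny")

# Tunnel-building rules as in the thread; "Allow NAT-T" (UDP 4500) is an assumed addition.
TUNNEL = [Rule("Allow IKE Outbound", "UDP", 500), Rule("Allow NAT-T", "UDP", 4500),
          Rule("Allow IPsec ESP", "ESP")]
INTERNAL = Group("Internal", "corp.example", [Rule("Allow corp apps", "TCP")], True)

def vpn_setup(tunnel_rules_above_group: bool) -> tuple:
    """Constructed from the log line: NAT-T from the home NIC to the concentrator."""
    p = Pkt("Wired", "home.lan", "UDP", 4500)
    policy = TUNNEL + [INTERNAL] if tunnel_rules_above_group else [INTERNAL] + TUNNEL
    return evaluate(policy, p)

def app_over_tunnel(app_rule_present: bool) -> tuple:
    """Application traffic on the VPN adapter (assumed to carry the corporate suffix)."""
    p = Pkt("Virtual", "corp.example", "TCP", 443)
    return evaluate(TUNNEL + ([INTERNAL] if app_rule_present else []), p)
```

With the tunnel rules below the group the model returns the same "Blocked / Internal" verdict the poster saw in the activity log, and with only tunnel rules present the application packet falls through to the implicit deny, matching the final reply.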