bob325
Level 7

unable to access internet unless she uses the VPN-client // hips 8

Hi Team,

I am unable to access the network and can only access it using the VPN. The logs show that IPv6 is not allowed:

Time:  2014-02-11 14:29:09
Event:  Traffic
IP Address/User:  10.xx.xx.xx
Message:  Blocked Incoming UDP -  Source 10.xxx.xxx.xx : bootps (67)  Destination 255.255.255.255 : bootpc (68)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:29:09
Event:  Traffic
IP Address/User:  10.xx.xxxx.xx
Message:  Blocked Incoming UDP -  Source 10.xxx.xx.xxx. : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:29:13
Event:  Traffic
IP Address/User:  10.xx.xx.xx
Message:  Blocked Incoming UDP -  Source 10.xxx.xx.xxx : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:29:17
Event:  Traffic
IP Address/User:  FF00:xxxx:xxxxx:xxxx xxxxx:ccccc0:xxxx:xxx
Message:  Blocked Outgoing ICMPv6 Unknown - Source FE80:xxxxx:xxxx:xxxxxx0:xxxxx:xxxx:xxxx:0000   Destination FF02:xxxx:xxxx:xxxxxx:xxxxx:0000xx:xxxxx
Matched Rule:  Block IPv6

Time:  2014-02-11 14:29:23
Event:  Traffic
IP Address/User:  FF02:xxxx:xxxx:xxxx:xxxx:xxxxx:xxxxx:xxxx
Message:  Blocked Outgoing ICMPv6 Unknown - Source FE80:0000:xxxxx:xxxx:xxxx:xxxx:xxxx:xxxx   Destination FF02:xxxxx:0000:0000:xxxx:xxxx0:0000:xxxx
Matched Rule:  Block IPv6

Time:  2014-02-11 14:29:23
Event:  Traffic
IP Address/User:  FF02:xxx0:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
Message:  Blocked Outgoing ICMPv6 Unknown - Source FE80:xxxx:xxxxx:xxxx:xxxx:xxxx:xxxx:xxxx   Destination FF02:xxxxx:xxxxx:xxxx:xxxx:xxxxxx:xxxxx:xxx
Matched Rule:  Block IPv6

Time:  2014-02-11 14:29:23
Event:  Traffic
IP Address/User:  FF02:xxx:xxxx::xxxx:xxxx:xxxx:xxxx:xxxxx
Message:  Blocked Outgoing ICMPv6 Unknown - Source FE80:xxxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx   Destination FF02:xxxx:xxxx:xxxx:xxx0:xxxx:xxxx:xxxx
Matched Rule:  Block IPv6

Time:  2014-02-11 14:30:58
Event:  Traffic
Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xx.xx.xx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xx.xxxx   Destination 10.xxxx.xxxx.xxxx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xxxx.xx.xx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xxx.xx   Destination 10.xx.xx.xx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xx.xx.xx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xx.xx   Destination 10.xx.xx.xx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xx.xxx.xx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xxx.xx   Destination 10.xxx.xxx.xxx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xxxx.xxx.xxxx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xx.xx.x   Destination 10.xx.xxx.xx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xxx.xxx.xxx
Message:  Blocked Incoming ICMP Time Exceeded - Source 10.xx.xxxx   Destination 10.xxx.xxx.xxx
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xxx.xxx.xxx
Description:  Microsoft Lync 2010 MAPI COM Server (UcMapi)
Path:  C:\Program Files\Microsoft Lync\UcMapi.exe
Message:  Blocked Outgoing TCP -  Source 10.xxx.xx.xxx :  (56900)  Destination 10.xx.xx.xxx : epmap (135)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.xxx.xxx.xxx
Message:  Blocked Incoming UDP -  Source 10.xx.xx.xx : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  217.xxx.xxx.xxxx.
Description:  VPN Agent Service (vpnagent)
Path:  C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Message:  Blocked Outgoing TCP -  Source 10..xx.xxx.xx :  (56899)  Destination 217.xx.xx.x.xx. : http (80)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:43
Event:  Traffic
IP Address/User:  0.0.0.0
Description:  Värdprocess för Windows-tjänster (svchost)
Path:  C:\WINDOWS\System32\svchost.exe
Message:  Blocked Incoming UDP -  Source 0.0.0.0 : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:47
Event:  Traffic
IP Address/User:  0.0.0.0
Description:  Värdprocess för Windows-tjänster (svchost)
Path:  C:\WINDOWS\System32\svchost.exe
Message:  Blocked Incoming UDP -  Source 0.0.0.0 : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:31:56
Event:  Traffic
IP Address/User:  0.0.0.0
Description:  Värdprocess för Windows-tjänster (svchost)
Path:  C:\WINDOWS\System32\svchost.exe
Message:  Blocked Incoming UDP -  Source 0.0.0.0 : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Time:  2014-02-11 14:32:11
Event:  Traffic
IP Address/User:  0.0.0.0
Description:  Värdprocess för Windows-tjänster (svchost)
Path:  C:\WINDOWS\System32\svchost.exe
Message:  Blocked Incoming UDP -  Source 0.0.0.0 : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic

Thanks and regards

BOB

rothman
Level 7

Re: unable to access internet unless she uses the VPN-client // hips 8

Unless your network has actually started to use IPv6, it should be blocking that protocol.

What I noticed was this:

Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  217.xxx.xxx.xxxx.
Description:  VPN Agent Service (vpnagent)
Path:  C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Message:  Blocked Outgoing TCP -  Source 10..xx.xxx.xx :  (56899)  Destination 217.xx.xx.x.xx. : http (80)
Matched Rule:  Block All Traffic

It appears that you are missing an exception in your HIPS firewall rule(s) to allow for vpnagent.exe to communicate on port 80.  Though, based on the title of your post, this is a bit confusing because you say that your end-user is unable to access the Internet unless they use the VPN.

An easy way to figure out what rules you need to configure in your HIPS firewall rule(s) is to turn on 'Learn Mode' for both incoming and outgoing.  You will then be prompted by the firewall for either an 'Allow' or 'Block' whenever an unknown connection is attempted.  By using this feature, you can find out exactly what is blocking access to port 80/443/8080 (common http/https Internet protocols) and then add those exceptions to your firewall rule.

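The triage the reply does by eye, picking the blocked outgoing connection that names a program out of a long log, can be scripted. This is an added example, not part of either post and not the product's own tooling; the sample log is constructed in the thread's format with placeholder addresses, and `parse_entries` and `exception_candidates` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in the thread's log format; all addresses are placeholders.
SAMPLE = r"""
Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  10.0.0.9

Message:  Blocked Incoming UDP -  Source 10.0.0.9 : bootpc (68)  Destination 255.255.255.255 : bootps (67)
Matched Rule:  Block All Traffic
Time:  2014-02-11 14:31:00
Event:  Traffic
Time:  2014-02-11 14:31:00
Event:  Traffic
IP Address/User:  203.0.113.10
Description:  VPN Agent Service (vpnagent)
Path:  C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
Message:  Blocked Outgoing TCP -  Source 10.0.0.5 :  (56899)  Destination 203.0.113.10 : http (80)
Matched Rule:  Block All Traffic
Time:  2014-02-11 14:31:05
Event:  Traffic
IP Address/User:  FF02::2
Message:  Blocked Outgoing ICMPv6 Unknown - Source FE80::1   Destination FF02::2
Matched Rule:  Block IPv6
"""

MSG = re.compile(r"Blocked (Incoming|Outgoing) (\S+).*?Destination\s+(\S+)(?:\s*:\s*\S*\s*\((\d+)\))?")

def parse_entries(text):
    """Start a record at each 'Time:' line; tolerate blank lines and cut-off records."""
    entries = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Time":
            entries.append({})
        if sep and entries:
            entries[-1][key.strip()] = value.strip()
    return [e for e in entries if "Message" in e]

def exception_candidates(entries):
    """Blocked outgoing connections that name a program: (exe, protocol, dest port)."""
    hits = Counter()
    for e in entries:
        m = MSG.search(e["Message"])
        if m and m.group(1) == "Outgoing" and "Path" in e:
            exe = e["Path"].rsplit("\\", 1)[-1]
            hits[(exe, m.group(2), int(m.group(4)) if m.group(4) else None)] += 1
    return hits
```

Each key returned by `exception_candidates(parse_entries(log_text))` is a program, protocol and destination port to review against the firewall policy before deciding whether an allow rule is warranted.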