2000 Views 10 Replies Latest reply: Oct 1, 2013 8:07 PM by nperez91
al.johnson Newcomer 22 posts since
Dec 16, 2010

Apr 25, 2013 2:21 PM

Cisco AnyConnect VPN client through WGA via WCCP

Anyone have any experience with the Cisco AnyConnect SSLVPN client through a WGA in a WCCP (transparent proxy) environment?

For our guest network we use WCCP from the WGA to the routers to have http/s traffic (ports 80/443) sent to the WGA.  All the other traffic goes directly to the Internet.


This seems to be causing problems with some visitors trying to use the Cisco AnyConnect client to set up an SSLVPN connection back to their home company.  If we put the client on a network that does not have the WGA in path, it works fine.


Looking through a packet capture taken on the WGA shows what appears to be a double SSL handshake.  Although the destination IP of the first handshake is the destination server, I suspect that this is actually being done by the WGA.

The second handshake is between the WGA external interface and the destination server.

  • btlyric Apprentice 184 posts since
    Aug 1, 2012
    1. Apr 25, 2013 11:28 PM (in response to al.johnson)
    Re: Cisco AnyConnect VPN client through WGA via WCCP

    Many SSL VPN solutions, destinations which use client certificate authentication, applications which tunnel non-HTTP traffic via SSL and applications which require a non-intercepted connection cannot be sent through the SSL Scanner. In those cases, you need to put a bypass rule into place.


    Something like: URL.Destination.IP equals 1.2.3.4, Action = Stop Cycle in your rule set before you enter the SSL Scanner rule set.

  • Jon Scholten McAfee SME 856 posts since
    Nov 3, 2009
    3. Apr 29, 2013 3:40 PM (in response to al.johnson)
    Re: Cisco AnyConnect VPN client through WGA via WCCP

    Hi Al,


    What btlyric suggested is still a viable test to see if it is filtering related or not. Alternatively you could try a bypass rule in the MWG rules for the client IP (of the VPN device in your network).


    If this works then it indicates a policy rule that could be blocking something for one reason or another. If it does not work, then I would wonder what a packet capture looks like (don't post it here).


    Shot in the dark, but could the VPN be adding to the packet size and possibly causing it to be too big to pass over WCCP?


    I have seen WCCP headers added to the TCP packet which were then dropped by the cisco device. This caused the packet size to be over 1500 in some cases.


    If you are seeing a handshake I would doubt this is the case because that means packets are getting through.


    Best,

    Jon

  • cscoup8 Newcomer 34 posts since
    Nov 13, 2012
    4. Apr 30, 2013 10:12 PM (in response to al.johnson)
    Re: Cisco AnyConnect VPN client through WGA via WCCP

    We're not using SSL Scanner due to concerns about breaking PII and HIPAA content.  About all we do is check category of requests, reputation of site, and scan for malware.


    You may already know this, but I thought it was worth clarifying that if you aren't enabling the SSL Scanner you won't be able to detect any malware that's downloaded from sites that are using https.  This opens a pretty big hole for malicious file attachments on webmail sites (if you permit access to these) that are often downloaded over https.

  • btlyric Apprentice 184 posts since
    Aug 1, 2012

    Some troubleshooting suggestions:


    - put in a rule at the top of the rule set that does a Stop Cycle for the specific destination port 443 that's being problematic and test

    - put in a rule at the top of the rule set that does a Stop Cycle for traffic to destination port 443 from your guest network and test
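To make the ordering point behind btlyric's two suggestions concrete (the `URL.Destination.IP ... Stop Cycle` rule earlier in the thread and the two troubleshooting rules just above), here is an added toy model of an ordered gateway policy. It is example code written for this thread, not McAfee Web Gateway's rule engine; the addresses, the `Flow`/`Rule`/`RuleSet` names and the way the SSL Scanner set is modelled are all assumptions made for the illustration.

```python
"""Toy model of an ordered web-gateway policy, constructed for this thread.
It is not McAfee Web Gateway's rule engine; it only reproduces the ordering
rule the thread relies on: a 'Stop Cycle' action ends processing for the flow,
so a bypass rule only prevents TLS interception if it is evaluated before the
SSL Scanner rule set."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

# Constructed placeholder addresses (RFC 5737 / RFC 1918 space), not real hosts.
VPN_HEADEND = "192.0.2.10"               # visitor's home-company VPN appliance
GUEST_NET = ip_network("10.99.0.0/16")   # the guest network behind WCCP


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    name: str
    matches: Callable[[Flow], bool]
    action: str  # "stop_cycle" ends processing; "continue" falls through


@dataclass
class RuleSet:
    name: str
    rules: List[Rule] = field(default_factory=list)
    intercepts_tls: bool = False  # True only for the SSL Scanner rule set


def evaluate(policy: List[RuleSet], flow: Flow) -> Dict[str, Optional[object]]:
    """Walk rule sets top to bottom. Reaching the SSL Scanner set with a
    TCP/443 flow turns interception on; a matching stop_cycle rule returns
    immediately with whatever state has been reached so far."""
    intercepted = False
    for rs in policy:
        if rs.intercepts_tls and flow.dst_port == 443:
            intercepted = True
        for rule in rs.rules:
            if rule.matches(flow):
                if rule.action == "stop_cycle":
                    return {"intercepted": intercepted,
                            "stopped_by": f"{rs.name}/{rule.name}"}
    return {"intercepted": intercepted, "stopped_by": None}


# btlyric's two bypass variants, modelled as stop_cycle rules.
def bypass_by_dest_ip(dest: str) -> Rule:
    return Rule(f"bypass {dest}", lambda f: f.dst_ip == dest, "stop_cycle")


def bypass_guest_tcp443() -> Rule:
    return Rule("bypass guest tcp/443",
                lambda f: ip_address(f.src_ip) in GUEST_NET and f.dst_port == 443,
                "stop_cycle")


SSL_SCANNER = RuleSet("SSL Scanner",
                      [Rule("inspect https", lambda f: f.dst_port == 443, "continue")],
                      intercepts_tls=True)


def build_policy(bypass: Rule, bypass_first: bool) -> List[RuleSet]:
    """Place the bypass rule set either before or after the SSL Scanner set."""
    bypass_set = RuleSet("Bypass", [bypass])
    return [bypass_set, SSL_SCANNER] if bypass_first else [SSL_SCANNER, bypass_set]


def intercepted(flow: Flow, bypass: Rule, bypass_first: bool) -> bool:
    """True if the flow would still be TLS-intercepted under this policy."""
    return bool(evaluate(build_policy(bypass, bypass_first), flow)["intercepted"])


if __name__ == "__main__":
    vpn = Flow("10.99.4.20", VPN_HEADEND, 443)    # guest laptop -> home VPN
    web = Flow("10.99.4.20", "203.0.113.5", 443)  # ordinary HTTPS browsing
    for first in (True, False):
        print("bypass before SSL Scanner" if first else "bypass after SSL Scanner",
              "-> VPN intercepted:", intercepted(vpn, bypass_by_dest_ip(VPN_HEADEND), first),
              "| web intercepted:", intercepted(web, bypass_by_dest_ip(VPN_HEADEND), first))
```

Run as a script it prints the two orderings side by side: with the bypass set first, the VPN flow is never intercepted while ordinary HTTPS still is; with the bypass set placed after the SSL Scanner set, the Stop Cycle fires too late and the VPN flow has already been intercepted. The destination-IP variant exempts one headend; the guest-subnet variant exempts all TCP/443 from the guest network, which is the broader test in the second bullet above.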

  • cscoup8 Newcomer 34 posts since
    Nov 13, 2012

    You stated that the VPN connection works if it is made on a network for which WGA is not in the path.  Are there any differences in egress filtering on your firewall whether it is through allowed ports or protocol compliance inspection, for your network that has WGA versus the one that doesn't?


    The Cisco AnyConnect client (and destination VPN appliance) can be configured to use either SSL/TLS or IPsec for the VPN tunnel.  For SSL it can be configured to use DTLS which is UDP on port 443 instead of TCP.  You stated that you are using WCCP from the WGA to the routers to have http/s traffic (ports 80/443) sent to the WGA.  Is it possible that you are routing port 443 for both TCP and UDP instead of just TCP?  What's the error message that the Cisco AnyConnect client is producing?


    It's possible that they are running their VPN service on non-standard ports.  What does the network packet capture show?  If for testing you completely whitelist that client IP address in web gateway (stop cycle for all) can they connect or does it still fail?
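cscoup8's question about whether UDP/443 is being redirected along with TCP/443 can be checked against the router's redirect list. The following is an added example, not vendor code and not part of the thread: a small evaluator for a Cisco-style WCCP redirect list (an extended ACL where `permit` means "send to the gateway" and `deny` means "forward normally"). The addresses, the `Flow`/`Ace` names and the three sample lists are constructed assumptions.

```python
"""Constructed model of a Cisco-style WCCP redirect list (an extended ACL the
router consults to decide which flows go to the web gateway). Written for
this thread; not vendor code. It shows why redirecting UDP/443 as well as
TCP/443 drags AnyConnect's DTLS channel into the proxy, and how a deny
entry at the top of the list excludes the VPN headend from redirection."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed placeholder addresses, not real hosts.
GUEST_NET = "10.99.0.0/16"     # guest network whose traffic is redirected
VPN_HEADEND = "192.0.2.10"     # visitor's home-company VPN appliance


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry. In a WCCP redirect list 'permit' means
    'redirect to the gateway' and 'deny' means 'forward normally'."""
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any)
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dst_port: Optional[int]     # None = any destination port

    def matches(self, flow: Flow) -> bool:
        return ((self.proto == "ip" or self.proto == flow.proto)
                and ip_address(flow.src_ip) in ip_network(self.src)
                and ip_address(flow.dst_ip) in ip_network(self.dst)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def is_redirected(acl: List[Ace], flow: Flow) -> bool:
    """First matching entry wins; the implicit deny at the end means
    anything unmatched is forwarded directly to the Internet."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


# Redirect list that matches the thread's stated intent: TCP 80/443 only.
INTENDED = [
    Ace("permit", "tcp", GUEST_NET, "0.0.0.0/0", 80),
    Ace("permit", "tcp", GUEST_NET, "0.0.0.0/0", 443),
]

# Over-broad variant cscoup8 asks about: UDP/443 is redirected too, so the
# AnyConnect DTLS data channel is handed to a web proxy that only serves TCP.
OVERBROAD = INTENDED + [Ace("permit", "udp", GUEST_NET, "0.0.0.0/0", 443)]

# Router-side equivalent of a gateway bypass: exclude the VPN headend before
# the general permits are evaluated.
WITH_HEADEND_EXCLUDED = [Ace("deny", "ip", GUEST_NET, VPN_HEADEND + "/32", None)] + INTENDED

DTLS = Flow("udp", "10.99.4.20", VPN_HEADEND, 443)     # AnyConnect DTLS channel
TLS_VPN = Flow("tcp", "10.99.4.20", VPN_HEADEND, 443)  # AnyConnect TLS control channel
WEB = Flow("tcp", "10.99.4.20", "203.0.113.5", 443)    # ordinary HTTPS browsing


def report(acl: List[Ace]) -> Dict[str, bool]:
    """Which of the three sample flows a given redirect list sends to the gateway."""
    return {name: is_redirected(acl, f) for name, f in
            (("dtls", DTLS), ("tls_vpn", TLS_VPN), ("web", WEB))}


if __name__ == "__main__":
    for label, acl in (("intended", INTENDED), ("overbroad", OVERBROAD),
                       ("headend excluded", WITH_HEADEND_EXCLUDED)):
        print(f"{label:17s} {report(acl)}")
```

This models only the redirect-list filter and assumes the WCCP service group would otherwise redirect these ports; on a real router the service definition itself also constrains protocol and ports, so both need to be read together when answering the "TCP and UDP?" question. The `deny` entry for the headend is the router-side counterpart of the Stop Cycle bypass discussed earlier in the thread: the flow never reaches the gateway at all, which is a useful second data point if the gateway-side bypass alone does not resolve it.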
