1909 Views 5 Replies Latest reply: Oct 31, 2013 3:49 PM by Kary Tankink
c8822131 Newcomer 14 posts since Jun 13, 2013

Jun 13, 2013 10:09 AM

HIPS 8 blocking Cisco VPN Client 5.0.x.x

Hi all,

I'm probably overlooking something incredibly obvious and I'm new to Firewall Policy management!

I've applied a policy to allow connectivity for endpoints connected to the corporate domain with a rule to allow VPN connectivity.

I've also applied a LAG to ensure only machines that have IP addresses with the corporate domain's DNS Suffix have this rule applied and to "push" any endpoints that have external connections to an "external use" locked down policy.

The issue I have is when the LAG is applied to the policy the VPN connectivity drops out after 4-10 minutes. If the LAG is removed then VPN connectivity will stabilise.

 

The LAG is configured as follows:

Description: Internal
Direction: Either
Status: Enabled

Location Name: Our Corporate Domain Name.
DNS Suffix Address: Our Corporate Domain Name.

Location status and connection isolation are enabled.

Network Protocol: Any Protocol.
Media Types: Wired, Wireless and Virtual all selected.

When the dropouts occur the HIPS firewall log shows this LAG rule blocking the VPN client:

Event: Traffic

IP Address: (VPN concentrator IP)

Application: Cisco Systems VPN Client (CVPND)

Message: Blocked Outgoing UDP - Source 192.168.0.3:(4396) Destination (VPN Concentrator IP) : (4500)

Matched Rule: Internal

If anyone out there has experienced similar issues or can see anything I've omitted please let me know, this is driving me nuts!

Thanks in advance,

Mike

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    1. Jun 13, 2013 6:57 PM (in response to c8822131)
    Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

    Connection Isolation is causing this. When this option is enabled, only the network adapter(s) that match the LAG will be applied to the firewall rules AT and BELOW the LAG group itself. You may need to allow this traffic before the LAG (with Connection Isolation) is processed, which means the firewall rule goes ABOVE the LAG group.

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    3. Jun 27, 2013 12:13 PM (in response to c8822131)
    Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

    One thing of note is that when the block is being reported in the HIPS activity log it shows the source IP as being the IP of the NIC on the machine rather than the IP granted to the VPN adapter.

    This means (I think it does!) because we've configured the group to allow traffic from any source with the corporate network's DNS suffix applied, the source IP doesn't match the group rule (e.g. Home Router IP 192.168.0.x) therefore a block is implemented.

    That's probably it. If the CAG is configured to match the VPN network adapter and its IP address information, and network traffic is trying to go out on another non-CAG-matching network adapter, then Connection Isolation will block it (by design). To allow this traffic, you would have to have a rule above the CAG to get processed before the CAG does.
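The Connection Isolation behaviour Kary describes in the two replies above, as an added illustration (not McAfee code and not part of the thread): a small Python model of top-to-bottom HIPS rule processing in which a LAG with Connection Isolation blocks traffic on a non-matching adapter, and moving the VPN allow rule above the LAG lets the NAT-T traffic through. Adapter names, DNS suffixes, IP addresses and rule names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

@dataclass
class Adapter:
    name: str
    ip: str
    dns_suffix: str          # suffix the LAG compares against

@dataclass
class Rule:
    name: str
    action: str              # "allow" or "block"
    remote_port: Optional[int] = None   # None matches any destination port

@dataclass
class Lag:                   # location-aware group: rules apply only on matching adapters
    name: str
    dns_suffix: str
    connection_isolation: bool
    rules: List[Rule]

def evaluate(policy: List[Union[Rule, Lag]], adapter: Adapter, remote_port: int) -> Tuple[str, str]:
    """Walk the policy top to bottom and return (verdict, matched rule name).
    With Connection Isolation on, traffic on an adapter that does NOT match the
    LAG is blocked by the LAG itself, so only rules ABOVE the LAG can allow it."""
    for entry in policy:
        if isinstance(entry, Rule):
            if entry.remote_port in (None, remote_port):
                return entry.action, entry.name
        elif adapter.dns_suffix == entry.dns_suffix:
            for rule in entry.rules:
                if rule.remote_port in (None, remote_port):
                    return rule.action, f"{entry.name}/{rule.name}"
        elif entry.connection_isolation:
            return "block", entry.name   # non-matching adapter is cut off here
    return "block", "implicit-deny"

# Constructed sample policy and adapters (names, suffixes and IPs are placeholders).
VPN_RULE = Rule("Allow IPsec NAT-T to concentrator", "allow", remote_port=4500)
INTERNAL = Lag("Internal", "corp.example", connection_isolation=True,
               rules=[VPN_RULE, Rule("Allow corporate traffic", "allow")])
ORIGINAL_POLICY = [INTERNAL]            # VPN rule lives inside (below) the LAG
FIXED_POLICY = [VPN_RULE, INTERNAL]     # VPN rule moved above the LAG
HOME_NIC = Adapter("Ethernet", "192.168.0.3", "home.lan")         # physical NIC at home
VPN_ADAPTER = Adapter("Cisco VPN", "10.10.5.20", "corp.example")   # gets corporate suffix

if __name__ == "__main__":
    for policy in (ORIGINAL_POLICY, FIXED_POLICY):
        print(evaluate(policy, HOME_NIC, 4500), evaluate(policy, VPN_ADAPTER, 443))
```

The IKE/NAT-T packet to UDP 4500 always leaves on the physical NIC, which carries the home suffix, so in the original layout the LAG entry "Internal" is the match that blocks it, exactly as the log line in the first post shows.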

  • Kary Tankink McAfee Employee 655 posts since
    Mar 3, 2010
    5. Oct 31, 2013 3:49 PM (in response to c8822131)
    Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x

    Is there any reason why, with this policy (regardless of CAG being enabled / disabled), this rule set would allow the tunnel to be created but not allow any traffic to pass through?

    These Firewall rules allow the VPN tunnel to be built. You may not have created any Firewall rules to allow applications through the Firewall while it is on VPN. It isn't automatic.
