5 Replies   Latest reply: Oct 31, 2013 3:49 PM by Kary Tankink

    HIPS 8 blocking Cisco VPN Client 5.0.x.x

    c8822131

      Hi all,

      I'm probably overlooking something incredibly obvious, and I'm new to Firewall Policy management!

      I've applied a policy to allow connectivity for endpoints connected to the corporate domain, with a rule to allow VPN connectivity.

      I've also applied a LAG to ensure only machines that have IP addresses with the corporate domain's DNS suffix have this rule applied, and to "push" any endpoints that have external connections to an "external use" locked-down policy.

      The issue I have is that when the LAG is applied to the policy, the VPN connectivity drops out after 4-10 minutes. If the LAG is removed then VPN connectivity stabilises.

      The LAG is configured as follows:

      Description: Internal
      Direction: Either
      Status: Enabled

      Location Name: Our Corporate Domain Name.
      DNS Suffix Address: Our Corporate Domain Name.

      Location status and connection isolation are enabled.

      Network Protocol: Any Protocol.
      Media Types: Wired, Wireless and Virtual all selected.

      When the dropouts occur, the HIPS firewall log shows this LAG rule blocking the VPN client:

      Event: Traffic
      IP Address: (VPN concentrator IP)
      Application: Cisco Systems VPN Client (CVPND)
      Message: Blocked Outgoing UDP - Source 192.168.0.3:(4396) Destination (VPN Concentrator IP) : (4500)
      Matched Rule: Internal

      If anyone out there has experienced similar issues or can see anything I've omitted, please let me know; this is driving me nuts!

      Thanks in advance,

      Mike

        • 1. Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x
          Kary Tankink

          Connection Isolation is causing this.  When this option is enabled, only the network adapter(s) that match the LAG will be applied to the firewall rules AT and BELOW the LAG group itself.  You may need to allow this traffic before the LAG (with Connection Isolation) is processed, which means the firewall rule goes ABOVE the LAG group.

          • 2. Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x
            c8822131

            Hi Kary,

            Thanks for getting back to me, and apologies for not replying sooner.

            I've raised an SR following on from your advice above.

            The rule is configured to allow VPN traffic through the VPN rule before it hits the CAG/LAG.
            One thing of note is that when the block is being reported in the HIPS activity log, it shows the source IP as being the IP of the NIC on the machine rather than the IP granted to the VPN adapter.

            This means (I think it does!) that because we've configured the group to allow traffic from any source with the corporate network's DNS suffix applied, the source IP doesn't match the group rule (e.g. home router IP 192.168.0.x), therefore a block is implemented.

            The search for a solution continues......

            • 3. Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x
              Kary Tankink

              One thing of note is that when the block is being reported in the HIPS activity log, it shows the source IP as being the IP of the NIC on the machine rather than the IP granted to the VPN adapter.

              This means (I think it does!) that because we've configured the group to allow traffic from any source with the corporate network's DNS suffix applied, the source IP doesn't match the group rule (e.g. home router IP 192.168.0.x), therefore a block is implemented.

              That's probably it.  If the CAG is configured to match the VPN network adapter and its IP address information, and network traffic is trying to go out on another non-CAG-matching network adapter, then Connection Isolation will block it (by design).  To allow this traffic, you would have to have a rule above the CAG to get processed before the CAG does.

              • 4. Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x
                c8822131

                Hi Kary,

                Okay, things have been running smoothly for a while, but in the last few weeks an issue has been raised that has been somewhat perplexing.

                I have approx. 10 customers, all using HIPS 8, all with an active Firewall Policy, that can establish a VPN tunnel using an old version of Cisco VPN Client (5.0.01.0600)

                BUT

                they can't use any apps despite the VPN client connecting.

                I'm convinced this isn't a HIPS issue, because I have approx. 700 endpoints with the same config, and during my testing I'm unable to reproduce the symptoms using the same hardware, OS, VPN client and HIPS client with the same NIPS, HIPS and Firewall policies.

                Here's what my policy is doing as far as VPN is concerned (this sits above the CAG to help get the traffic through the Firewall):

                VPN Rule
                Direction: Either
                Media: Virtual
                Protocol: Any
                Remote Networks: 193.32.82.12, 193.38.82.2, 212.250.5.100, 62.253.172.101

                Allow IPsec ESP
                Action: Allow
                Direction: Either
                Media: All types
                Protocol: IPsec ESP/IPv4, IPsec ESP/IPv6

                Allow IKE
                Action: Allow
                Direction: In
                Media: All types
                Protocol: UDP/IPv4, UDP/IPv6
                Local Service: 500

                Allow GRE
                Action: Allow
                Direction: Either
                Media: All types
                Protocol: GRE/IPv4, GRE/IPv6

                Allow IKE Outbound
                Action: Allow
                Direction: Out
                Media: All types
                Protocol: UDP/IPv4, UDP/IPv6
                Remote Service: 500

                Is there any reason why this rule set (regardless of whether the CAG is enabled or disabled) would allow the tunnel to be created but not allow any traffic to pass through?

                • 5. Re: HIPS 8 blocking Cisco VPN Client 5.0.x.x
                  Kary Tankink

                  Is there any reason why this rule set (regardless of whether the CAG is enabled or disabled) would allow the tunnel to be created but not allow any traffic to pass through?

                  These Firewall rules allow the VPN tunnel to be built.  You may not have created any Firewall rules to allow applications through the Firewall while it is on VPN.  It isn't automatic.
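The two answers in this thread (a rule inside or below a Connection Isolation group never sees traffic on a non-matching adapter, and tunnel-establishment rules do not by themselves allow application traffic over the tunnel) can be checked with a small rule-ordering model. The following is an added example, not McAfee code and not the poster's exported policy. It assumes first-match-wins evaluation with default block, and that a group with Connection Isolation blocks any packet arriving on an adapter whose DNS suffix does not match the group. The five VPN rules are transcribed from the fourth post; the "Internal" group, the suffixes corp.example and home.lan, the internal host 10.10.1.20, the client ports and the "Allow apps over VPN" rule are constructed for the example.

```python
"""Toy model of an ordered host-firewall policy with a LAG/CAG that has
Connection Isolation enabled. Added example; assumptions: first match wins,
unmatched traffic is blocked, and a Connection Isolation group blocks every
packet on an adapter whose DNS suffix differs from the group's suffix."""
from dataclasses import dataclass, field
from typing import List, Optional, Union


@dataclass
class Packet:
    adapter: str            # "nic" (physical) or "vpn" (virtual)
    dns_suffix: str         # suffix currently assigned to that adapter
    proto: str              # "udp", "tcp", "esp", "gre"
    direction: str          # "in" or "out"
    remote_ip: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str             # "allow" or "block"
    protos: List[str]       # ["any"] matches every protocol
    direction: str = "either"
    media: str = "all"      # "all" or "virtual"
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    remote_ips: List[str] = field(default_factory=list)

    def matches(self, p: Packet) -> bool:
        return (("any" in self.protos or p.proto in self.protos)
                and self.direction in ("either", p.direction)
                and (self.media != "virtual" or p.adapter == "vpn")
                and self.local_port in (None, p.local_port)
                and self.remote_port in (None, p.remote_port)
                and (not self.remote_ips or p.remote_ip in self.remote_ips))


@dataclass
class Group:
    """LAG/CAG: its rules apply only to adapters carrying the group's DNS
    suffix; with Connection Isolation on, any other adapter is blocked here."""
    name: str
    dns_suffix: str
    connection_isolation: bool
    rules: List[Rule] = field(default_factory=list)


def evaluate(policy: List[Union[Rule, Group]], p: Packet) -> str:
    """Return 'allow:<rule>' or 'block:<rule>'; unmatched traffic is blocked."""
    for entry in policy:
        if isinstance(entry, Group):
            if p.dns_suffix == entry.dns_suffix:
                for r in entry.rules:
                    if r.matches(p):
                        return f"{r.action}:{r.name}"
            elif entry.connection_isolation:
                return f"block:{entry.name}"   # the log's "Matched Rule: Internal"
            continue
        if entry.matches(p):
            return f"{entry.action}:{entry.name}"
    return "block:default"


CONCENTRATOR = "193.32.82.12"   # first address of the poster's remote-network list

# The five rules from the fourth post, transcribed into the toy model.
VPN_RULES = [
    Rule("VPN", "allow", ["any"], media="virtual",
         remote_ips=["193.32.82.12", "193.38.82.2", "212.250.5.100", "62.253.172.101"]),
    Rule("Allow IPsec ESP", "allow", ["esp"]),
    Rule("Allow IKE", "allow", ["udp"], direction="in", local_port=500),
    Rule("Allow GRE", "allow", ["gre"]),
    Rule("Allow IKE Outbound", "allow", ["udp"], direction="out", remote_port=500),
]


def build_policy(vpn_rules_above_group: bool) -> List[Union[Rule, Group]]:
    """VPN rules either above the constructed 'Internal' group or inside it."""
    if vpn_rules_above_group:
        return VPN_RULES + [Group("Internal", "corp.example", True)]
    return [Group("Internal", "corp.example", True, rules=list(VPN_RULES))]


# Constructed sample traffic: the home NIC carries a home suffix, while the
# VPN virtual adapter is assumed to receive the corporate suffix once up.
IKE_OUT = Packet("nic", "home.lan", "udp", "out", CONCENTRATOR, 500, 500)
NAT_T_OUT = Packet("nic", "home.lan", "udp", "out", CONCENTRATOR, 4396, 4500)
APP_OVER_VPN = Packet("vpn", "corp.example", "tcp", "out", "10.10.1.20", 51000, 445)


def run_cases() -> dict:
    below, above = build_policy(False), build_policy(True)
    with_app_rule = [Rule("Allow apps over VPN", "allow", ["any"], media="virtual")] + above
    return {
        "ike_rules_inside_group": evaluate(below, IKE_OUT),    # isolation blocks the NIC
        "ike_rules_above_group": evaluate(above, IKE_OUT),     # allowed before the group
        "natt_rules_above_group": evaluate(above, NAT_T_OUT),  # no UDP/4500 rule listed
        "app_traffic_no_app_rule": evaluate(above, APP_OVER_VPN),
        "app_traffic_with_app_rule": evaluate(with_app_rule, APP_OVER_VPN),
    }


if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case:28s} -> {verdict}")
```

Two things the model makes visible. First, the outbound UDP/4500 (NAT-T) packet from the first post's log is still blocked at the group even with the fourth post's rules above it, because those rules cover UDP/500 and ESP but no UDP/4500; whatever the concentrator actually negotiates needs its own rule above the group. Second, once the tunnel is up, application traffic on the virtual adapter to an internal host matches none of the tunnel rules (the "VPN" rule is limited to the listed remote networks) and falls through to the default block, which is the point of the last reply: application rules for the VPN adapter have to be written explicitly.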