ASA L2L VPN is not passing traffic when a VPN Filter is applied

Firewalls - Cisco - ASA

Within Cisco Adaptive Security Appliance Software Version 8.2(2) you may find that, when a group-policy carrying a vpn-filter is applied to your tunnel-group, some traffic is not allowed through the VPN.

This is a bug in 8.2(2). To work around it you will need to add the destination ports explicitly to the group-policy's access-list.

Examples

Your previous access-list entry for your group-policy may have looked like this:

access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the config you would need to add in order to get the traffic affected by this bug working:

ASA(config)# object-group service Ports
ASA(config-service-object-group)# service-object icmp echo
ASA(config-service-object-group)# service-object icmp echo-reply
ASA(config-service-object-group)# service-object tcp range 4060 6700
ASA(config-service-object-group)# service-object udp range 4060 6700
ASA(config-service-object-group)# exit

ASA(config)# access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
ASA(config)# no access-list ACL_Filter extended permit ip object-group Local-LAN object-group Remote-LAN

Below is an example of the complete config. Please note this only includes the config for the group-policy and the relevant tunnel-group, not the VPN configuration itself:

object-group service Ports 
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700

access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip  object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any 

group-policy Example_Policy internal
group-policy Example_Policy attributes
  vpn-filter value ACL_Filter

tunnel-group [Peer IP] general-attributes
  default-group-policy Example_Policy

Please note: if this does not resolve your issue, refer to the Cisco Bug Tracker. This is just one of a number of bugs within the vpn-filter feature.
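To check that every flow you rely on is covered by an explicit service entry after applying the workaround, the following added example (not Cisco code) parses the object-group and access-list lines from the config above and evaluates a flow against them, treating a bare `permit ip` entry as unreliable in the way the bug described above does. It compares source and destination by object-group name rather than resolving group membership; that simplification, the helper names and the `SAMPLE_CONFIG` string are assumptions made to keep the example self-contained.

```python
"""Audit an ASA vpn-filter ACL against the 8.2(2) workaround.

Added example, not Cisco tooling. Assumption: source/destination are matched
by object-group name (membership is not resolved), and tcp/udp ports are
numeric. A bare 'permit ip' is skipped when assume_bug=True, mirroring the
behaviour the article describes for 8.2(2).
"""
import re
from dataclasses import dataclass

# Constructed sample: the article's complete config for the filter ACL.
SAMPLE_CONFIG = """\
object-group service Ports
 service-object icmp echo
 service-object icmp echo-reply
 service-object tcp range 4060 6700
 service-object udp range 4060 6700

access-list ACL_Filter extended permit object-group Ports object-group Local-LAN object-group Remote-LAN
access-list ACL_Filter extended permit ip  object-group Local-LAN2 object-group Remote-LAN2
access-list ACL_Filter extended deny ip any any
"""

ICMP_TYPES = {"echo": 8, "echo-reply": 0}  # the two ICMP types the article uses


@dataclass(frozen=True)
class Entry:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip', 'tcp', 'udp' or 'icmp'
    lo: int      # port range (tcp/udp), ICMP type, or 0..65535 for 'ip'
    hi: int
    src: str     # object-group name or 'any'
    dst: str


def parse_service_groups(lines):
    """Map 'object-group service NAME' to a list of (proto, lo, hi) tuples."""
    groups, current = {}, None
    for line in lines:
        m = re.match(r"object-group service (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+service-object (\S+)(?:\s+(.*))?$", line)
        if m and current is not None:
            proto, rest = m.group(1), (m.group(2) or "").split()
            if proto == "icmp":
                t = ICMP_TYPES.get(rest[0]) if rest else None
                current.append((proto, t, t) if t is not None else (proto, 0, 255))
            elif rest[:1] == ["eq"]:
                current.append((proto, int(rest[1]), int(rest[1])))
            elif rest[:1] == ["range"]:
                current.append((proto, int(rest[1]), int(rest[2])))
            else:
                current.append((proto, 0, 65535))  # no port qualifier: all ports
        elif not line.startswith(" "):
            current = None  # left the object-group block
    return groups


def parse_acl(config_text, acl_name):
    """Expand the named ACL into Entry objects, one per service-object."""
    lines = config_text.strip().splitlines()
    groups = parse_service_groups(lines)
    pat = re.compile(
        rf"access-list {re.escape(acl_name)} extended (permit|deny) "
        r"(?:object-group (\S+)|(\S+))\s+(?:object-group (\S+)|(\S+))\s+(?:object-group (\S+)|(\S+))")
    entries = []
    for line in lines:
        m = pat.match(line)
        if not m:
            continue
        action, svcgrp, proto, srcg, srcany, dstg, dstany = m.groups()
        src, dst = srcg or srcany, dstg or dstany
        if svcgrp:  # service object-group: one Entry per member
            for p, lo, hi in groups[svcgrp]:
                entries.append(Entry(action, p, lo, hi, src, dst))
        else:       # plain protocol keyword such as 'ip'
            entries.append(Entry(action, proto, 0, 65535, src, dst))
    return entries


def flow_permitted(entries, proto, port, src, dst, assume_bug=True):
    """First-match evaluation. With assume_bug=True a bare 'permit ip' entry is
    skipped, so only an explicit service entry counts as a permit."""
    for e in entries:
        if (e.src, e.dst) not in {(src, dst), ("any", "any")}:
            continue
        if e.proto == "ip":
            if e.action == "permit" and assume_bug:
                continue  # unreliable under the bug: keep looking
            return e.action == "permit"
        if e.proto == proto and e.lo <= port <= e.hi:
            return e.action == "permit"
    return False  # implicit deny at the end of the ACL


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, "ACL_Filter")
    for flow in [("tcp", 5000), ("tcp", 80), ("icmp", 8)]:
        print(flow, flow_permitted(acl, *flow, "Local-LAN", "Remote-LAN"))
```

Running it shows tcp/5000 and ICMP echo covered by the explicit `Ports` entries, while tcp/80 falls through to the final deny; the `Local-LAN2`/`Remote-LAN2` pair, which still relies on `permit ip`, is reported as not covered unless `assume_bug=False`.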

 

Endpoint Connect Installation / Troubleshooting Guide

Firewalls - Checkpoint

What is EndPoint Connect ?

Checkpoint's Endpoint Connect software provides a number of client-side security features such as Anti-virus/Anti-spyware, Firewall/Email Protection, Program Control and Remote Access VPN. This document will only detail and discuss the Remote Access VPN section of the Endpoint Connect software. Note: this document will refer to the Endpoint Connect Remote Access VPN simply as Endpoint Connect.

Endpoint Connect is built into the software for managers and gateways running R70 and above. For R65 gateways that require Endpoint Connect a few additional configuration steps are required, which are included within this document.

Please note : This testing and documentation is based on the Endpoint Connect R73 Client.

Advantages

  • Lightweight Client if you are using a single site or single entry point setup.
  • Can be installed onto Windows 7 64-bit.

Disadvantages

  • An additional SNX (SSL Network Extender) license is required, because the client authenticates across HTTPS (visitor mode).
  • Link Selection is disabled (this is due to sites being defined via a single IP address).
  • MEP configurations can only be achieved by using Geo-Cluster DNS name resolution.

Installation on an R65 Gateway

Upgrading an R65 Gateway to R65 Endpoint Connect:

  1. Ensure that you are running HFA40 or higher.
  2. Ensure that you are managing the gateway with R70 or higher.

You will now be able to configure the required Endpoint Connect settings via SmartDashboard.

Configuration

To enable Endpoint Connect, configure/enable the following settings:

Under the Checkpoint Gateway Object

1. Enable VPN

2. Create a VPN domain



3. Enable NAT-T



4. Enable Visitor Mode :

5. Enable Office mode



6. Enable SSL Network Extender



7. Endpoint Connect doesn't support DES. If this is set, please re-configure.

Additional Settings

Further settings can be set within the Global Properties.

Troubleshooting

Issue : Authenticating failed: GEN_application_error(0)

You may receive this error when trying to login.



This is down to your client being unable to authenticate with the VPN gateway using HTTPS. This can be caused by the following:

  1. Port 443/tcp on the firewall is assigned to a web management GUI (WebUI/Voyager) instead of VPND.
  2. Port 443/tcp is not listening because no SNX (SSL Network Extender) license is present.

Issue : Failed to download topology

Endpoint Connect fails to connect to NGX R65 Security Gateways that are managed by an R70 Security Management server with error: "failed to download topology".

To resolve this, run through the following steps:

  1. On the R70 Security Management server, edit the file:
     /opt/CPNGXCMP-R70/lib/vpn_table.def
  2. Scroll down to the section that starts with:
     /* Slim Client gateway tables */
  3. Add the entry for the ccc_sessions table below it:
     ccc_sessions            = dynamic expires 900 keep sync kbuf 1;
  4. After adding this entry to the vpn_table.def file, open SmartDashboard and re-install policy to the NGX R65 Security Gateway(s).

Further details can be found in Checkpoint KB article sk43124.
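Because vpn_table.def is a live policy file, the edit in steps 1 to 3 above is worth doing idempotently and with a backup. The following added example (not Check Point's own tooling) inserts the ccc_sessions entry directly below the marker comment, refuses to touch a file that lacks the marker, and does nothing if the entry is already present. The marker, entry and path come from the steps above; `SAMPLE_DEF` is a constructed fragment and the function names are assumptions.

```python
"""Idempotent helper for the vpn_table.def edit from the troubleshooting steps.

Added example, not Check Point code. Assumptions: the marker comment appears
on a line of its own, and the file is small enough to read into memory.
"""
import shutil
from pathlib import Path

# Strings taken from the article's steps.
DEFAULT_PATH = "/opt/CPNGXCMP-R70/lib/vpn_table.def"
MARKER = "/* Slim Client gateway tables */"
ENTRY = "ccc_sessions            = dynamic expires 900 keep sync kbuf 1;"


def patch_vpn_table(text: str) -> str:
    """Return the content with the ccc_sessions entry present exactly once,
    directly below the marker. Raises ValueError when the marker is missing so
    a file from an unexpected build is never edited blindly."""
    lines = text.splitlines()
    if any(l.lstrip().startswith("ccc_sessions") for l in lines):
        return text  # already patched: nothing to do
    try:
        idx = next(i for i, l in enumerate(lines) if l.strip() == MARKER)
    except StopIteration:
        raise ValueError("marker not found; refusing to edit vpn_table.def")
    lines.insert(idx + 1, ENTRY)
    return "\n".join(lines) + "\n"


def patch_file(path=DEFAULT_PATH, backup_suffix=".bak") -> bool:
    """Patch the file in place, keeping a copy; True if it was changed."""
    p = Path(path)
    original = p.read_text()
    patched = patch_vpn_table(original)
    if patched == original:
        return False
    shutil.copy2(p, p.with_name(p.name + backup_suffix))
    p.write_text(patched)
    return True


# Constructed sample of the section the steps refer to (not the real file).
SAMPLE_DEF = """\
/* Slim Client gateway tables */
some_other_table        = dynamic expires 900;
"""

if __name__ == "__main__":
    print(patch_vpn_table(SAMPLE_DEF))
```

After the change the policy still has to be re-installed to the R65 gateway(s), as step 4 says; the script only prepares the file.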

Licensing

Details on licensing can be found in Checkpoint's KB article sk43329.

 

Checkpoint Web Visualization only provides part of the policy

Firewalls - Checkpoint

When using the Checkpoint Web Visualization tool to obtain the policy for a Cluster object you may receive one of the following errors/issues:

  1. The policy is saved as an .html file but only part of the policy is shown.
  2. You receive one of the following errors when running the Web Visualization command:

Querying tables...

Error Reason: Inconsistency problem: table communities is not recognized by server.

An error occurred while synchronizing with server tables.

        1 file(s) copied.
        1 file(s) copied.

XSLT warning: Fatal Error at (file <unknown>, line 0, column 0): An exception occurred! Type:RuntimeException, Message:The primary document entity could not be opened. Id=file:///d:/temp/temp/Security_Policy.xml (, line -1, column -1)

or

Querying tables...

Failed to open DB.
Error Reason: A disk error occurred during a read operation

Failed to get data from the management server "10.18.10.6"!

Solution

To resolve the issue, use the cluster object name rather than the individual cluster node name when running the Web Visualization command. An example would be:

C:\Program Files\CheckPoint\SmartConsole\R65\PROGRAM>cpdb2html.bat . C:\temp\ [manager ip] [username] [pw] -o fw-policy.html -m [cluster object name]

 

Running a packet capture on a SourceFire Sensor

IDS - Snort / Sourcefire

Below are the steps required to run a packet capture on a SourceFire sensor.

Which Interfaces are Sniffing ?

First, get a list of the interfaces that are sniffing for malicious traffic. Note: the fpN names normally map onto ethN interfaces, but you still use the fp name with tcpdump.

ps -ef | grep snort | grep fp | awk -F -i ' { print $2 } ' | awk '{print $1}' | head -n1
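The pipeline above returns only the first interface (`head -n1`). As an added example that is not Sourcefire tooling, the following Python does the same parse of `ps -ef` output but returns every interface snort was started with, so a sensor with several sniffing interfaces is covered in one pass. `SAMPLE_PS` is a constructed process listing and the function names are assumptions.

```python
"""List every interface snort is sniffing on, from `ps -ef` output.

Added example, not Sourcefire code. Assumption: each snort process carries
its interface as '-i <name>' on the command line, as the article's
pipeline also assumes.
"""
import re
import subprocess

# Constructed sample of `ps -ef` output as it might look on a sensor.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      1234     1  0 10:01 ?        00:00:10 /usr/local/sf/bin/snort -D -i fp1 -c /etc/sf/snort.conf
root      1235     1  0 10:01 ?        00:00:09 /usr/local/sf/bin/snort -D -i fp2 -c /etc/sf/snort.conf
root      2001  1900  0 15:30 pts/0    00:00:00 grep snort
"""

# 'snort' as a whole word, then the first '-i <interface>' after it.
IFACE_RE = re.compile(r"\bsnort\b.*?\s-i\s+(\S+)")


def snort_interfaces(ps_output: str) -> list:
    """Interface names passed with -i to each snort process, in listing
    order, skipping the grep process itself and duplicates."""
    seen = []
    for line in ps_output.splitlines():
        if "grep" in line.split():  # our own grep would otherwise match 'snort'
            continue
        m = IFACE_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def live_interfaces() -> list:
    """Run ps on the sensor (assumes a procps-style `ps -ef`)."""
    out = subprocess.run(["ps", "-ef"], capture_output=True, text=True,
                         check=True).stdout
    return snort_interfaces(out)


if __name__ == "__main__":
    print(snort_interfaces(SAMPLE_PS))
```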

Tcpdump the Interface

Using the interface names output by the last command, you can now run a tcpdump.

root@3d:/#tcpdump -ni <interface>
Example:
root@3d:/#tcpdump -ni fp2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
 listening on fp2, link-type EN10MB (Ethernet), capture size 68 bytes
 15:35:51.477839 802.1d config 8001.00:15:13:de:a9:80.8001 root 8001.00:15:a3:ee:h5:80 pathcost 0 age 0 max 20 hello 2 fdelay 15 

Overview of traffic

We can also get an overview of the traffic by running the following command:

root@3d:/# watch 'netstat -ani'

 

 

File download fails through Netscreen when using IE6 with Passive FTP

Firewalls - Juniper - Netscreen

You may find that when downloading a file from your FTP server using Internet Explorer 6 with "Folder View" enabled and Passive FTP, the file transfer fails after a short period of time.

This can be down to Internet Explorer sending TCP packets with sequence numbers outside the current TCP window, which in turn causes the FTP file transfer to fail. This can be caused by vendors using non-RFC methods to verify a packet's validity, or by the host sending back badly numbered packets and expecting a reply.

You can confirm whether the Netscreen is dropping packets for this reason with the following command:

netscreen(M)-> get counter statistics | i (Total|seq)
Total flow counters for interface mgt:

tcp out of seq         0 | mac relearn            0 | no frag sess           0
Total flow counters for interface ethernet1/1:

tcp out of seq    38321 | mac relearn            0 | no frag sess           0
Total flow counters for interface ethernet1/2:
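When you have a Netscreen with many interfaces, eyeballing the output above for the non-zero "tcp out of seq" counter is error-prone. The following added example (not Juniper tooling) parses the `get counter statistics` output into a per-interface dictionary and reports the interfaces whose out-of-sequence counter is above a threshold. `SAMPLE_OUTPUT` is constructed to match the format above (with a counter line added for ethernet1/2); the function names are assumptions.

```python
"""Parse Netscreen `get counter statistics` output and flag interfaces with
TCP out-of-sequence drops.

Added example, not Juniper code. Assumption: each interface block opens with
'Total flow counters for interface <name>:' and counter lines hold
'|'-separated 'name  value' cells, as in the article's output.
"""
import re

# Constructed sample in the article's format; ethernet1/2 given a counter line.
SAMPLE_OUTPUT = """\
Total flow counters for interface mgt:

tcp out of seq         0 | mac relearn            0 | no frag sess           0
Total flow counters for interface ethernet1/1:

tcp out of seq    38321 | mac relearn            0 | no frag sess           0
Total flow counters for interface ethernet1/2:

tcp out of seq         0 | mac relearn            0 | no frag sess           0
"""

IFACE_RE = re.compile(r"^Total flow counters for interface (\S+):")
COUNTER_RE = re.compile(r"([a-z][a-z ]*?)\s+(\d+)")  # 'tcp out of seq    38321'


def parse_counters(output: str) -> dict:
    """Map interface name -> {counter name: value}."""
    result, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), {})
            continue
        if current is None or not line.strip():
            continue  # text before the first block, or a blank spacer line
        for cell in line.split("|"):
            cm = COUNTER_RE.match(cell.strip())
            if cm:
                current[cm.group(1).strip()] = int(cm.group(2))
    return result


def out_of_seq_drops(output: str, threshold: int = 0) -> dict:
    """Interfaces whose 'tcp out of seq' counter exceeds the threshold."""
    return {ifc: c["tcp out of seq"]
            for ifc, c in parse_counters(output).items()
            if c.get("tcp out of seq", 0) > threshold}


if __name__ == "__main__":
    print(out_of_seq_drops(SAMPLE_OUTPUT))
```

Counters are cumulative, so take two readings a few minutes apart while reproducing the download; a counter that climbs during the transfer is the one that ties the drops to this issue.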

Solution

The Netscreen is working as designed, so you have 3 options:

  1. Disable TCP sequence checking on the firewall using the command 'set flow no-tcp-seq-check'.
  2. Use an alternative client for Passive FTP downloads.
  3. Use Active FTP.
 
