
Field Notice: FN - 63146 - Third Party VPN Connection May Cause Unintended VPN Interruption for Other Connected Users

August 12, 2008


NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision  Date         Comment
1.0       12-AUG-2008  Initial Public Release

Products Affected

ASA - ASA5505-ASA5580
PIX - PIX
VPN3000 - VPN3000-Concentrator

Problem Description

The following products and versions are impacted by this Field Notice:

Cisco Adaptive Security Appliance models 5505-5550 - All releases prior to 8.0.4

Cisco Adaptive Security Appliance model 5580 - All releases prior to 8.1.1.8
(Customers must contact the Cisco TAC for access to this version)

Cisco PIX Security Appliance - All 7.x and 8.x releases prior to 8.0.4

Cisco VPN 3000 Concentrator - All releases prior to 4.7.2.P


The Apple iPhone and iPod Touch 2.0 software offers advanced VPN capabilities for communicating with Cisco ASA and PIX head-end devices. Now that this software has been released, users may use their iPhones to connect to existing Cisco VPN head-end devices.

For ASA, PIX (7.x or later) and VPN 3000 environments not running the minimum versions listed above, use of the VPN Client in the initial versions of iPhone/iPod Touch 2.0 software can cause interruptions to VPN services for other users. This field notice describes the configuration steps that can be taken on the head-end devices to grant iPhone/iPod Touch users VPN access without causing interruptions, or to disallow connections by iPhones.

Background

Cisco has released a software upgrade as a workaround for the problem. In addition, we recommend that once an update has been released from Apple that you advise all of your iPhone/iPod Touch users to upgrade to this new software version.

Problem Symptoms

With IPsec enabled on ASA, PIX, or VPN 3000 series VPN head ends that are not running the minimum versions listed above, a VPN interruption can occur unless one of the following configuration steps is taken.

More information can be found in bug numbers CSCsr40360 or CSCsr38654.

Workaround/Solution

For customers unable to upgrade to the minimum versions listed above, a workaround option is available for administrators who intend to allow access from the iPhone/iPod Touch 2.0 VPN Clients.

Allow iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):

We recommend creating a new VPN group specifically for iPhone/iPod Touch users if a mask is set on your existing address pool or if DHCP address assignment is in use. A separate group also lets you apply customized security policies, such as granting these mobile users access only to specific resources.

For the new group created for the iPhone, ensure that an address pool is used and that either no mask is set on the pool or, if a mask is set, it is 255.255.255.255.

Example:

asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254

OR

asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254 mask 255.255.255.255

You may also set up a permit rule to limit access to this group to iPhones. In the group policy, enable the following rule:

client-access-rule 10 permit type iPhone* version *

For any groups that have a non-host address pool mask assigned to them or that are set up for DHCP address assignment, follow the instructions below to deny iPhone/iPod Touch connections to those groups.

If corporate policy is to restrict VPN access from the iPhone and iPod Touch 2.0, please use the configuration settings below.

Deny iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):

In the group policy, enable the following rule:

client-access-rule 10 deny type iPhone* version *
client-access-rule 20 permit type * version *
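The two conditions above (a pool with no mask or a 255.255.255.255 mask, or a group policy whose client-access-rule set denies iPhone* clients before any permit) can be checked across a whole running-config rather than group by group. The following script is an added example for this field notice and is not Cisco code; it parses a constructed ASA/PIX-style configuration (only the ip local pool, group-policy ... attributes, client-access-rule and tunnel-group ... general-attributes lines shown here) and flags each tunnel-group that is still exposed to the interruption described above. The sample configuration, the group and pool names, and the client type string "iPhone" used to evaluate the rules are all assumptions made for the example.

```python
"""Audit an ASA/PIX running-config for the iPhone/iPod Touch 2.0 condition in FN-63146.

For every tunnel-group: resolve its address pool and default group policy, then
report "ok" if the pool has no mask or a 255.255.255.255 mask, or if the group
policy's client-access-rules deny iPhone* clients; otherwise report "AT RISK".
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config for this example; not from any real device.
SAMPLE_CONFIG = """\
ip local pool iphone_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
ip local pool staff_pool 10.1.0.1-10.1.0.254 mask 255.255.255.0
ip local pool legacy_pool 10.3.0.1-10.3.0.254 mask 255.255.255.0
group-policy iphone_policy internal
group-policy iphone_policy attributes
 client-access-rule 10 permit type iPhone* version *
group-policy staff_policy internal
group-policy staff_policy attributes
 client-access-rule 10 deny type iPhone* version *
 client-access-rule 20 permit type * version *
group-policy contractor_policy internal
group-policy contractor_policy attributes
 vpn-tunnel-protocol IPSec
group-policy legacy_policy internal
group-policy legacy_policy attributes
 client-access-rule 10 permit type * version *
tunnel-group iphone_group type ipsec-ra
tunnel-group iphone_group general-attributes
 address-pool iphone_users
 default-group-policy iphone_policy
tunnel-group staff type ipsec-ra
tunnel-group staff general-attributes
 address-pool staff_pool
 default-group-policy staff_policy
tunnel-group contractors type ipsec-ra
tunnel-group contractors general-attributes
 dhcp-server 10.9.9.9
 default-group-policy contractor_policy
tunnel-group legacy type ipsec-ra
tunnel-group legacy general-attributes
 address-pool legacy_pool
 default-group-policy legacy_policy
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)(?: mask (\S+))?")
RULE_RE = re.compile(r"^client-access-rule (\d+) (permit|deny) type (\S+) version (\S+)")


@dataclass
class Pool:
    name: str
    mask: Optional[str]  # None when the pool line carries no mask keyword


@dataclass
class GroupPolicy:
    name: str
    rules: List[Tuple[int, str, str]] = field(default_factory=list)  # (seq, action, type pattern)


@dataclass
class TunnelGroup:
    name: str
    pool: Optional[str] = None
    dhcp: bool = False
    policy: Optional[str] = None


def parse_config(text: str):
    """Collect pools, group policies and tunnel-groups from the flat config text."""
    pools: Dict[str, Pool] = {}
    policies: Dict[str, GroupPolicy] = {}
    tgroups: Dict[str, TunnelGroup] = {}
    context = None  # ("policy"|"tunnel", name) while inside an indented attributes block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            context = None  # any unindented line ends the current attributes block
            m = POOL_RE.match(line)
            if m:
                pools[m.group(1)] = Pool(m.group(1), m.group(3))
                continue
            m = re.match(r"^group-policy (\S+) attributes$", line)
            if m:
                context = ("policy", m.group(1))
                policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
                continue
            m = re.match(r"^tunnel-group (\S+) general-attributes$", line)
            if m:
                context = ("tunnel", m.group(1))
                tgroups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            continue
        if context is None:
            continue
        kind, name = context
        stripped = line.strip()
        if kind == "policy":
            m = RULE_RE.match(stripped)
            if m:
                policies[name].rules.append((int(m.group(1)), m.group(2), m.group(3)))
        else:
            tg = tgroups[name]
            if stripped.startswith("address-pool "):
                tg.pool = stripped.split()[1]
            elif stripped.startswith("dhcp-server "):
                tg.dhcp = True
            elif stripped.startswith("default-group-policy "):
                tg.policy = stripped.split()[1]
    return pools, policies, tgroups


def first_matching_action(policy: GroupPolicy, client_type: str = "iPhone") -> str:
    """Evaluate client-access-rules in sequence order; the first type match decides.
    With no rules configured every client is permitted; with rules configured but
    none matching, the client is denied (the reason the notice pairs its deny rule
    with a trailing 'permit type * version *')."""
    if not policy.rules:
        return "permit"
    for _, action, pattern in sorted(policy.rules):
        if fnmatch.fnmatchcase(client_type, pattern):
            return action
    return "deny"


def audit(text: str) -> Dict[str, Tuple[str, str, bool]]:
    """Return {tunnel-group: (status, addressing note, denies_iphone)} for the config."""
    pools, policies, tgroups = parse_config(text)
    findings = {}
    for tg in tgroups.values():
        policy = policies.get(tg.policy) if tg.policy else None
        denies_iphone = policy is not None and first_matching_action(policy) == "deny"
        if tg.dhcp:
            addressing_ok, note = False, "DHCP address assignment"
        elif tg.pool and tg.pool in pools:
            mask = pools[tg.pool].mask
            addressing_ok = mask in (None, "255.255.255.255")
            note = f"pool {tg.pool} mask {mask or 'none'}"
        else:
            addressing_ok, note = False, "no address pool resolved"  # treat unknown as exposed
        status = "ok" if addressing_ok or denies_iphone else "AT RISK"
        findings[tg.name] = (status, note, denies_iphone)
    return findings


if __name__ == "__main__":
    for group, (status, note, denies) in audit(SAMPLE_CONFIG).items():
        print(f"{group:<14} {status:<8} {note}; denies iPhone*: {denies}")
```

In the constructed sample, iphone_group passes on its /32 pool, staff passes because its policy denies iPhone* before the catch-all permit, and both contractors (DHCP, no rules) and legacy (/24 pool, permit-all) are reported as AT RISK and need one of the two changes from this notice.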


Deny iPhone/iPod Touch VPN Connections (VPN 3000):


Choose Configuration > User Management > Groups. Then choose the group and go to the IPsec tab.
Construct the rule in the following way:

d iPhone*.*
p *:*

Note: There is a space between the d or p and the rest of the rule.

Note: Connections from the Apple iPhone/iPod Touch 2.0 VPN Client to the VPN 3000 Concentrator are not supported by Cisco.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

DDTS        Description
CSCsr38654  (registered customers only) Configuring a VPN 3000 to limit connections from iPhone 2.0 VPN software
CSCsr40360  (registered customers only) iPhone 2.0 SW requires that ASA address mask is 255.255.255.255

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.