Field Notice: FN - 63146 - Third Party VPN Connection May Cause Unintended VPN Interruption for Other Connected Users
August 12, 2008
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Initial Public Release
ASA - ASA5505-ASA5580
PIX - PIX
VPN3000 - VPN3000-Concentrator
The following products and versions are impacted by this Field Notice:
Cisco Adaptive Security Appliance models 5505-5550 - All releases prior to 8.0.4
Cisco Adaptive Security Appliance model 5580 - All releases prior to 188.8.131.52
(Customers must contact the Cisco TAC for access to this version)
Cisco PIX Security Appliance - All 7.x and 8.x releases prior to 8.0.4
Cisco VPN 3000 Concentrator - All releases prior to 4.7.2.P
Apple iPhone and iPod Touch 2.0 offers advanced VPN capabilities for communicating with Cisco ASA and PIX head-end devices. Users may use their iPhones to connect to existing Cisco VPN head-end devices now that this software has been released.
For ASA, PIX (7.x or later) and VPN 3000 environments not running the minimum versions listed above, use of the VPN Client in the initial versions of iPhone/iPod Touch 2.0 software can cause interruptions to VPN services for other users. This field notice describes the configuration steps that can be taken on the head-end devices to grant iPhone/iPod Touch users VPN access without causing interruptions, or to disallow connections by iPhones.
Cisco has released a software upgrade as a workaround for the problem. In addition, we recommend that once an update has been released from Apple that you advise all of your iPhone/iPod Touch users to upgrade to this new software version.
With IPsec enabled on the ASA, PIX, or VPN3000 series VPN head ends not running the minimum versions listed above, it is possible to cause a VPN interruption if one of the following configuration steps are not taken.
More information can be found in bug numbers CSCsr40360 or CSCsr38654.
For customers unable to upgrade to the minimum versions listed above, a workaround option is available for administrators who intend to allow access from the iPhone/iPod Touch 2.0 VPN Clients.
Allow iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):
We recommend creating a new VPN group specifically for iPhone/iPod touch users if there is a mask set for your existing address pool or if DHCP address assignment is in use. A special group will also allow you to set customized security policies, such as providing these mobile users access to specific resources.
For the new group created for the iPhone, ensure that an address pool is utilized and either no mask command is set or if a mask is set, that it is set to 255.255.255.255.
asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254
asa(config-webvpn)# ip local pool iphone_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
You may also set up a permit rule to limit this access to this group to iPhones. In the group policy, enable the following rule:
client-access-rule 10 permit type iPhone* version *
For any groups that have an appropriate address pool mask assigned to them or are set up for DHCP address assignment, you should follow the instructions in the field notice to deny connections to these groups.
If corporate policy is to restrict VPN access from the iPhone and iPod Touch 2.0, please use the configuration settings below.
Deny iPhone/iPod Touch VPN connections (ASA/PIX 7.x+):
In the group policy, enable the following rule:
client-access-rule 10 deny type iPhone* version *
client-access-rule 20 permit type * version *
Deny iPhone/iPod Touch VPN Connections (VPN 3000):
Choose Configuration > User Management > Groups. Then choose the group and go to the IPsec tab.
Construct the rule in the following way:
Note: There is a space between d (and) p and the other words
Note: Connections from the Apple iPhone/iPod Touch 2.0 VPN Client to the VPN 3000 Concentrator are not supported by Cisco.
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
|CSCsr38654 (registered customers only)
|| Configuring a VPN 3000 to limit connections from iPhone 2.0 VPN software
|CSCsr40360 (registered customers only)
|| iPhone 2.0 SW requires that ASA address mask is 255.255.255.255
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.