Cisco Bug: CSCtb73211 - Protected network discovery for L2L should be done with ACL on 3.3.0

Last Modified

Nov 11, 2016

Products (1)

  • Cisco Security Manager

Known Affected Releases

3.3(0)

Description (partial)

Symptom:

CSM 3.3.0 detects protected networks as a network object rather than an ACL when building an L2L tunnel through "Discover VPN Policies". This causes the following issues:

1.  The protected network within the config on CSM is listed as a network object by default. This causes the following issue when retrieving an L2L config from an ASA and then re-deploying the config:

Config directly from ASA with 3 interesting traffic ACL statements:
access-list vpn extended permit ip 10.0.13.0 255.255.255.0 10.0.14.0 255.255.255.0 
access-list vpn extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0 
access-list vpn extended permit ip host 10.1.1.1 host 10.2.2.2

CSM interprets the protected networks as a network object rather than an ACL, and when you re-deploy the config it adds additional statements:
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.200.0 255.255.255.0 host 10.2.2.2       <-- INCORRECT
access-list CSM_IPSEC_ACL_1 extended permit ip 192.168.200.0 255.255.255.0 10.0.14.0 255.255.255.0    <-- INCORRECT
access-list CSM_IPSEC_ACL_1 extended permit ip host 10.1.1.1 192.168.201.0 255.255.255.0    <-- INCORRECT
access-list CSM_IPSEC_ACL_1 extended permit ip host 10.1.1.1 host 10.2.2.2
access-list CSM_IPSEC_ACL_1 extended permit ip host 10.1.1.1 10.0.14.0 255.255.255.0    <-- INCORRECT
access-list CSM_IPSEC_ACL_1 extended permit ip 10.0.13.0 255.255.255.0 192.168.201.0 255.255.255.0 <-- INCORRECT
access-list CSM_IPSEC_ACL_1 extended permit ip 10.0.13.0 255.255.255.0 host 10.2.2.2     <-- INCORRECT 
access-list CSM_IPSEC_ACL_1 extended permit ip 10.0.13.0 255.255.255.0 10.0.14.0 255.255.255.0

2.  When importing the interesting traffic ACL, you might receive the following message:

"Some of the object names in this configuration conflict with existing policy objects.  When a policy object with the same name and a different value exists, object names must be modified as part of discovery.  Conflicts occur when the global value of a policy object is different and value overrides are not allowed."

The following objects were renamed by discovery: 
  vpn -> vpn_3 (ACL)

However, vpn_3 is nowhere to be found within the access list objects, so you have to manually rebuild the interesting traffic ACL for your L2L tunnel.
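The six lines marked INCORRECT above are exactly what you get when the three source endpoints and the three destination endpoints of the original ACL are each collapsed into a single network object and then redeployed as every source paired with every destination (3 x 3 = 9 ACEs instead of 3). The script below is an added example, not part of the bug report or of Cisco Security Manager; it parses the three ACEs quoted above (embedded here as a constructed sample), models the object-based expansion, and reports which pairs would be added to the crypto ACL beyond what the device originally carried, so an operator can check a discovered L2L policy before pushing it back to the ASA. The function names (`parse_ace_pairs`, `spurious_pairs`, `redeployed_acl`) and the assumption that only the `permit ip SRC DST` ACE shape needs handling are the example's own.

```python
import ipaddress
from itertools import product

# Constructed sample: the three interesting-traffic ACEs quoted in the bug report.
ORIGINAL_ACL = """
access-list vpn extended permit ip 10.0.13.0 255.255.255.0 10.0.14.0 255.255.255.0
access-list vpn extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list vpn extended permit ip host 10.1.1.1 host 10.2.2.2
"""


def _take_endpoint(tokens):
    """Consume one ACE endpoint ('host A.B.C.D' or 'NET MASK') and return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace_pairs(acl_text):
    """Return the ordered (src, dst) network pairs from 'access-list NAME extended permit ip' ACEs.

    Assumption: only the ACE shape used in the report is handled; other lines are skipped.
    """
    pairs = []
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[3:5] != ["permit", "ip"]:
            continue
        src, rest = _take_endpoint(tokens[5:])
        dst, _ = _take_endpoint(rest)
        pairs.append((src, dst))
    return pairs


def _object_based_expansion(pairs):
    """Model the discovery defect: every source and every destination becomes a member of
    one network object each, so redeploying emits the full cross product of the two sets."""
    sources = sorted({s for s, _ in pairs})
    dests = sorted({d for _, d in pairs})
    return list(product(sources, dests))


def _fmt_endpoint(net):
    """Render a network the way the ASA prints it in an ACE."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def render_ace(src, dst, name="CSM_IPSEC_ACL_1"):
    return f"access-list {name} extended permit ip {_fmt_endpoint(src)} {_fmt_endpoint(dst)}"


def redeployed_acl(acl_text, name="CSM_IPSEC_ACL_1"):
    """The ACL CSM would push back after object-based discovery (all cross-product ACEs)."""
    return [render_ace(s, d, name) for s, d in _object_based_expansion(parse_ace_pairs(acl_text))]


def spurious_pairs(acl_text):
    """(src, dst) pairs, as CIDR strings, that the redeploy adds but the device never had.

    Each one widens the crypto domain: traffic between two networks that were never meant to
    share a tunnel would now match the interesting-traffic ACL.
    """
    original = parse_ace_pairs(acl_text)
    wanted = set(original)
    return [(str(s), str(d)) for s, d in _object_based_expansion(original) if (s, d) not in wanted]


def redeploy_is_faithful(acl_text):
    """True when object-based discovery would reproduce the device ACL exactly."""
    return not spurious_pairs(acl_text)


if __name__ == "__main__":
    for line in redeployed_acl(ORIGINAL_ACL):
        print(line)
    print(f"{len(spurious_pairs(ORIGINAL_ACL))} ACEs would be added beyond the original ACL")
```

Running the block prints the nine-line ACL in the same form as the report and a count of six added pairs; `redeploy_is_faithful` returns True only for ACLs whose source and destination sets already form a full cross product, which is the one case where the object-based discovery is harmless.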

Conditions:

The issue occurs when you perform a "Discover VPN Policies" to build an L2L tunnel between two devices on CSM 3.3.0.