Cisco Bug: CSCuo03569 - VPN client firewall and split-tunneling mishandle "inactive" acl rules

Last Modified

Nov 27, 2020

Products (1)

  • Cisco Adaptive Security Appliance (ASA) Software

Known Affected Releases

9.1(5)

Description (partial)

Symptom:
If an access-list referenced by the client firewall or split-tunneling configuration contains inactive entries (an ACE disabled through ASDM or with the `inactive` keyword; list them with `show access-list <name> | include inactive`), those entries are still sent to the client as part of the client-side firewall or split-tunneling rules instead of being skipped. The practical effect is that a rule the administrator believes is disabled still takes effect on the client.

Conditions:
For client-side firewall rules:
- ASA is configured as SSLVPN / IKEv2 server, and AnyConnect clients connect to the ASA. 
- ASA has AnyConnect Client firewall rules that are pushed to the client every time it connects

For split-tunneling rules:
- ASA configured as SSLVPN, IKEv2, or IKEv1 headend.
- ASA has `split-tunnel-network-list` configured to point to an access-list that has inactive entries.
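The check a practitioner would want for this bug is an audit of which inactive ACEs live in ACLs that the ASA actually pushes to VPN clients, since an inactive ACE in an interface ACL is unaffected while one in a split-tunnel or client-firewall ACL is. The script below is an added example, not code from the bug page or from Cisco: it parses `show running-config` for `split-tunnel-network-list value <ACL>` and `anyconnect firewall-rule client-interface public|private value <ACL>` references in group-policies (command syntax assumed from standard ASA group-policy configuration), then scans `show access-list` output for ACEs carrying the `inactive` marker. The two sample captures are constructed, and the `(hitcnt=N) 0x...` trailer format is assumed from typical ASA output.

```python
"""Audit an ASA for inactive ACEs in ACLs that are pushed to VPN clients.

Added example, not from the Cisco bug page. The running-config commands and
the 'show access-list' line format are assumed from typical ASA output; the
sample captures below are constructed for illustration.
"""
import re
from collections import defaultdict

# group-policy sub-commands whose argument is an ACL sent to the client.
# Command names assumed from standard ASA group-policy / webvpn syntax.
REF_PATTERNS = [
    (re.compile(r"^\s*split-tunnel-network-list value (\S+)"), "split-tunnel"),
    (re.compile(r"^\s*anyconnect firewall-rule client-interface "
                r"(?:public|private) value (\S+)"), "client-firewall"),
]

# 'show access-list' ACE line: access-list NAME line N <ace body> (hitcnt=N) 0x<hash>
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*)$")
TRAILER_RE = re.compile(r"\s*\(hitcnt=\d+\).*$")

# Constructed sample of 'show running-config' (relevant lines only).
RUNNING_CONFIG = """\
access-list SPLIT_ACL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_ACL standard permit 10.99.0.0 255.255.0.0 inactive
access-list CLIENT_FW extended permit tcp any any eq 3389
access-list CLIENT_FW extended deny ip any any inactive
access-list LAN_IN extended permit ip any any inactive
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
 webvpn
  anyconnect firewall-rule client-interface public value CLIENT_FW
"""

# Constructed sample of 'show access-list' for the same ACLs.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list SPLIT_ACL; 2 elements; name hash: 0x1a2b3c4d
access-list SPLIT_ACL line 1 standard permit 10.10.0.0 255.255.0.0 (hitcnt=0) 0x11111111
access-list SPLIT_ACL line 2 standard permit 10.99.0.0 255.255.0.0 inactive (hitcnt=0) 0x22222222
access-list CLIENT_FW; 2 elements; name hash: 0x5e6f7a8b
access-list CLIENT_FW line 1 extended permit tcp any any eq 3389 (hitcnt=0) 0x33333333
access-list CLIENT_FW line 2 extended deny ip any any inactive (hitcnt=0) 0x44444444
access-list LAN_IN; 1 elements; name hash: 0x9c0d1e2f
access-list LAN_IN line 1 extended permit ip any any inactive (hitcnt=0) 0x55555555
"""


def referenced_acls(running_config: str) -> dict:
    """Map ACL name -> set of purposes for which the ASA pushes it to clients."""
    refs = defaultdict(set)
    for line in running_config.splitlines():
        for pattern, purpose in REF_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].add(purpose)
    return dict(refs)


def inactive_aces(show_access_list: str) -> list:
    """Return (acl, line_no, ace_body) for every ACE flagged 'inactive'."""
    found = []
    for line in show_access_list.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # summary / header lines, not ACEs
        acl, line_no, body = m.group(1), int(m.group(2)), m.group(3)
        body = TRAILER_RE.sub("", body).strip()
        if re.search(r"\binactive\b", body):
            found.append((acl, line_no, body))
    return found


def audit(running_config: str, show_access_list: str) -> list:
    """Inactive ACEs that an affected ASA would still push to VPN clients.

    ACLs not referenced by a split-tunnel or client-firewall setting (e.g. an
    interface ACL) are deliberately ignored: the bug concerns pushed ACLs only.
    """
    refs = referenced_acls(running_config)
    findings = []
    for acl, line_no, body in inactive_aces(show_access_list):
        if acl in refs:
            findings.append({"acl": acl, "line": line_no, "ace": body,
                             "pushed_as": sorted(refs[acl])})
    return findings


if __name__ == "__main__":
    for f in audit(RUNNING_CONFIG, SHOW_ACCESS_LIST):
        print(f"{f['acl']} line {f['line']} ({', '.join(f['pushed_as'])}): {f['ace']}")
```

Run against real captures by replacing the two constructed strings with the output of `show running-config` and `show access-list`. On an affected release every ACE the script reports is one the client will receive despite being marked inactive, so each one needs to be either deleted or consciously accepted rather than left disabled; the interface ACL `LAN_IN` in the sample is correctly left out because the ASA never sends it to the client.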