Cisco Bug: CSCuo03569 - VPN client firewall and split-tunneling mishandle "inactive" acl rules
Nov 27, 2020
- Cisco Adaptive Security Appliance (ASA) Software
Known Affected Releases
Symptom: If the access-list has inactive entries (i.e. an access-list entry is disabled through ASDM; check with `show access-list <name> | include inactive`), they are sent as part of the client-side firewall or split-tunneling rules.

Conditions:

For client-side firewall rules:
- ASA is configured as SSLVPN / IKEv2 server, and AnyConnect clients connect to the ASA.
- ASA has AnyConnect Client firewall rules that are pushed to the client every time it connects.

For split-tunneling rules:
- ASA is configured as SSLVPN, IKEv2, or IKEv1 headend.
- ASA has `split-tunnel-network-list` configured to point to an access-list that has inactive entries.
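A quick audit for the split-tunneling condition above, added here as an example and not part of the Cisco bug record: it parses `show running-config` group-policy sections for `split-tunnel-network-list value <ACL>` and correlates them with `show access-list` output, reporting any group-policy whose split-tunnel ACL carries an entry marked `(inactive)` and would therefore be pushed to clients under this bug. The sample output is constructed, and the exact line layout of `show access-list` (the `line N ... (inactive)` form) is assumed; the AnyConnect client-firewall ACL reference is not covered because its configuration syntax is not on the page.

```python
"""Flag inactive ACEs in ACLs referenced by split-tunnel-network-list (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of the relevant "show running-config" fragments.
SHOW_RUN = """\
group-policy GP_Sales attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL
group-policy GP_Eng attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ENG_SPLIT
"""

# Constructed sample of "show access-list" output; the "(inactive)" marker and
# "line N" layout are assumed to match what the ASA prints.
SHOW_ACCESS_LIST = """\
access-list SPLIT_ACL; 3 elements; name hash: 0x1a2b3c4d
access-list SPLIT_ACL line 1 standard permit 10.10.0.0 255.255.0.0 (hitcnt=42) 0x11111111
access-list SPLIT_ACL line 2 standard permit 10.20.0.0 255.255.0.0 (hitcnt=0) (inactive) 0x22222222
access-list SPLIT_ACL line 3 standard permit 192.168.50.0 255.255.255.0 (hitcnt=7) 0x33333333
access-list ENG_SPLIT; 1 elements; name hash: 0x5e6f7a8b
access-list ENG_SPLIT line 1 standard permit 172.16.0.0 255.240.0.0 (hitcnt=3) 0x44444444
"""

GP_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
STNL_RE = re.compile(r"^\s*split-tunnel-network-list value (\S+)\s*$")
# Only per-entry lines match; the "access-list NAME; N elements" summary does not.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.+)$")


def split_tunnel_acls(show_run: str) -> Dict[str, str]:
    """Map each group-policy to the ACL named by its split-tunnel-network-list."""
    result: Dict[str, str] = {}
    current = None
    for line in show_run.splitlines():
        m = GP_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = STNL_RE.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def inactive_aces(show_access_list: str) -> Dict[str, List[Tuple[int, str]]]:
    """Collect (line number, rule text) for every ACE marked inactive, keyed by ACL."""
    result: Dict[str, List[Tuple[int, str]]] = {}
    for line in show_access_list.splitlines():
        m = ACE_RE.match(line)
        if m and "(inactive)" in m.group(3):
            result.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    return result


def affected_policies(show_run: str, show_access_list: str) -> List[Tuple[str, str, int, str]]:
    """Return (group-policy, ACL, line number, rule) for each inactive ACE that would
    be pushed to VPN clients as a split-tunnel rule."""
    inactive = inactive_aces(show_access_list)
    findings: List[Tuple[str, str, int, str]] = []
    for policy, acl in sorted(split_tunnel_acls(show_run).items()):
        for line_no, rule in inactive.get(acl, []):
            findings.append((policy, acl, line_no, rule))
    return findings


if __name__ == "__main__":
    for policy, acl, line_no, rule in affected_policies(SHOW_RUN, SHOW_ACCESS_LIST):
        print(f"{policy}: {acl} line {line_no} is inactive but will be pushed: {rule}")
```

Until the headend runs a fixed release, the practical mitigation is to remove inactive entries from any ACL referenced this way (or move them to an ACL that is not pushed to clients) rather than relying on the inactive flag.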