Rocket U2 | UniVerse & UniData

 SB Client VPN and Cisco Firewall

posted 04-15-2021 16:53

Good Evening all.

Hopefully the collective minds on here will help with a conundrum I have.

We have for several years been using Watchguard for our firewalls, and the remote users happily instigated a Windows PPTP VPN connection and used their SB Client to access our UniVerse DB.

However, in light of a security review and the current increased security threats that blight our everyday activity, we have now deployed Cisco 1140 firewalls (in place of the Watchguards) and rolled out Cisco AnyConnect to enable the new VPN connection and remove the Windows PPTP security issues.

This has created a few issues in that some of the remote users intermittently lose their SB Client Telnet Connection and leave a dead session on the server.

Not only is this tiresome for the users it could potentially lead to data loss.

We did not have this issue with the Windows VPN connected to the Watchguards.

So my question is: does anyone else out there use SB Client (Telnet) via a Cisco AnyConnect managed VPN/firewall, and what additional config did you need to deploy on the SB Client, Cisco firewall or UV server to ensure the SB Client session did not drop out?

For reference, we are using SB Client V6.3.1 and are connecting to a UV database on 11.2.5.

I'd be grateful for any suggestions you may have to resolve this, and any other suggestions for suitable secure methods of enabling an SB Client Telnet connection that does not rely on a PPTP VPN.

Many Thanks

Andy

Best Answer
Hi Andy,

Here is the documentation for what we use:

ASDM Book 2: Cisco ASA Series Firewall ASDM Configuration Guide, 7.9

See below for a screenshot of ours.

Henry
We've been using Cisco AnyConnect for years to connect to UniVerse via telnet and ssh without a problem, using our own telnet/ssh client as opposed to SB Client. I can't imagine what would be in SB Client that would cause an issue running over a Cisco AnyConnect VPN. We're using AnyConnect in conjunction with TOTP to provide additional security.

You do want to ensure that there are no timers configured in the Cisco 1140 that would terminate the TCP socket based on connect time or idle time. We have seen connections being unceremoniously terminated with such timers.

You may want to run Wireshark on the client side and on the server side to see what's happening.

Thanks Henry,

That is very helpful.

As the Cisco 1140 is one of the new breed of firewalls, and mainly uses a GUI to update the config, I don't suppose you or your colleagues can steer us in the direction of which TCP timer settings we should start to update?

We have Wireshark running on the UniVerse server and Cisco AnyConnect DART running on a couple of the clients.

We can see the failures but not yet the root cause.

Many thanks

Andy

Hello Andy

We use Cisco AnyConnect Secure Mobility Client. We have many thousands of SBClient connections over these Cisco VPN connections with no issue.
A little while ago, our security team decided to implement stricter security measures, resulting in hundreds of SBClient connections being lost a day.
The Idle Timeout Policy was changed to 10 minutes. Is it possible your 1140 has an idle timeout policy that is causing your issue?

Nik Kesic
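As an added illustration of the idle-timeout diagnosis Henry and Nik describe above (example code, not from the thread, Rocket or Cisco): the script groups packets from a constructed tshark-style capture of the UniVerse telnet port by session and flags the sessions whose longest silence exceeds the 10-minute policy, which is what would leave a dead session on the server. The addresses, timestamps and the capture format are assumed sample data.

```python
from collections import defaultdict

# Constructed sample in the form "epoch_seconds src:port dst:port", as a
# tshark export of the UniVerse telnet port might look. Session 10.8.0.5 keeps
# talking, 10.8.0.6 is silent for 12 minutes, 10.8.0.7 for exactly 10 minutes.
SAMPLE_CAPTURE = """\
1000.0 10.8.0.5:51000 192.0.2.10:23
1030.0 10.8.0.5:51000 192.0.2.10:23
1090.0 10.8.0.5:51000 192.0.2.10:23
1000.0 10.8.0.6:51001 192.0.2.10:23
1720.0 10.8.0.6:51001 192.0.2.10:23
1000.0 10.8.0.7:51002 192.0.2.10:23
1600.0 10.8.0.7:51002 192.0.2.10:23
"""

# The 10-minute idle timeout policy mentioned in the thread.
IDLE_TIMEOUT_SECONDS = 10 * 60


def parse_capture(text):
    """Group packet timestamps by (client, server) endpoint pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        sessions[(src, dst)].append(float(ts))
    return sessions


def longest_idle_gap(timestamps):
    """Longest silent interval between consecutive packets of one session."""
    ordered = sorted(timestamps)
    return max((b - a for a, b in zip(ordered, ordered[1:])), default=0.0)


def sessions_exceeding_timeout(text, idle_timeout=IDLE_TIMEOUT_SECONDS):
    """Sessions whose silence exceeded the firewall idle timeout: these are
    the ones the firewall would have torn down, leaving a dead UniVerse
    session on the server."""
    return sorted(key for key, ts in parse_capture(text).items()
                  if longest_idle_gap(ts) > idle_timeout)


if __name__ == "__main__":
    for src, dst in sessions_exceeding_timeout(SAMPLE_CAPTURE):
        print(f"{src} -> {dst}: idle longer than {IDLE_TIMEOUT_SECONDS}s")
```

Comparing the flagged sessions against the server's dead-session list tells you whether the firewall idle timer, rather than the client, is what is dropping users.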

Thanks Henry and Nik,

Changing the timeout has worked, and we have not had any drop-outs all week.

Thanks again for your help

Andy