Cisco VPN will not work with running CPF

Hello,

I can’t find anything about my problem in this forum. If I try to connect to a VPN server via the Cisco VPN Client, I don’t get any connection. CPF’s logs first showed that fragmented IP packets are not allowed, so I allowed them and hope my computer is still safe.
But the second log entry has the following reason:

Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packets)
Reason: UDP packet length and the size on the wire (2008 bytes) do not match

And I’m sure I don’t have any malware or spyware on my computer. And I don’t want to disable the protocol analysis.

What can I do?

G’day and welcome to the Comodo forums.

Below are some Application Monitor rules, Network Monitor rules and Advanced settings that have been tested and proven successful with Cisco’s VPN. No guarantee that they will work in your environment, but it’s a good starting point.


Application Control Rules (SECURITY-APPLICATION MONITOR)

  1. Application: C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
     Parent: C:\WINDOWS\system32\services.exe
     General: Allow, TCP/UDP, In/Out
     Destination IP: Any
     Destination Port: Any
     Miscellaneous: check “Allow invisible connection attempts” and “Skip Advanced Security Checks”

  2. Application: C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
     Parent: C:\WINDOWS\explorer.exe
     General: Allow, TCP/UDP, In/Out
     Destination IP: Any (or the IP addresses of the initial contact point)
     Destination Port: Any
     Miscellaneous: check “Allow invisible connection attempts” and “Skip Advanced Security Checks”

  3. Application: C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
     Parent: Skip Parent
     General: Allow, TCP/UDP, In/Out
     Destination IP: Any
     Destination Port: Any
     Miscellaneous: check “Allow invisible connection attempts” and “Skip Advanced Security Checks”

  4. Application: C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
     Parent: Skip Parent
     General: Allow, TCP/UDP, In/Out
     Destination IP: Any
     Destination Port: Any
     Miscellaneous: check “Allow invisible connection attempts” and “Skip Advanced Security Checks”


Network Control Rules (SECURITY-NETWORK MONITOR)

Action: Allow
Protocol: UDP
Direction: In
SourceIP: Any
Destination IP: Single IP (127.0.0.1)
Source Port: Any
Destination Port: Any


On the Advanced Box / Miscellaneous (SECURITY-ADVANCED)

Uncheck “Do Packet Checksum Verification”


Hope this helps,
Ewen :slight_smile:
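The log line quoted at the top of the thread (“UDP packet length and the size on the wire (2008 bytes) do not match”) is the kind of verdict a per-packet protocol analyser produces when it compares the UDP header’s length field against the bytes it actually received. The following is an added illustration, not code from the thread, from Comodo or from Cisco: it builds a UDP datagram with a valid checksum, fragments it the way IPv4 does, and then runs the same length and checksum checks a firewall would. A 2000-byte payload gives a 2008-byte datagram, so the first fragment (1480 bytes of UDP after a 20-byte IP header) carries a header claiming 2008 bytes; a checker that does not defer until reassembly flags exactly that. The addresses, the MTU, the verdict strings and the `fragment_aware` switch are assumptions made for the example.

```python
"""Per-packet UDP sanity checks plus an IPv4 fragmenter, to show why a large
IKE/NAT-T datagram can trip a "length does not match" check.

Everything here is constructed for illustration; addresses, MTU and verdict
names are assumptions, not Comodo's or Cisco's implementation."""
import ipaddress
import struct
from typing import Dict, List, Optional

UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def udp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes,
                length_field: Optional[int] = None) -> bytes:
    """Build a UDP segment. length_field lets a test forge a wrong length
    while keeping the checksum valid for the forged header."""
    length = 8 + len(payload) if length_field is None else length_field
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, UDP, length))
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(pseudo + header + payload) or 0xFFFF  # 0 means "no checksum"
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def ipv4_packets(src: str, dst: str, segment: bytes,
                 mtu: int = 1500, ident: int = 0x1234) -> List[bytes]:
    """Wrap a segment in IPv4, fragmenting at the MTU. Only the first fragment
    carries the UDP header, exactly as on the wire."""
    srcp, dstp = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    chunk_size = (mtu - 20) // 8 * 8          # fragment offsets are in 8-byte units
    packets, offset = [], 0
    while True:
        chunk = segment[offset:offset + chunk_size]
        more = offset + len(chunk) < len(segment)
        flags_frag = (0x2000 if more else 0) | (offset // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, UDP, 0, srcp, dstp)
        hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
        packets.append(hdr + chunk)
        offset += len(chunk)
        if not more:
            return packets


def analyze(packet: bytes, fragment_aware: bool = True) -> str:
    """Verdict for one IPv4 packet. With fragment_aware=False the UDP length
    check is applied to every packet on its own, which is the behaviour that
    flags legitimate fragmented datagrams."""
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if checksum(packet[:ihl]) != 0:
        return "bad-ip-checksum"
    if len(packet) != total_len:
        return "ip-length-mismatch"
    if packet[9] != UDP:
        return "not-udp"
    is_fragment = bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0
    if is_fragment and fragment_aware:
        return "fragment"            # defer UDP checks until reassembly
    udp = packet[ihl:]
    if len(udp) < 8:
        return "udp-truncated"
    _sport, _dport, udp_len, csum = struct.unpack("!HHHH", udp[:8])
    if udp_len != len(udp):
        return "udp-length-mismatch"
    pseudo = packet[12:20] + struct.pack("!BBH", 0, UDP, udp_len)
    if csum and ones_complement_sum(pseudo + udp) != 0xFFFF:
        return "bad-udp-checksum"
    return "ok"


def demo() -> Dict[str, object]:
    """Constructed NAT-T style traffic on UDP 4500 (RFC 5737 test addresses)."""
    src, dst = "192.0.2.10", "203.0.113.5"
    big = ipv4_packets(src, dst, udp_segment(src, dst, 4500, 4500,
                                             bytes(i % 256 for i in range(2000))))
    small = ipv4_packets(src, dst, udp_segment(src, dst, 4500, 4500, b"\xffISAKMP"))
    forged = ipv4_packets(src, dst, udp_segment(src, dst, 4500, 4500, b"\xffISAKMP",
                                                length_field=2008))
    return {
        "fragments": len(big),
        "first_fragment_reassembly_aware": analyze(big[0]),
        "first_fragment_per_packet": analyze(big[0], fragment_aware=False),
        "small_datagram": analyze(small[0]),
        "forged_length": analyze(forged[0]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run it and the 2008-byte datagram splits into two packets; the first is reported as a fragment by the reassembly-aware path but as a UDP length mismatch by the per-packet path, while a genuinely forged length field on a small datagram is caught by both. That is the trade-off behind turning protocol analysis off for the VPN: the same check catches malformed packets and legitimate fragmented IKE traffic alike unless fragments are reassembled first.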

Hello Ewen,

thank you very much for your posting. Before I configured the firewall as you described, I got the log messages for a specific IP address, and the same entries with the same IP address and port 4500 (xxx.xxx.xxx.xxx:4500).
Now, after the configuration, the log entries only show the blocked IP addresses with port 4500. The reason is the UDP packet length again.

I did all steps you told me (port: any). Have you any idea what the reason could be?

You could try turning off “Do packet analysis” in SECURITY-ADVANCED-ADVANCED ATTACK PREVENTION AND DETECTION-MISCELLANEOUS

Hope this helps,
Ewen :slight_smile:

Hello,

I have a “Do protocol analysis” option there, and if I uncheck it, Cisco VPN works, but I’m not sure if my system will be safe when it’s deactivated.

The protocol analysis check compares the packet structure against the defined standards. Some apps deliberately send malformed packets, or use a non-standard characteristic. There is no rule that says you HAVE to stick to standards, but it’d be really handy if everyone did, though. :wink:

You could simply turn this option on or off as needed.

Cheers,
Ewen :slight_smile:

Thank you! That’s great. :slight_smile: