COVID-19 Superthread: Discuss your BCP/VPN questions here!

Hi All,
In order to stem off a flood of questions related to COVID-19, BCP, and VPN questions/comments we are asking that everyone posts them in this thread. We’ll keep this sticky available for the next few weeks. Any other threads related to BCP/VPN will be removed without question. Thanks!

/r/networking Moderators

P.S. - We will remove the TCP/TLS Handshake joke without mercy. Post that in /r/networkingmemes

Methinks this subreddit didn’t have a DR plan so it just locked the existing thread and started one once someone started asking about it.

Sounds a lot like my office, really.

Hope y’all got your SSLVPN vulnerabilities all patched up.

For those who don’t already have a solution, there is free/expanded Webex/AnyConnect/Duo and Umbrella:

https://blogs.cisco.com/security/cisco-expands-free-security-offerings-to-help-with-rise-in-remote-workers

https://blog.webex.com/video-conferencing/cisco-webex-supporting-customers-during-this-unprecedented-time/

Dumb question, is BCP business continuity plan in this context?

Split tunneling question:

Cisco ASA, only 10.0.0.0/8 tunneled.

When dialed in Outlook 365 is unable to connect. Also the Active Directory explorer stops working. Seems like it doesn’t realise I am joined to the domain. DNS is working though and I see the domain populated on the interface stats. When I disconnect O365 works and when I use full tunnel everything works.

Any guesses?

How many nexus 9ks can I get for three rolls of toilet paper and a 10oz bottle of hand sanitizer?

At the risk of Mod Abuse! claims, I’d recommend reading this as a good intro to some of the questions that you or your company should be asking in the event of requiring the whole company to WFH:

COVID-19 and Remote Access Questions

Free/Discounted Resources from Vendors:

| Vendor | Product | Link | Reddit Contributor |
|---|---|---|---|
| Aruba Networks | Healthcare Connectivity Bundle | Link | /u/kholmgrl1 |
| Checkpoint | Remote Access VPN | Link | /u/bangbinbash |
| Cisco | Umbrella/Duo/AnyConnect | Link | /u/Maximumdijkstra |
| Cisco | Webex | Link | /u/Maximumdijkstra |
| Cloudflare | Cloudflare for Teams | Link | /u/OhMyInternetPolitics |
| Cohesive Networks | Remote Access VPN for teams | Link | /u/bob84900 |
| Juniper | Mist Wireless APs + Controller + SRX + 4g Card for Healthcare BC | Link | /u/OhMyInternetPolitics |
| Google | Hangouts Meet Advanced | Link | /u/OhMyInternetPolitics |
| LogMeIn | Meet/Host/Access/Support | Link | /u/jerikatt |
| Manage Engine | Access Manager Plus, Remote Access Plus | Link | /u/sarahjhombe |
| Megaport | Port fees waived for 6 months for certain business sectors | Link | /u/UDP4789 |
| Microsoft | Teams | Link | /u/OhMyInternetPolitics |
| NetFoundry | NaaS Zero Trust | Link | /u/realtime-mike |
| PacketFabric | Private Interconnect Services | Link | Anonymous |
| Palo Alto Networks | GlobalProtect/Prisma | Link | /u/DarrenRoskow |
| Pulse Secure | Pulse Connect Secure | Link | /u/OhMyInternetPolitics |
| UTunnel | 10 Free Users for 6 Months on first install | Link | /u/tomzdeenigma |
| ThousandEyes | End-User Monitoring Features | Link | /u/iyerintel |
| Zscaler | ZPA | Link | /u/OhMyInternetPolitics |


If you have any additional resources/license extensions/offers from companies, please add them below and I’ll include them in this list!

Does anyone have any docs / kb articles or guidance on configuring something like per-IP traffic policing on an ASA for AnyConnect clients? Essentially the idea would be limit individual connected clients to X mbps per client (i.e. per IP) to prevent individual users from saturating the WAN link on the firewall. Particularly this could be useful for scenarios where full-tunneling is enabled. It might help mitigate the scenario where a few users are running netflix/youtube in the background and monopolizing bandwidth.

I’m honestly at the point where I’m worried that the Residential ISPs won’t have enough infrastructure in place to support many people working from home, at least not for consistent VOIP.

Good idea to focus this stuff here.

/r/sysadmin could do with a similar solution.

I am expanding our Palo Alto GlobalProtect gateways to support 1 Gbps per 500 remote users. We have some pencil plans to expand into Azure if necessary. Network engineers have essential jobs; we must keep the networks and internet online. Netflix/Hulu/carrier engineers, I believe in you!

We’re currently using a Meraki MX64 for a network that has outgrown it, which is becoming increasingly problematic as we move toward enabling telework for everyone in the company during the COVID-19 outbreak. I’m currently leaning toward an MX84, but would like to hear suggestions from the community. We’re sitting at around 200 clients internally on a daily basis, and I imagine around 30-40 people will work from home if/when the decision is made to do so.

I’m interested in your suggested alternatives to the MX84. I would like to stay away from a lot of CLI, as the cloud managed solution has been very helpful. This isn’t my only gig, so I try to keep things as simple and hands-off as possible, where I can, and want to maintain NG FW features.

So far, I have only taken a cursory look at pfSense/Netgate. Sentiments I’ve read seem high, but reddit has always been a great way to crowdsource experienced opinion, and I’d love to hear yours.

LogMeIn is offering 3 months of free org-wide use of many of their products geared toward remote work: https://www.gotomeeting.com/work-remote

Pulse Secure Shop Information:

We just purchased two ICE licenses for our A/P cluster. Pulse gave a nice discount (about 50% off) for them. We were given two “temporary” ICE licenses to use until Pulse processes the “right to use” and gives us the permanent licenses. For those that may not know, an ICE (in case of emergency) license allows you to burst your appliance to max. capacity (for us, that is 2,500 users) for a period of 8 weeks.

TIL today:

  1. The temporary ICE licenses start ticking the moment you add them! They don’t have a start/stop function like a permanent ICE license. You may want to wait to apply them when you actually need them vs. having them ticking down like I did.
  2. Not sure if anyone else has thought this through, but with TWO ICE licenses, you get the opportunity to use them one at the time by switching the active to passive > passive to active (not sure if that part is even required yet as it may just pull from the total pool of licenses).
  3. With permanent ICE licenses, you have the option to start/stop the timer. That said, if your user count drops below your original license count, you can stop/start the ICE license based on user demand. This can extend your ICE license for a longer period of time if you are willing to stay on top of user count. I’m working on getting a SIEM alert configured for our total user count to help us manage this.
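The start/stop bookkeeping from point 3 above, as an added example that is not part of the original post: a small tracker that counts the 8-week ICE budget down only while concurrent users exceed the normal license, and raises a near-capacity alert for the SIEM. The base license of 1,000 users, the 90% alert threshold and the sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ICE_BUDGET = timedelta(weeks=8)   # the post: ICE bursts to max capacity for 8 weeks


@dataclass
class IceLicenseTracker:
    base_users: int                          # normal concurrent-user license (assumed)
    remaining: timedelta = ICE_BUDGET        # unused ICE time on the permanent license
    running_since: Optional[datetime] = None # set while the ICE timer is ticking
    events: list = field(default_factory=list)

    def remaining_at(self, now: datetime) -> timedelta:
        """ICE time left at 'now'; it only counts down while the timer runs."""
        if self.running_since is None:
            return self.remaining
        return max(self.remaining - (now - self.running_since), timedelta(0))

    def observe(self, now: datetime, users: int) -> Optional[str]:
        """Feed one concurrent-user sample; return the action/alert it implies."""
        over_base = users > self.base_users
        if over_base and self.running_since is None:
            if self.remaining <= timedelta(0):
                return "EXHAUSTED"             # no ICE time left to start
            self.running_since = now
            self.events.append((now, "START", users))
            return "START"
        if not over_base and self.running_since is not None:
            self.remaining = self.remaining_at(now)   # bank the unused time
            self.running_since = None
            self.events.append((now, "STOP", users))
            return "STOP"
        if not over_base and users >= 0.9 * self.base_users:   # assumed threshold
            return "ALERT_NEAR_CAP"
        return None


def simulate(base_users: int, samples):
    """Run constructed (timestamp, users) samples through a fresh tracker."""
    tracker = IceLicenseTracker(base_users)
    return tracker, [(ts, tracker.observe(ts, n)) for ts, n in samples]


T0 = datetime(2020, 3, 16, 8, 0)
SAMPLES = [  # constructed WFH-surge data, not real appliance counts
    (T0, 800), (T0 + timedelta(hours=1), 950), (T0 + timedelta(hours=2), 1400),
    (T0 + timedelta(days=3), 1900), (T0 + timedelta(days=5), 900),
    (T0 + timedelta(days=12), 1200),
]

if __name__ == "__main__":
    tracker, actions = simulate(1000, SAMPLES)
    print([(ts.isoformat(), a) for ts, a in actions if a])
    print("ICE time left:", tracker.remaining_at(T0 + timedelta(days=14)))
```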

Couple questions around an expanded address pool and NAT for Anyconnect VPN:

  1. Do I need the first line (inside to out) when I have the 2nd, for a hairpin NAT? I don’t need NAT going inbound. Found we had to add the 2nd line where the first worked before for hairpin (different IP space for pool)

nat (inside,outside) source static any any destination static vpn-pool vpn-pool no-proxy-arp route-lookup

nat (outside,outside) source dynamic vpn-pool x.x.x.x destination static ANY-Out ANY-Out (x.x.x.x is our outside interface IP)

  2. Anyone know of a reason why a VPN pool will, under load, quit handing out addresses for VPN? We went from a /23 to a /20 last night; at 7am this morning it quit handing out IPs. All I can think of is a defect, as we didn’t recreate the pool, just modified it from subnet A to subnet B. Changing it back fixed it instantly.

If you are looking to scale your VPN infrastructure you may want to take a look at leveraging public cloud. It is going to be nearly impossible to purchase, receive, install and put new firewalls or VPN appliances into production. Need to upgrade your Internet circuit? Forget about it. Even if you aren’t using public cloud, this is a really good use case.

There are a few ways to do this with AWS, Azure, and GCP.

For AWS, check out the video on using AWS for corporate VPN, this is from re:Invent in 2015: https://www.youtube.com/watch?v=EqVpsnAen5I
For Azure, the virtual WAN architecture using a P2S VPN client combined with ExpressRoute to the data center can work as well: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-global-transit-network-architecture#globalnetworktransit

Rumor has it if you put a roll of toilet paper in your MDF, you’re automatically protected from any vulnerabilities.

We use FortiGate for our VPN. Does anybody know how to avoid downloading from their slow installer/downloader for the VPN client?