Blocking QUIC Application Leads to Impacted Performance for Cisco AnyConnect VPN

Created On 01/24/21 00:54 AM - Last Modified 07/22/23 03:55 AM


Symptom


  • Deployments with Palo Alto Networks firewalls where a Security Policy rule denies QUIC traffic (app-id QUIC) while Cisco AnyConnect VPN traffic traverses the firewall.
  • With that rule in place, Cisco AnyConnect users experience an immediate disconnect and reduced speed for new connections.
Note: QUIC (app-id QUIC) carries protections beyond TLS (app-id SSL) that cause a loss of visibility with decryption; blocking QUIC is the usual way to mitigate that loss.


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1
  • Security Policy
  • QUIC application
  • Cisco AnyConnect VPN


Cause


  • Cisco AnyConnect relies on DTLS, a secure protocol designed to give UDP traffic security equivalent to TLS. Like QUIC, it runs over UDP port 443.
  • As soon as a security rule that blocks QUIC is in place, this critical DTLS traffic is blocked as well, which causes the disconnects and slowness above.
[Image: security policy rule with Cisco AnyConnect slowness]


Resolution


  1. Create an additional security policy rule, placed above the rule that blocks QUIC, that allows app-id DTLS on UDP port 443.
  2. Commit the changes.
[Image: security policy with the DTLS allow rule above the QUIC block rule]
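The two-rule arrangement from the resolution, written out as PAN-OS configure-mode CLI. This is an added example and not part of the original article; the rule names, zone names and the service-object name are assumptions, while the app-ids (quic, dtls) and UDP port 443 come from the article. Lines starting with # are explanatory and are not CLI input.

```text
# Enter configuration mode.
configure

# 1. Service object for UDP 443: DTLS shares this port with QUIC,
#    so the allow rule is scoped to app-id dtls, not to the port alone.
set service udp-443 protocol udp port 443

# 2. Allow rule for the AnyConnect DTLS tunnel (zone names assumed).
set rulebase security rules Allow-AnyConnect-DTLS from trust to untrust source any destination any application dtls service udp-443 action allow

# 3. The existing QUIC block rule, shown for completeness.
set rulebase security rules Block-QUIC from trust to untrust source any destination any application quic service any action deny

# 4. Ordering is the actual fix: the rulebase is evaluated top-down with
#    first match, so the DTLS allow rule must sit above the QUIC deny rule.
move rulebase security rules Allow-AnyConnect-DTLS before Block-QUIC

# 5. Commit and leave configuration mode.
commit
exit

# Verification: active AnyConnect sessions should now be identified as
# dtls and show Allow-AnyConnect-DTLS as the matched rule, not Block-QUIC.
show session all filter application dtls
```

If sessions still show the QUIC rule as matched, check that the allow rule really sits above the block rule in the rulebase, since the move is what changes the outcome.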

