Reset Search
 

 

Article

KB21644 - Is there a VPN Tunneling Access Control List (ACL) limit and how can it be calculated and optimized?

« Go Back

Information

 
Last Modified Date11/20/2015 6:10 PM
Synopsis
This article provide information about the limitations with VPN Tunneling Access Control List and how to calculate and optimize the ACL count.
Problem or Goal
The Network Connect and Pulse Secure Client(s) are unable to establish a connection and obtain an Internet Protocol (IP) address if the number of ACL(s) have exceeded the recommended limit. This article provides information about the VPN tunneling ACL limitations, how the ACL(s) can be calculated and optimized.
Cause
When a VPN tunnel is created to a Pulse Connect Secure device the following occurs:
  1. The VPN user ACL(s) are converted into an iptables rule.
  2. The iptables rule is added to the PCS device’s kernel iptables module. 
  3. The PCS will generate a single set of ACL(s) for all users with the same combination of ACL polices. 
  4. The PCS appliance will periodically calculate the number of ACL(s) for the active VPN tunnels and print this information in the user access log.
 
Once the ACL count for the active VPN tunnels exceed the recommended ACL Count, 60K, the following two issues may result:
  1. The VPN tunneling clients, Network Connect and Pulse Secure Client, will be unable to establish a connection and obtain an Internet Protocol (IP) address.
  2. The ACL count printed in the user access logs may become out of sync with the iptables module and may not be accurate. 
Solution

To avoid log sync issues, memory exhaustion, or the inability to create new VPN tunnels, it is important to monitor the ACL count in the user access logs (System > Log/Monitoring > User Access) to ensure that it does not exceed 60,000.  The ACL count will be updated after each VPN user logs in.  

Example:
Info ERR24670 2011-08-17 01:37:19 - ive - [192.168.20.10] PulseSecure\test(PCS)[TEST] - Network Connect: ACL count = 10.

Starting in 8.2R1 or above, a new feature called Access Control List (ACL) Count Enforcement will deny new VPN Tunneling after the 60,000 ACL limit has been exceeded.  To enable this feature, navigate to System > Configuration > VPN Tunneling and click on the Enable option.  By default, this option is disabled.
 

What is the purpose of ACLs and how do they work?
 
The VPN Tunneling ACL is resource policy that controls resources users can connect to when using VPN tunneling. In the admin console, choose Users > Resource Policies > VPN Tunneling > Access Control.When a VPN tunnel connection is made to a Pulse Connect Secure(PCS) device, ACL(s) are converted into an iptables rule and added to the PCS device’s kernel iptables module. The kernel evaluates these rules before determining whether to allow the transmission of any packet to or from a vpn client or a backend resource.
 
Two iptables rules are generated for each ACL entry:

  • The first iptables rule governs traffic destined for backend servers
  • The second iptables rule governs the response back to the client.

How is the ACL count determined?
For optimization, Pulse Connect Secure will generate a single set of ACLs for all users with the same combination of ACL policies.  
Consider the following example of ACL configurations: 

  • 5 ACLs apply to ROLE1
  • 5 ACLs apply to ROLE2
  • 5 ACLs apply to ROLE3
In this example, imagine a PCS has just one active VPN connection, and this connection is from a user mapped to ROLE1 and ROLE2.  In this case, the ACL count is (5 + 5) = 10.   If a second user who is also mapped to ROLE1 and ROLE2 creates a VPN connection, then the ACL count will remain at 10.  However, if a third user who is mapped to ROLE1 and ROLE3 establishes a VPN connection to the gateway, then the ACL count will increase by 10 for a total of 20 ACLs. If the PCS administrator configures many role mapping rules and VPN client users are connecting with a variety of unique roles combinations, then the ACL count for VPN Tunneling will quickly increase in size.

If multiple users are logged in using the same combination of ACLs, ACL count will remain constant until all applicable users have logged out from the system.  If we refer to the previous example, if multiple users are mapped to ROLE1 and ROLE2, the ACL count will remain 10 until all users mapped to ROLE1 and ROLE2 have logged out.  Also note that any modifications to the ACL policies with a high ACL count should be carefully considered before applying any changes.  Any ACL modification only applies to VPN connections established after the ACL policy change.  As such, ACL count will increase due to the new set of ACLs until all users associated with the old ACL set has completely logged out.

What can I do to restore VPN client connectivity?
Reboot the PCS appliance as this will remove existing iptable rules in the system and clean up the kernel memory. This is only a short-term resolution. If no action is taken to reduce the total number of ACL(s) and unique ACL combinations for each user, then this issue will again re-occur. Please see remediation steps listed in the next section below to prevent re-occurrence. 

How can I prevent these issues from re-occurring again in the future?
Apply the suggested ACL optimization changes listed below during non-peak hours. This will reduce the amount of ACL(s) which can be generated on the PCS. 
  1. Make sure to have all users disconnect any active VPN connections (if possible) before applying any ACL optimization changes.
  2. Review your role mapping rules and try to minimize the total number of rules or unique combinations possible for each user.
  3. Use subnet masks such as 192.168.20.0/24 and 192.168.21.64/28.
  4. Use port range such as 1024-65535, instead of multiple single port configured if can be contiguous.
  5. Use the port combination in one line such as tcp://*:80,443, instead of each line as tcp://*:80 and tcp://*:443.
  6. If the optimization is done during a maintenance period, it is recommended to restart services after modifying the configuration settings.
Note:  Using dashes and commas in single line is not allowed.
Related Links
Attachment 1 
Created ByData Deployment

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255