Cisco AnyConnect & VPN-based appliances stop working when PF scrub is disabled



  • In case anyone has trouble with Cisco AnyConnect or a VPN-based appliance like Avaya VPN Phones or T-Mobile CellSpot - On my pfSense 2.4.x, I had been having the same symptoms as described in an old post:

    https://forum.pfsense.org/index.php?topic=65619.0

    … in that example, the fix was to change the "state type" setting in the rule on the interface to "sloppy".  However, that wasn't working for me; also, the post was from a development branch of 2.1.

    Turns out my culprit was that "Disable Firewall Scrub" was checked (meaning PF scrubbing was disabled).  When I unchecked the option, I was able to make VPN connections from Cisco AnyConnect as well as a T-Mobile CellSpot.  Both devices had not been working.

    If you have a similar issue, where you see traffic going outbound across your interface and it's PERMITted, but the return traffic across the WAN hits the "Deny IPv4 Rule", this may be an option to look into for troubleshooting.

    I had been working on this for 3 months - turns out to be a single checkbox.  However, I do not know why this works properly when scrubbing is enabled, but fails to work when it's disabled.  This problem persisted in bridged (transparent) mode as well as routed mode.
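    Illustration of what that checkbox changes at the pf level (added example, not the poster's own ruleset or the exact rules.debug pfSense generates): with "Disable Firewall Scrub" unchecked, pfSense loads scrub rules for the interfaces; with it checked, those rules are simply absent, so fragments are passed through unreassembled and the state table sees the raw packets. The interface name `$WAN` and the interface macro line are assumptions for the example.

```pf
# Assumed interface macro for the example
WAN = "em0"

# --- "Disable Firewall Scrub" UNCHECKED (scrub enabled, the working case) ---
# Reassemble IP fragments and normalize packets before state lookup,
# so the IPsec/DTLS return traffic from the VPN peer matches the
# outbound state instead of falling through to the default deny.
scrub in on $WAN all fragment reassemble

# --- "Disable Firewall Scrub" CHECKED (scrub disabled, the failing case) ---
# No scrub line is loaded at all; packets arrive on the WAN as-is.
# (nothing to write here: the option removes the scrub rules)
```

To confirm which case a box is in, `pfctl -sr` on pfSense's FreeBSD pf prints the loaded scrub rules ahead of the filter rules; if no `scrub` line appears, scrubbing is off. Pairing that with the firewall log (outbound PERMIT, inbound return hitting the default deny on WAN) is the quick check the post above describes.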



  • Well, PF scrub has to do with cleaning packets so things are by-the-book.  Apparently you have unclean packets, and VPN encryption, with emphasis on the encryption part, security, didn't like things being dirty, like that TSA guy at the airport saying, if your name ain't spelled EXACTLY he is not letting you through; to him Elizabeth and Betty are two different persons :)