Symptom
Active Directory LDAP traffic (tcp/389) may be wrongly classified by DPI as ms-teams, and therefore hit the Teams sequence and be sent out via DIA instead of over the overlay, when the following or a similar data-policy construction is used:
from-vsmart data-policy VPN_Traffic-Data-Policy-v1-11
 direction from-service
 vpn-list VPN
  sequence 11
   match
    source-ip 0.0.0.0/0
    app-list  Teams-Skype-Lync
   action accept
    count teams_counter_00000
    nat use-vpn 0
    nat fallback
    set
     local-tloc-list
      color biz-internet
      encap ipsec
...
Conditions
A data policy is configured to redirect ms-teams traffic (matched via app-list) to the internet through Direct Internet Access (DIA, nat use-vpn 0). The 17.3 release branch is not affected.
Workaround
Insert a sequence ahead of the app-list sequence that matches Active Directory traffic on protocol/port and accepts it with no NAT action, so it is handled before the DPI-based app-list match is ever consulted. Because a bare destination-port 389 / protocol 6 match exempts tcp/389 to any destination, scope it to the domain controllers (for example with a destination-data-prefix-list of the DC subnets) if that matters in your deployment. E.g.:
from-vsmart data-policy VPN_Traffic-Data-Policy-v1-11
 direction from-service
 vpn-list VPN
  sequence 1
   match
    destination-port 389
    protocol 6
   action accept
  sequence 11
   match
    source-ip 0.0.0.0/0
    app-list  Teams-Skype-Lync
   action accept
    count teams_counter_00000
    nat use-vpn 0
    nat fallback
    set
     local-tloc-list
      color biz-internet
      encap ipsec
Alternatively, add a leading sequence that accepts all traffic to RFC1918 destination address space before the app-list sequence. This keeps every internal destination (not just LDAP) away from the DIA sequence and also improves DPI engine performance, since less traffic has to be processed by it.
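To make the first-match behaviour behind both workarounds concrete, here is an added example (not Cisco's code and not part of this bug report) that models a centralized data policy as an ordered list of sequences and evaluates constructed sample flows against the original policy and the two workarounds. The DPI label on each flow is simply an input, so the misclassification is represented by an LDAP flow carrying the label ms-teams. The app-list contents, the domain-controller subnet 10.1.1.0/24 and the flow addresses are assumptions; the default-action of the policy is not shown on the page and is reported as such.

```python
"""Toy first-match evaluator for an SD-WAN data policy (a model, not Cisco's implementation)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Private address space; the second workaround on the page keeps all of it away from the app-list sequence.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP
    dport: int
    dpi_app: str    # label assigned by the DPI engine; the bug is that this label can be wrong


@dataclass
class Sequence:
    seq: int
    match: Dict     # any of: source_prefix, destination_prefixes, protocol, destination_port, app_list
    nat_use_vpn: Optional[int] = None   # "nat use-vpn N" in the action block; None = plain accept


def matches(seq: Sequence, flow: Flow) -> bool:
    """All configured match criteria of a sequence must hold (AND semantics)."""
    m = seq.match
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if "source_prefix" in m and src not in m["source_prefix"]:
        return False
    if "destination_prefixes" in m and not any(dst in p for p in m["destination_prefixes"]):
        return False
    if "protocol" in m and flow.proto != m["protocol"]:
        return False
    if "destination_port" in m and flow.dport != m["destination_port"]:
        return False
    if "app_list" in m and flow.dpi_app not in m["app_list"]:
        return False
    return True


def route_for(policy: List[Sequence], flow: Flow) -> str:
    """Sequences are evaluated in ascending order; the first match decides the action."""
    for seq in sorted(policy, key=lambda s: s.seq):
        if matches(seq, flow):
            path = "overlay" if seq.nat_use_vpn is None else f"nat-vpn{seq.nat_use_vpn}"
            return f"seq{seq.seq}:{path}"
    return "default-action"   # whatever the policy's default-action is (not shown on the page)


# Sequence 11 as on the page. The real Teams-Skype-Lync app-list contents are not listed
# on the page; a single label "ms-teams" is assumed here.
TEAMS_SEQ = Sequence(11, {"source_prefix": ANY, "app_list": {"ms-teams"}}, nat_use_vpn=0)
ORIGINAL = [TEAMS_SEQ]

# Workaround 1 (scoped tighter than the page's example): tcp/389 only to the assumed DC subnet.
DC_SUBNET = [ipaddress.ip_network("10.1.1.0/24")]
BYPASS_LDAP = [Sequence(1, {"protocol": 6, "destination_port": 389,
                            "destination_prefixes": DC_SUBNET}), TEAMS_SEQ]

# Workaround 2: accept every RFC1918 destination before the app-list sequence is reached.
BYPASS_PRIVATE = [Sequence(1, {"destination_prefixes": RFC1918}), TEAMS_SEQ]

# Constructed sample flows (not captures from the page).
LDAP_MISLABELED = Flow("10.2.0.50", "10.1.1.10", 6, 389, "ms-teams")   # the bug: LDAP labelled as Teams
LDAP_OK = Flow("10.2.0.50", "10.1.1.10", 6, 389, "ldap")
TEAMS = Flow("10.2.0.50", "52.112.0.10", 6, 443, "ms-teams")           # genuine Teams traffic to the internet


def compare() -> Dict[str, Dict[str, str]]:
    """Show where each flow ends up under each policy variant."""
    policies = {"original": ORIGINAL, "bypass_ldap": BYPASS_LDAP, "bypass_private": BYPASS_PRIVATE}
    flows = {"ldap_mislabeled": LDAP_MISLABELED, "ldap_ok": LDAP_OK, "teams": TEAMS}
    return {f: {p: route_for(pol, fl) for p, pol in policies.items()} for f, fl in flows.items()}


if __name__ == "__main__":
    for flow_name, results in compare().items():
        print(flow_name, results)
```

The point the model makes explicit is ordering: a bypass sequence only helps if its sequence number is lower than the app-list sequence, because the mislabeled flow otherwise matches sequence 11 first and is NATed out via VPN 0. Sequence 1 in both workarounds has no nat action, so matched traffic is simply accepted and follows normal routing in the service VPN.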
Further Problem Description