...
In FMC, every site-to-site tunnel configuration and every Remote Access configuration offers a checkbox to enable or disable "Bypass Access Control policy for decrypted traffic". To the end user it therefore looks as if the setting can be switched on and off per VPN configuration. However, the underlying command, "sysopt connection permit-vpn", is a global command: it is either on for all VPN traffic or off entirely. Sysopt permit-vpn is not currently a per-VPN command, as the current FMC GUI suggests.
1) Using the FMC as the manager for the FTD
2) FTD/ASA running the FTD image
3) Site-to-Site or Remote Access configuration
4) "Bypass Access Control policy for decrypted traffic" (sysopt permit-vpn) box checked
There is currently no workaround. The sysopt permit-vpn must be enabled globally or not at all.
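Because the setting is global, enabling it for one tunnel exposes every tunnel-group on the device. The following added example (not from the page or from Cisco) audits a running-config excerpt for the sysopt line and lists the tunnel-groups whose decrypted traffic would bypass the Access Control policy; the config text is constructed, and it assumes the device prints "no sysopt connection permit-vpn" when the option is disabled (confirm with "show running-config all sysopt" on your own device).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of an ASA/FTD running-config excerpt (not real device output).
SAMPLE_CONFIG = """\
hostname ftd-edge
sysopt connection permit-vpn
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 address-pool RA-POOL
"""

# Matches only the "type" line that declares a VPN tunnel-group.
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) type (ipsec-l2l|remote-access)$")


@dataclass
class PermitVpnAudit:
    permit_vpn: Optional[bool]      # True/False if the line is present, None if absent
    tunnel_groups: Dict[str, str]   # tunnel-group name -> type


def audit_permit_vpn(config: str) -> PermitVpnAudit:
    """Parse the global sysopt state and every declared tunnel-group."""
    permit_vpn: Optional[bool] = None
    groups: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "sysopt connection permit-vpn":
            permit_vpn = True
        elif line == "no sysopt connection permit-vpn":
            permit_vpn = False
        m = TUNNEL_GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return PermitVpnAudit(permit_vpn, groups)


def bypassed_tunnel_groups(config: str) -> List[str]:
    """Tunnel-groups whose decrypted traffic skips the ACP.
    Since sysopt permit-vpn is global, this is all of them or none."""
    audit = audit_permit_vpn(config)
    return sorted(audit.tunnel_groups) if audit.permit_vpn else []


if __name__ == "__main__":
    print("ACP bypassed for:", bypassed_tunnel_groups(SAMPLE_CONFIG))
```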