
AnyConnect VPN issue

Hi all,

Slightly strange AnyConnect issue, well two in fact.

We have it set up for split tunnelling. Included in the split tunnel is:

  1. Our head office subnets (10.1.0.0/16) where the ASA is located

  2. Our Azure VNET (10.2.0.0/16). We have a site-to-site VPN between HO and Azure.

Problem 1: When connected via AnyConnect I can get to literally anything in the HO subnet apart from the firewall. It doesn’t ping on any interface or sub-interface. I put in a management rule as I needed to temporarily be able to do configuration over the VPN, and that doesn’t work. The interfaces are in the same subnets I can get to. For example, on the inside interface the IP is 10.1.252.2, which I can’t get to. However, I can get to 10.1.252.1, which is the switch connected to it.

On the ASA there is a route for the 10.1.0.0/16 network with a next hop of the switch stack, which does the inter-VLAN routing. However, as the interface addresses will also be in the route table as directly connected, I can’t see this being the issue.

Problem 2: I am unable to route to the Azure network.

I have put an outside-to-outside NAT exemption in for the traffic.

I have put a firewall rule in to allow the connection.

I have enabled same-security permit intra-interface.

Any ideas on either issue would be greatly appreciated.

TIA Ben

8 comments
2 points · 4 days ago · edited 4 days ago

Have you added the VPN pool to an ssh/http rule on the firewall, or are you using a VPN pool inside that /16?

Original Poster · 1 point · 4 days ago

No, I added the VPN pool for both https and ssh.

But I can’t ping it either.

What code are you running on the ASA? There was a "recent" change to the way ASAs handle routing for the interfaces marked as management-only.

Original Poster · 1 point · 4 days ago

9.8(3)

It's going to be difficult to tell you without looking at the config. Can you post a sanitized version?

Hi, it does sound like you know exactly all the things to check. Best is to post us a sanitised config. But FYI, I just connected to one of my ASAs to double-check the config. I VPN to the outside IP. I have `management-access inside` configured, a route for the VPN pool via the outside interface, and an SSH statement allowing the VPN pool IP to the INSIDE interface only. So double-check that first. For your Azure traffic, can you look at the ASDM monitor while testing, and also do a `packet-tracer input` command. It may also help you if you do a capture:

```
capture test interface inside match ip host X any
show capture test
capture test interface inside real-time match ip host X any
```
Original Poster · 1 point · 3 days ago

Thanks all

I’ll grab a sanitised config today and post it.

Original Poster · 1 point · 3 days ago

Hi all

I’ve managed to fix this now. Like most of these weird issues it was something stupid.

Basically, in the NAT statements I hadn’t put `route-lookup` on the end. Added this and it’s fixed both issues.

Thanks for everybody’s input.

Appreciated, Ben
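For anyone landing here with the same symptoms, the configuration below is an added example that pulls together the commenter's checklist (management-access, ssh/http from the pool, the capture and packet-tracer checks) and the OP's fix (route-lookup on the identity NAT rules). It is not the OP's config or Cisco documentation; the interface names `inside`/`outside`, the object names, and the VPN pool 10.9.9.0/24 are constructed placeholders, while 10.1.0.0/16 and 10.2.0.0/16 are the subnets from the post.

```cisco
! Added example, not the poster's running config. Object names, interface
! names and the VPN pool (10.9.9.0/24) are assumed placeholders.
object network HO_LAN
 subnet 10.1.0.0 255.255.0.0
object network AZURE_VNET
 subnet 10.2.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.9.9.0 255.255.255.0
!
! Identity NAT exemptions as originally written (no route-lookup).
! With twice NAT the ASA takes the egress interface from the NAT rule
! rather than the routing table, so replies to a VPN client aimed at a
! directly connected interface IP, and hairpinned traffic towards Azure,
! can leave the wrong interface. Remove these lines:
no nat (inside,outside) source static HO_LAN HO_LAN destination static VPN_POOL VPN_POOL no-proxy-arp
no nat (outside,outside) source static VPN_POOL VPN_POOL destination static AZURE_VNET AZURE_VNET no-proxy-arp
!
! Corrected form: route-lookup tells the ASA to consult the routing table
! for the egress interface after translation. This is the change that
! resolved both problems in the thread.
nat (inside,outside) source static HO_LAN HO_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
nat (outside,outside) source static VPN_POOL VPN_POOL destination static AZURE_VNET AZURE_VNET no-proxy-arp route-lookup
!
! VPN client -> outside -> site-to-site tunnel enters and leaves on the
! same interface, so intra-interface traffic must be permitted.
same-security-traffic permit intra-interface
!
! Reaching the inside interface IP over the remote-access tunnel requires
! management-access on that interface, plus ssh/http limited to the pool
! on the inside interface only.
management-access inside
ssh 10.9.9.0 255.255.255.0 inside
http 10.9.9.0 255.255.255.0 inside
!
! Verification: simulate a VPN client pinging an Azure host, then inspect
! NAT hit counts and the capture from the commenter's suggestion.
packet-tracer input outside icmp 10.9.9.10 8 0 10.2.0.10 detailed
show nat detail
capture azure interface outside match ip 10.9.9.0 255.255.255.0 10.2.0.0 255.255.0.0
show capture azure
```

Two things the thread does not spell out but which this example assumes: the site-to-site crypto ACL on the ASA (and the local network definition on the Azure side) must also cover the VPN pool, otherwise the hairpinned flow passes NAT and the access rule but is never sent into the tunnel; and the `packet-tracer` output should show the `ROUTE-LOOKUP` phase selecting `outside` for the Azure destination, which is the quickest way to confirm the `route-lookup` keyword is doing its job.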
