topic AnyConnect client broadcasts cause Asymmetric NAT log messages in Network Security

AnyConnect client broadcasts cause Asymmetric NAT log messages

lcaruso — Tue, 12 Mar 2019 03:06:02 GMT

Hi,

I'm trying to figure out if this is a cosmetic issue/bug or if there really is a problem. For all broadcasts, I get the aymmetric nat error

For example, AC client logged in with address .1 broadcasts to .255 on port 137

10.245.103.1 137 10.245.103.255 137

5 Nov 16 2013 18:42:02 305013 10.245.103.1 137 10.245.103.255 137 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.245.103.1/137(LOCAL\username) dst outside:10.245.103.255/137 denied due to NAT reverse path failure

These VPN users are reporting issues with not being able to resolve WINS names. The WINS server is configured under the profile.

Any insight appreciated. Thanks.

Cisco Adaptive Security Appliance Software Version 9.1(2)

Device Manager Version 7.1(3)

AnyConnect client broadcasts cause Asymmetric NAT log messages

Marius Gunnerud — Sun, 17 Nov 2013 09:19:53 GMT

Are all IPs that are to be sent over the VPN tunnel included in the NAT exempt?

Could you please post a full sanitized running config for the ASA.

Please rate all helpful posts

AnyConnect client broadcasts cause Asymmetric NAT log messages

lcaruso — Sun, 17 Nov 2013 15:13:58 GMT

Hi,

Thanks for responding. I do have all addresses involved nat exempt.

I now have a TAC case open on this. They have commented they think it is cosmetic possibly a bug, but they have taken a show tech and will get back to me.

I'll post their findings.

AnyConnect client broadcasts cause Asymmetric NAT log messages

jumora — Tue, 19 Nov 2013 05:18:31 GMT

If you can add a VPN filter that should resolve the problem, I had something similar on an IPSec VPN connection

This was a note that I saw and was made me configure VPN filter.

Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered by such a permit entry could include multicast or broadcast traffic, insert deny entries for the appropriate address range into the access list. Remember to insert deny entries for network and subnet broadcast traffic, and for any other traffic that IPsec should not protect.

AnyConnect client broadcasts cause Asymmetric NAT log messages

jumora — Tue, 19 Nov 2013 05:19:02 GMT

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html

And I think it is the same

AnyConnect client broadcasts cause Asymmetric NAT log messages

Marius Gunnerud — Tue, 19 Nov 2013 08:12:43 GMT

I agree with jumora here about using the any keyword.

If at all possible use specific subnets when configuring the crypto ACLs.

AnyConnect client broadcasts cause Asymmetric NAT log messages

jumora — Tue, 19 Nov 2013 17:02:12 GMT

Did you run with the VPN filter option?

Hi

ilukeberry — Wed, 16 Nov 2016 10:38:54 GMT

I'm having the same problem.. how did you solved it ?

Re: Hi

Jesper Erbs — Wed, 12 Feb 2020 11:18:11 GMT

I solved a similar issue by creating a nat exempt rule on the outside interface, where the source and destination is the Anyconnect VPN pool.

nat (outside,outside) source static Anyconnect-VPN-FP Anyconnect-VPN-FP destination static Anyconnect-VPN-FP Anyconnect-VPN-FP no-proxy-arp

The issue occurs, because none of your nat rules on the outside interface matches a traffic pattern with the anyconnect pool as source and destination.