Internet Access through Remote Access VPN (AnyConnect) for clients not working

IlyaTaskaev
Level 1

Hi, I am looking for some assistance with configuring/troubleshooting our Remote Access VPN settings, specifically for accessing the Internet through the VPN connection.

 

We use Cisco 5516-x with Firepower Management Center. 

 

We already configured two connection profiles. The first one, with split tunneling, works perfectly; both the Internet and access to our networks work as they should. The second connection profile, with "Allow all traffic over tunnel" selected in the split tunneling option, grants access only to local networks; Internet access through the VPN is not working, and this is what we want to deal with.

 

We use a two-provider scheme: ISP1 grants Internet access, with a default route of metric 1; ISP2 grants VPN access, with a default route of metric 2. I allowed ISP2-to-ISP1 traffic with the VPN address pool as source and any address as destination in the ACL. Also, I created a dynamic NAT rule which should translate IP addresses from the VPN address pool to the external IP of the ISP1 interface (like I did to NAT traffic from local networks to the Internet).

 

Also, I tried Packet Tracer with source IP: an IP from the VPN address pool, destination IP: 8.8.8.8, and it seems OK. PT shows me Allow. But in real life, it doesn't work for some reason.

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside_ISP2 object VPNPool-10.72.1.0-24 ifc outside_ISP1 any rule-id 268436480 
access-list CSM_FW_ACL_ remark rule-id 268436480: ACCESS POLICY: Base Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436480: L7 RULE: VPN_to_Internet
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class_map_AllowAll
 match access-list AllowAll
policy-map global_policy
 class class_map_AllowAll
  set connection timeout idle 1:00:00 embryonic 0:00:30 half-closed 0:10:00 
        idle 1:00:00 
        DCD: disabled, retry-interval 0:00:15, max-retries 5
        DCD: client-probe 0, server-probe 0, conn-expiration 0
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network VPNPool-10.72.1.0-24
 nat (outside_ISP2,outside_ISP1) dynamic interface
Additional Information:
Dynamic translate 10.72.1.5/0 to ISP1_ASA_IP/15209

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 4088964, packet dispatched to next module

Phase: 13
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Session: new snort session
Firewall: allow rule,  'VPN_to_Internet' , allow
Snort id 0, NAP id 2, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 04b0.e7a8.2a2d hits 10 reference 1

Result:
input-interface: outside_ISP2
input-status: up
input-line-status: up
output-interface: outside_ISP1
output-status: up
output-line-status: up
Action: allow

How can we overcome this issue?
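A packet-tracer run that ends in "Action: allow" only tells you the simulated path is consistent; it is still worth checking that path mechanically before concluding the problem is elsewhere. The script below is an added example, not part of the original post: it parses packet-tracer output into phases, extracts the NAT statement and the final egress interface, and reports findings such as a non-ALLOW phase or a NAT mapped interface that does not match the egress interface. SAMPLE_TRACE is a trimmed copy of the trace quoted above (route-lookup and NAT phases plus the Result block); the field names and block layout of real output are assumed to match it.

```python
"""Parse Cisco ASA/FTD packet-tracer output and sanity-check the simulated path.
Added example, not from the original post. SAMPLE_TRACE is a constructed,
trimmed copy of the trace quoted in the thread; the parser assumes real output
uses the same field names (Phase/Type/Subtype/Result/Config/Additional
Information and a final "Result:" block).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: phases 1 and 4 and the Result block of the thread's trace.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ISP1_GW_IP using egress ifc  outside_ISP1

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network VPNPool-10.72.1.0-24
 nat (outside_ISP2,outside_ISP1) dynamic interface
Additional Information:
Dynamic translate 10.72.1.5/0 to ISP1_ASA_IP/15209

Result:
input-interface: outside_ISP2
output-interface: outside_ISP1
Action: allow
"""

@dataclass
class Phase:
    number: int
    type: str
    subtype: str
    result: str
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)

@dataclass
class Trace:
    phases: list[Phase]
    summary: dict[str, str]  # key/value lines of the final "Result:" block

def _parse_phase(lines: list[str]) -> Phase:
    """Header lines until 'Config:', config lines until 'Additional Information:'."""
    headers, config, info, section = {}, [], [], None
    for line in lines:
        if section is None and line.startswith("Config:"):
            section = config
        elif section is None:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        elif line.startswith("Additional Information:"):
            section = info
        else:
            section.append(line.rstrip())
    return Phase(int(headers.get("Phase", 0)), headers.get("Type", ""),
                 headers.get("Subtype", ""), headers.get("Result", ""), config, info)

def parse_packet_tracer(text: str) -> Trace:
    """Blocks are separated by blank lines; each is a phase or the final Result."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phases.append(_parse_phase(lines))
        elif lines[0].strip() == "Result:":
            for line in lines[1:]:
                key, _, value = line.partition(":")
                summary[key.strip()] = value.strip()
    return Trace(phases, summary)

def nat_interfaces(trace: Trace) -> tuple[str, str] | None:
    """(real, mapped) interfaces from the first 'nat (real,mapped)' config line."""
    for phase in trace.phases:
        if phase.type == "NAT":
            for line in phase.config:
                m = re.search(r"nat \(([^,)]+),([^,)]+)\)", line)
                if m:
                    return m.group(1), m.group(2)
    return None

def check_consistency(trace: Trace) -> list[str]:
    """Findings on the simulated path; an empty list means the trace is clean."""
    findings = []
    for phase in trace.phases:
        if phase.result.upper() != "ALLOW":
            findings.append(f"phase {phase.number} ({phase.type}): {phase.result}")
    if trace.summary.get("Action", "").lower() != "allow":
        findings.append(f"final action: {trace.summary.get('Action', '?')}")
    ifcs, egress = nat_interfaces(trace), trace.summary.get("output-interface")
    if ifcs and egress and ifcs[1] != egress:
        findings.append(f"NAT mapped interface {ifcs[1]} != egress {egress}")
    if egress and trace.summary.get("input-interface") == egress:
        findings.append("ingress and egress are the same interface (hairpin)")
    return findings
```

Run `check_consistency(parse_packet_tracer(open("trace.txt").read()))` on a saved trace; for the thread's trace it returns no findings, which confirms that the ACL, NAT and egress interface agree for the simulated packet and that the difference between the simulation and live traffic has to be found in what the simulation does not model rather than in the phases it shows.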


IlyaTaskaev
Level 1

I also tried to play with the Tunneled checkbox in the Static Route options for the default route, but it had no effect.

The issue is still open, any suggestions?

 

 


(Optional) For a default route, click the Tunneled checkbox to define a separate default route for VPN traffic.

You can define a separate default route for VPN traffic if you want your VPN traffic to use a different default route than your non VPN traffic. For example, traffic incoming from VPN connections can be easily directed towards internal networks, while traffic from internal networks can be directed towards the outside. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the device that cannot be routed using learned or static routes, is sent to this route. You can configure only one default tunneled gateway per device. ECMP for tunneled traffic is not supported.

 

Hello Ilya,

Did you find a solution? I have the same problem.

 

RachelGomez161999
Spotlight

Ways to fix:

1. Repair the installation
In the Windows Search bar, type Control and open Control Panel.
Click Uninstall a program in the bottom left corner.
Click on the Cisco System VPN client and choose Repair.
Follow the instructions until the installation is repaired.
Let’s start by repairing the installation. Lots of third-party applications tend to break after a major update is administered. That’s why it is always recommended to reinstall them after the update is installed.

Even better, if you want to avoid one of the numerous update/upgrade errors, uninstalling is a viable choice.

However, if you’ve not uninstalled Cisco VPN prior to an update, instead of reinstallation, you should try out repairing the present installation first.

If you’re not sure how to repair the Cisco VPN, follow the steps we provided above.

2. Allow VPN to freely communicate through Firewall
In the Windows Search bar, type Allow an app and open Allow an app through Windows Firewall.
Click Change settings.
Make sure that Cisco VPN is on the list, and it’s allowed to communicate through Windows Firewall.
If that’s not the case, click Allow another app and add it.
Check both Private and Public network boxes.
Confirm changes and open the Cisco VPN.
System updates can, quite frequently, change the system settings and preferences to default values. This misdeed, of course, can affect Windows Defender settings as well.

If that’s the case, chances are that lots of third-party apps that require free traffic through the Firewall won’t work. Including the Cisco VPN client.

That’s why we encourage you to check the settings and confirm that the app is indeed allowed in Windows Firewall settings.

3. Tweak the Registry
Right-click on the Start button and open Device Manager.
Expand Network adapters.
Right-click on Virtual Adapter and update it.
Restart your PC.
Like many other integrating VPN solutions, Cisco VPN comes with the specific associated Virtual Network Adapter. The failure of this device is another common occurrence, and it’s accompanied by the error code 442.

The first thing you can do if this error occurs is checking the Virtual Adapter driver in the Device Manager.

Now, if that fails to resolve the issue, you can try a Registry tweak which seems to address it fully. This requires administrative permission, in order to make changes to Registry.

Furthermore, we strongly suggest treading carefully since untaught meddling with Registry can result in a system failure.

Follow these steps to tweak Registry and repair Cisco VPN:

Type Regedit in the Windows Search bar and open Registry Editor.
Copy-paste the following path in the address bar:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA
Right-click on the DisplayName registry entry and choose Modify.
Under the Value Data section, make sure that the only body of text which stands is the Cisco Systems VPN Adapter.
For the 64bit version, the text is the Cisco Systems VPN Adapter for 64-bit Windows.
Save changes and try running Cisco VPN again.

 

Regards,

Rachel Gomez
