10-03-2023 10:27 AM
When I attempt to connect via AnyConnect to the VPN, I get through authentication, but the ASA never responds that the connection is complete.
If I change the dACL to permit IP Any Any, the connection works just fine. However, as soon as I add any other lines in the dACL, the problem happens again. I understand that once I add a line, there is an implicit deny.
What I'm trying to discover here is:
1. Is there something I have to configure in the ASA connection profile (Tunnel-group) to make this work?
2. Is there a line I'm missing in the dACL?
3. Is there something in the Authorization Profile that I'm missing?
10-04-2023 05:53 AM
Karsten Iwen wrote
There are different limitations that can apply based on RADIUS and the switch model:
https://community.cisco.com/t5/network-access-control/dacls-in-ise/td-p/2869666
10-03-2023 11:06 AM
@DannyDulin, is the syntax of the dACL correct?
Turn on debugs and provide the output: debug aaa authorization
10-03-2023 12:00 PM
Thanks Rob.
I think I found the solution. There seems to be a size limit to the dACL. I systematically removed rules until it started to work. I had a lot of spacing and a lot of remarks; when I adjusted everything, connectivity started to work as expected.
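An added example, not from the thread or from Cisco, of the trimming the reply describes: it strips remark and blank lines and collapses padding from a dACL written in ISE syntax, reports the raw versus trimmed byte size against a limit, and flags whether the list ends in permit ip any any (otherwise the implicit deny applies). The sample dACL and the byte limit are constructed placeholders; the real ceiling depends on the platform and on how the RADIUS attribute is fragmented, which the linked ISE document covers.

```python
import re

# Constructed sample dACL in ISE syntax with remarks, padding and blank
# lines; it is not the poster's dACL, which the thread does not show.
SAMPLE_DACL = """remark   ---- AnyConnect users: corp resources ----
permit   udp   any   host   10.10.10.53   eq   53
remark   allow web to the intranet range
permit   tcp   any   10.20.0.0   0.0.255.255   eq   443
permit   icmp  any   any

remark   everything else is dropped by the implicit deny
"""


def normalize_dacl(text):
    """Return only the ACEs: remark and blank lines are dropped and runs
    of whitespace collapsed, since none of that changes what is enforced."""
    aces = []
    for line in text.splitlines():
        line = re.sub(r"\s+", " ", line).strip()
        if not line or line.lower().startswith("remark"):
            continue
        aces.append(line)
    return aces


def serialized_size(lines):
    """Bytes the ACL occupies with one ACE per line (newline included)."""
    return sum(len(line.encode()) + 1 for line in lines)


def dacl_report(text, limit):
    """Compare raw vs. trimmed size against an assumed byte limit and flag
    whether the implicit deny at the end is what the author intended.
    `limit` is a placeholder: the real ceiling depends on the platform
    and on how the RADIUS server fragments the attribute."""
    aces = normalize_dacl(text)
    trimmed = serialized_size(aces)
    return {
        "ace_count": len(aces),
        "raw_bytes": len(text.encode()),
        "trimmed_bytes": trimmed,
        "fits": trimmed <= limit,
        # Without a closing permit ip any any, everything not listed is denied.
        "ends_with_permit_any": bool(aces) and aces[-1].lower() == "permit ip any any",
    }


if __name__ == "__main__":
    for key, value in dacl_report(SAMPLE_DACL, limit=200).items():
        print(f"{key}: {value}")
```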