cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3916
Views
0
Helpful
6
Replies

AnyConnect VPN - connects but no traffic

rwills
Level 1
Level 1

I am trying to configure an Anyconnect VPN.  The wizard failed miserably, and I have been trying to get it to work for a few hours now.  It will connect, but no traffic is passing.  I had been getting error messages in the log, but now that I fixed (I think) split tunneling, I am not seeing any traffic from my machine on the SSL VPN hitting the logs.  I see the connection and disconnection traffic, but nothing when I try to ping or RDP.  I am out of ideas.  Here is the relevant config.

 

 


ip local pool SSLVPN-Pool 10.173.0.2-10.173.0.254 mask 255.255.255.0

 


object network SGR-Servers
 subnet 10.172.0.0 255.255.255.0
object network InternetAccess
 subnet 10.172.0.0 255.255.0.0
object network SSLVPN-Anyconnect
 subnet 10.173.0.0 255.255.255.0
object network NETWORK_OBJ_10.173.0.0_24
 subnet 10.173.0.0 255.255.255.0
object network NETWORK_OBJ_10.172.0.0_24
 subnet 10.172.0.0 255.255.255.0

access-list Outside_access_in extended permit ip object SSLVPN-Anyconnect object SGR-Servers
access-list Outside_access_in extended permit tcp any interface Outside eq https
access-list Inside_access_in extended permit ip object SGR-Servers any
access-list Inside_access_in extended permit ip 10.172.0.0 255.255.255.0 object SSLVPN-Anyconnect
access-list SSLVPN-SplitTunnel extended permit ip object SGR-Servers object SGR-Servers
access-list SSLVPN-Split-Tunnel standard permit 10.172.0.0 255.255.255.0

mtu Outside 1500
mtu Inside 1500
mtu management 1500


nat (Inside,Outside) source static NETWORK_OBJ_10.172.0.0_24 NETWORK_OBJ_10.172.0.0_24 destination static NETWORK_OBJ_10.173.0.0_24 NETWORK_OBJ_10.173.0.0_24 no-proxy-arp route-lookup
nat (Inside,Outside) source static SGR-Servers SGR-Servers destination static NETWORK_OBJ_10.173.0.0_24 NETWORK_OBJ_10.173.0.0_24 no-proxy-arp route-lookup
!
object network InternetAccess
 nat (Inside,Outside) dynamic interface
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside

 


webvpn
 enable Outside
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-macos-4.8.02042-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.8.02042-webdeploy-k9.pkg 2
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-filter value Outside_cryptomap
 vpn-tunnel-protocol l2tp-ipsec ssl-clientless
group-policy GroupPolicy_AnyConnectSSLVPN internal
group-policy GroupPolicy_AnyConnectSSLVPN attributes
 wins-server none
 dns-server value 10.172.0.5 4.2.2.2
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN-Split-Tunnel
 default-domain value lawfirmllp.net
dynamic-access-policy-record DfltAccessPolicy

tunnel-group AnyConnectSSLVPN type remote-access
tunnel-group AnyConnectSSLVPN general-attributes
 address-pool SSLVPN-Pool
 default-group-policy GroupPolicy_AnyConnectSSLVPN
tunnel-group AnyConnectSSLVPN webvpn-attributes
 group-alias AnyConnectSSLVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!

1 Accepted Solution

Accepted Solutions

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I looking at your config quickly through my phone and everything seems ok except the vpn filter.
You mentioned an acl Outside_cryptomap as vpn filter. Can you share it please to see what is allowed with this acl?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

6 Replies 6

Francesco Molino
VIP Alumni
VIP Alumni
Hi

I looking at your config quickly through my phone and everything seems ok except the vpn filter.
You mentioned an acl Outside_cryptomap as vpn filter. Can you share it please to see what is allowed with this acl?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here they are, but those are used by a site-to-site VPN. They shouldn't be referenced by the Anyconnect VPN.

Access-list Outside_cryptomap extended permit ip object SGR-10-172 object-group SGR-OfficeSubnets
Access-list Outside_cryptomap extended permit ip object-group SGR-OfficeSubnest object SGR-10-172


Sorry misred it.
Can you do a packet-tracer to see where it blocks?
The command will be:
packet-tracer input inside icmp ip-host-inside 8 0 ip-host-anyconnect

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Can we verify the operation of split tunneling for AnyConnect? With AnyConnect connected would you look into the routes tab and share with us what secured routes are sent via vpn and what is just sent to the Internet without vpn?

HTH

Rick

You were right.  This filter was applied in both places, when it should have only been applied to the IPSEC VPN. Setting vpn-filter none fixed the issue.

Thanks for the update. Glad that you have solved the problem and that our suggestions pointed you in the right direction.

HTH

Rick

Review Cisco Networking for a $25 gift card