AnyConnect client broadcasts cause Asymmetric NAT log messages

lcaruso
Level 6
Level 6

Hi,

I'm trying to figure out if this is a cosmetic issue/bug or if there really is a problem. For all broadcasts, I get the asymmetric NAT error.

For example, AC client logged in with address .1 broadcasts to .255 on port 137

10.245.103.1    137    10.245.103.255    137   

5    Nov 16 2013    18:42:02    305013    10.245.103.1    137    10.245.103.255    137    Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.245.103.1/137(LOCAL\username) dst outside:10.245.103.255/137 denied due to NAT reverse path failure

These VPN users are reporting issues with not being able to resolve WINS names. The WINS server is configured under the profile.

Any insight appreciated. Thanks.

Cisco Adaptive Security Appliance Software Version 9.1(2)

Device Manager Version 7.1(3)
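An added example, not from the thread or from Cisco: it parses ASA message 305013 lines like the one above and separates VPN-pool subnet broadcasts (the NetBIOS/WINS pattern described here) from reverse-path denies that deserve a closer look. The pool 10.245.103.0/24 and the sample log lines are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample 305013 lines modelled on the message in the thread (not real device output).
SAMPLE_LOGS = [
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src outside:10.245.103.1/137(LOCAL\\username) "
    "dst outside:10.245.103.255/137 denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for udp src outside:10.245.103.1/138(LOCAL\\username) "
    "dst outside:10.245.103.255/138 denied due to NAT reverse path failure",
    "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    "Connection for tcp src outside:10.245.103.7/51234(LOCAL\\bob) "
    "dst inside:10.10.20.5/445 denied due to NAT reverse path failure",
]

# Fields of a 305013 message: protocol, source/destination interface, IP, port and optional user.
PATTERN = re.compile(
    r"305013:.*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?:\((?P<user>[^)]*)\))? "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_305013(line):
    """Return the parsed fields of a 305013 line, or None for any other message."""
    m = PATTERN.search(line)
    return m.groupdict() if m else None

def classify(entry, vpn_pool):
    """Label a denied flow: hairpinned pool broadcast noise, or something to investigate."""
    pool = ipaddress.ip_network(vpn_pool)  # assumed AnyConnect pool, e.g. 10.245.103.0/24
    src = ipaddress.ip_address(entry["src_ip"])
    dst = ipaddress.ip_address(entry["dst_ip"])
    same_if = entry["src_if"] == entry["dst_if"]
    if src in pool and dst == pool.broadcast_address and same_if:
        return "pool-broadcast"  # expected when no pool-to-pool exemption matches on that interface
    return "investigate"

def summarize(lines, vpn_pool):
    """Count denies by (classification, protocol, destination port) to see the pattern at a glance."""
    counts = {}
    for line in lines:
        entry = parse_305013(line)
        if entry is None:
            continue
        key = (classify(entry, vpn_pool), entry["proto"], entry["dst_port"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```

A cluster of `pool-broadcast` entries on UDP 137/138 confirms the WINS/NetBIOS broadcast case; anything classified `investigate` is a reverse-path failure the NAT exemptions do not explain.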

8 Replies

Are all IPs that are to be sent over the VPN tunnel included in the NAT exempt?

Could you please post a full sanitized running config for the ASA.

--

Please rate all helpful posts

--
Please remember to select a correct answer and rate helpful posts

Hi,

Thanks for responding. I do have all addresses involved nat exempt.

I now have a TAC case open on this. They have commented that they think it is cosmetic, possibly a bug, but they have taken a show tech and will get back to me.

I'll post their findings.

If you can add a VPN filter, that should resolve the problem. I had something similar on an IPSec VPN connection.

This was a note that I saw and that made me configure a VPN filter.

Use care when using the any keyword in permit entries in dynamic crypto maps. If the traffic covered by such a permit entry could include multicast or broadcast traffic, insert deny entries for the appropriate address range into the access list. Remember to insert deny entries for network and subnet broadcast traffic, and for any other traffic that IPsec should not protect.

Value our effort and rate the assistance!

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ike.html

And I think it is the same

Value our effort and rate the assistance!

I agree with jumora here about using the any keyword. 

If at all possible use specific subnets when configuring the crypto ACLs.

--
Please remember to select a correct answer and rate helpful posts

Did you run with the VPN filter option?

Value our effort and rate the assistance!

Hi

I'm having the same problem. How did you solve it?

I solved a similar issue by creating a nat exempt rule on the outside interface, where the source and destination is the Anyconnect VPN pool.

nat (outside,outside) source static Anyconnect-VPN-FP Anyconnect-VPN-FP destination static Anyconnect-VPN-FP Anyconnect-VPN-FP no-proxy-arp

The issue occurs because none of your NAT rules on the outside interface matches a traffic pattern with the AnyConnect pool as both source and destination.
