Anyconnect Configuration for Vendor Access, DNS Packets dropped udp 38 Drop-reason: (no-adjacency) No valid adjacency

I am helping a client create a Vendor VPN on a 5515 ASA.  They will be limited to a single subnet but need access to one internal IP address for internal DNS.  We have the ACLs in place but DNS will not work.  I did an asp-drop packet capture and am getting:

1: 18:38:54.679896 192.168.211.236.60493 > 192.168.98.111.53: udp 38 Drop-reason: (no-adjacency) No valid adjacency

2: 18:38:54.855866 192.168.211.236.58715 > 192.168.98.111.53: udp 38 Drop-reason: (no-adjacency) No valid adjacency

I have done some google searches and have not found anything helpful yet.

192.168.211.236 = Client VPN IP

192.168.98.111 = Internal DNS server

Let me know what parts of the configuration I need to provide.

3 Replies

Francesco Molino
VIP Alumni

Hi

Let's assume your interface where VPN users are coming in is named outside.

Can you run the following command please:

- packet-tracer input outside udp 192.168.211.236 1234 192.168.98.111 53 decrypted

Also can you share output of following commands:

- sh ip

- sh route

- sh nat

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your response.  Here is the information you requested.

packet-tracer input outside udp 192.168.211.236 1234 192.168.98.111 53 detailed  (no option for decrypted)

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f66482b8fb0, priority=1, domain=permit, deny=false
hits=118647118856, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Vendor,outside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224
Additional Information:
NAT divert to egress interface Vendor
Untranslate 192.168.98.111/53 to 192.168.98.111/53

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f663ef5ef70, priority=13, domain=permit, deny=true
hits=52429152, user_data=0x7f6634714440, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Vendor
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

show ip

System IP Addresses:
Interface            Name           IP address      Subnet mask      Method
GigabitEthernet0/0   outside        206.121.110.50  255.255.255.248  CONFIG
GigabitEthernet0/3   guest          192.168.201.1   255.255.255.0    CONFIG
GigabitEthernet0/4   backup         10.11.12.1      255.255.255.252  CONFIG
GigabitEthernet0/5   failover-link  1.1.1.1         255.255.255.0    unset
Management0/0        management     192.168.1.1     255.255.255.0    CONFIG
Redundant1.208       Vendor         192.168.208.1   255.255.252.0    manual
Redundant1.254       inside         192.168.99.1    255.255.255.0    CONFIG
Current IP Addresses:
Interface            Name           IP address      Subnet mask      Method
GigabitEthernet0/0   outside        206.121.110.50  255.255.255.248  CONFIG
GigabitEthernet0/3   guest          192.168.201.1   255.255.255.0    CONFIG
GigabitEthernet0/4   backup         10.11.12.1      255.255.255.252  CONFIG
GigabitEthernet0/5   failover-link  1.1.1.2         255.255.255.0    unset
Management0/0        management     192.168.1.1     255.255.255.0    CONFIG
Redundant1.208       Vendor         192.168.208.1   255.255.252.0    manual
Redundant1.254       inside         192.168.99.1    255.255.255.0    CONFIG

show route  (Omitted gateway of last resort/public IP address gateway)

C 1.1.1.0 255.255.255.0 is directly connected, failover-link
L 1.1.1.2 255.255.255.255 is directly connected, failover-link
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.99.254, inside
C 10.11.12.0 255.255.255.252 is directly connected, backup
L 10.11.12.1 255.255.255.255 is directly connected, backup
S 10.81.1.0 255.255.255.0 [200/0] via 192.69.81.81, outside
S 172.16.0.0 255.240.0.0 [1/0] via 192.168.99.254, inside
S 172.16.16.0 255.255.254.0 [1/0] via 192.168.99.254, outside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.66.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.88.0 255.255.252.0 [1/0] via 192.168.99.254, inside
S 192.168.96.0 255.255.252.0 [1/0] via 192.168.99.254, inside
V 192.168.96.97 255.255.255.255 connected by VPN (advertised), outside
V 192.168.96.104 255.255.255.255 connected by VPN (advertised), outside
C 192.168.99.0 255.255.255.0 is directly connected, inside
L 192.168.99.1 255.255.255.255 is directly connected, inside
S 192.168.113.0 255.255.255.0 [200/0] via 192.69.81.81, outside
S 192.168.180.0 255.255.255.0 [1/0] via 192.168.99.254, inside
C 192.168.201.0 255.255.255.0 is directly connected, guest
L 192.168.201.1 255.255.255.255 is directly connected, guest
C 192.168.208.0 255.255.252.0 is directly connected, Vendor
L 192.168.208.1 255.255.255.255 is directly connected, Vendor

show nat

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.250.0_24 NETWORK_OBJ_10.1.250.0_24 no-proxy-arp route-lookup
translate_hits = 81, untranslate_hits = 82
2 (inside) to (outside) source static any any destination static REMOTE-VPN-USERS_POOL-192.168.96.0 REMOTE-VPN-USERS_POOL-192.168.96.0 no-proxy-arp route-lookup
translate_hits = 6082410, untranslate_hits = 6274400
3 (inside) to (outside) source static TF-VoIP TF-VoIP destination static ANetwork ANetwork no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static TF-VoIP TF-VoIP destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
translate_hits = 1101357, untranslate_hits = 1306099
5 (inside) to (outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Main Main no-proxy-arp route-lookup
translate_hits = 2547219, untranslate_hits = 2554318
6 (Vendor) to (inside) source static any any unidirectional
translate_hits = 1129, untranslate_hits = 0
7 (Vendor) to (outside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224
translate_hits = 3827, untranslate_hits = 3827
8 (Vendor) to (inside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224 inactive
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AAnalog-INT AAnalog-EXT
translate_hits = 460136, untranslate_hits = 3000679
2 (inside) to (outside) source static OBJ-FTP 12.185.235.3
translate_hits = 756921, untranslate_hits = 10388311
3 (inside) to (outside) source static OBJ-EXCHANGE 12.185.235.2
translate_hits = 618288, untranslate_hits = 27239552
4 (inside) to (outside) source static auth.domain.com 12.185.235.5
translate_hits = 502320, untranslate_hits = 4177732

Manual NAT Policies (Section 3)
1 (guest) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (Vendor) to (outside) source dynamic any interface description Allow vendors out to the Internet
translate_hits = 609511, untranslate_hits = 545
3 (inside) to (outside) source dynamic any interface
translate_hits = 831589775, untranslate_hits = 44970007
4 (inside) to (backup) source dynamic any interface
translate_hits = 35, untranslate_hits = 22267

Sorry for my late answer.
I don't see any interface nor a route to reach your DNS server 192.168.98.111.

Is this DNS internal, or does the traffic have to go over the outside interface to be reachable?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question