1409 Views, 0 Helpful, 3 Replies

Anyconnect Configuration for Vendor Access, DNS Packets dropped udp 38 Drop-reason: (no-adjacency) No valid adjacency

I am helping a client create a Vendor VPN on a 5515 ASA.  They will be limited to a single subnet but need access to one internal IP address for internal DNS.  We have the ACLs in place but DNS will not work.  I did an asp-drop packet capture and am getting:

1: 18:38:54.679896 192.168.211.236.60493 > 192.168.98.111.53: udp 38 Drop-reason: (no-adjacency) No valid adjacency

2: 18:38:54.855866 192.168.211.236.58715 > 192.168.98.111.53: udp 38 Drop-reason: (no-adjacency) No valid adjacency

I have done some google searches and have not found anything helpful yet.

192.168.211.236 = Client VPN IP

192.168.98.111 = Internal DNS server

Let me know what parts of the configuration I need to provide.

3 Replies

Francesco Molino
VIP Alumni

Hi

 

Let's assume your interface where VPN users are coming in is named outside.

Can you run the following command please:

- packet-tracer input outside udp 192.168.211.236 1234 192.168.98.111 53 decrypted

 

Also can you share output of following commands:

- sh ip

- sh route

- sh nat

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for your response.  Here is the information you requested.

 

packet-tracer input outside udp 192.168.211.236 1234 192.168.98.111 53 detailed  (no option for decrypted)

 

Phase: 1

 

Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f66482b8fb0, priority=1, domain=permit, deny=false
hits=118647118856, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Vendor,outside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224
Additional Information:
NAT divert to egress interface Vendor
Untranslate 192.168.98.111/53 to 192.168.98.111/53

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f663ef5ef70, priority=13, domain=permit, deny=true
hits=52429152, user_data=0x7f6634714440, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Vendor
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

show ip

 

System IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 206.121.110.50 255.255.255.248 CONFIG
GigabitEthernet0/3 guest 192.168.201.1 255.255.255.0 CONFIG
GigabitEthernet0/4 backup 10.11.12.1 255.255.255.252 CONFIG
GigabitEthernet0/5 failover-link 1.1.1.1 255.255.255.0 unset
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
Redundant1.208 Vendor 192.168.208.1 255.255.252.0 manual
Redundant1.254 inside 192.168.99.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
GigabitEthernet0/0 outside 206.121.110.50 255.255.255.248 CONFIG
GigabitEthernet0/3 guest 192.168.201.1 255.255.255.0 CONFIG
GigabitEthernet0/4 backup 10.11.12.1 255.255.255.252 CONFIG
GigabitEthernet0/5 failover-link 1.1.1.2 255.255.255.0 unset
Management0/0 management 192.168.1.1 255.255.255.0 CONFIG
Redundant1.208 Vendor 192.168.208.1 255.255.252.0 manual
Redundant1.254 inside 192.168.99.1 255.255.255.0 CONFIG

 

show route  (Omitted gateway of last resort/public IP address gateway)

 

C 1.1.1.0 255.255.255.0 is directly connected, failover-link
L 1.1.1.2 255.255.255.255 is directly connected, failover-link
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.99.254, inside
C 10.11.12.0 255.255.255.252 is directly connected, backup
L 10.11.12.1 255.255.255.255 is directly connected, backup
S 10.81.1.0 255.255.255.0 [200/0] via 192.69.81.81, outside
S 172.16.0.0 255.240.0.0 [1/0] via 192.168.99.254, inside
S 172.16.16.0 255.255.254.0 [1/0] via 192.168.99.254, outside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.2.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.66.0 255.255.255.0 [1/0] via 192.168.99.254, inside
S 192.168.88.0 255.255.252.0 [1/0] via 192.168.99.254, inside
S 192.168.96.0 255.255.252.0 [1/0] via 192.168.99.254, inside
V 192.168.96.97 255.255.255.255 connected by VPN (advertised), outside
V 192.168.96.104 255.255.255.255 connected by VPN (advertised), outside

C 192.168.99.0 255.255.255.0 is directly connected, inside
L 192.168.99.1 255.255.255.255 is directly connected, inside
S 192.168.113.0 255.255.255.0 [200/0] via 192.69.81.81, outside
S 192.168.180.0 255.255.255.0 [1/0] via 192.168.99.254, inside
C 192.168.201.0 255.255.255.0 is directly connected, guest
L 192.168.201.1 255.255.255.255 is directly connected, guest
C 192.168.208.0 255.255.252.0 is directly connected, Vendor
L 192.168.208.1 255.255.255.255 is directly connected, Vendor

 

Show nat

 

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static NETWORK_OBJ_10.1.250.0_24 NETWORK_OBJ_10.1.250.0_24 no-proxy-arp route-lookup
translate_hits = 81, untranslate_hits = 82
2 (inside) to (outside) source static any any destination static REMOTE-VPN-USERS_POOL-192.168.96.0 REMOTE-VPN-USERS_POOL-192.168.96.0 no-proxy-arp route-lookup
translate_hits = 6082410, untranslate_hits = 6274400
3 (inside) to (outside) source static TF-VoIP TF-VoIP destination static ANetwork ANetwork no-proxy-arp route-lookup inactive
translate_hits = 0, untranslate_hits = 0
4 (inside) to (outside) source static TF-VoIP TF-VoIP destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
translate_hits = 1101357, untranslate_hits = 1306099
5 (inside) to (outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static Main Main no-proxy-arp route-lookup
translate_hits = 2547219, untranslate_hits = 2554318
6 (Vendor) to (inside) source static any any unidirectional
translate_hits = 1129, untranslate_hits = 0
7 (Vendor) to (outside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224
translate_hits = 3827, untranslate_hits = 3827
8 (Vendor) to (inside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224 inactive
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static AAnalog-INT AAnalog-EXT
translate_hits = 460136, untranslate_hits = 3000679
2 (inside) to (outside) source static OBJ-FTP 12.185.235.3
translate_hits = 756921, untranslate_hits = 10388311
3 (inside) to (outside) source static OBJ-EXCHANGE 12.185.235.2
translate_hits = 618288, untranslate_hits = 27239552
4 (inside) to (outside) source static auth.domain.com 12.185.235.5
translate_hits = 502320, untranslate_hits = 4177732

Manual NAT Policies (Section 3)
1 (guest) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
2 (Vendor) to (outside) source dynamic any interface description Allow vendors out to the Internet
translate_hits = 609511, untranslate_hits = 545
3 (inside) to (outside) source dynamic any interface
translate_hits = 831589775, untranslate_hits = 44970007
4 (inside) to (backup) source dynamic any interface
translate_hits = 35, untranslate_hits = 22267
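As an added example that is not part of this thread (my own script, not Cisco's or either poster's), here is a small Python triage helper for exactly the outputs posted above. It embeds the relevant lines of the show route and packet-tracer output as constructed samples, does a longest-prefix lookup for the DNS server, pulls the egress interface that the UN-NAT phase chose, and reports whether the two disagree. The routing table would send 192.168.98.111 to inside via the 192.168.96.0/22 static route, while the (Vendor,outside) NAT rule with an any source diverts the flow to Vendor, where that address is not in any connected network; a NAT divert to an interface that has no adjacency for the destination is one common way to get a no-adjacency drop on an ASA. The interface and object names and addresses are taken from the thread; the keys of the findings dict and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the lines of the "show route" output above that matter here.
SHOW_ROUTE = """\
S 10.0.0.0 255.0.0.0 [1/0] via 192.168.99.254, inside
S 192.168.96.0 255.255.252.0 [1/0] via 192.168.99.254, inside
V 192.168.96.97 255.255.255.255 connected by VPN (advertised), outside
C 192.168.99.0 255.255.255.0 is directly connected, inside
L 192.168.99.1 255.255.255.255 is directly connected, inside
C 192.168.208.0 255.255.252.0 is directly connected, Vendor
L 192.168.208.1 255.255.255.255 is directly connected, Vendor
"""

# Constructed sample: the UN-NAT and ACCESS-LIST phases of the packet-tracer output above.
PACKET_TRACER = """\
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Vendor,outside) source static any any destination static VENDOR-VPN-USERS_POOL-192.168.211.224 VENDOR-VPN-USERS_POOL-192.168.211.224
Additional Information:
NAT divert to egress interface Vendor
Untranslate 192.168.98.111/53 to 192.168.98.111/53

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
"""

# One "show route" line: code, network, mask, anything, then ", <interface>" at the end.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)"
    r"\s+.*?,\s*(?P<ifc>\S+)\s*$"
)


def parse_routes(text):
    """Return a list of (route code, ip_network, egress interface)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            routes.append((m["code"], net, m["ifc"]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (code, network, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for code, net, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, ifc)
    return best


def parse_phases(text):
    """Split packet-tracer output into phases with their Type, Result and raw lines."""
    phases, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "result": "", "lines": []}
            phases.append(cur)
        elif cur is not None:
            if line.startswith("Type:"):
                cur["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                cur["result"] = line.split(":", 1)[1].strip()
            cur["lines"].append(line)
    return phases


def nat_divert_interface(phases):
    """Egress interface forced by the UN-NAT phase, if any."""
    for p in phases:
        if p["type"] == "UN-NAT":
            for line in p["lines"]:
                m = re.match(r"NAT divert to egress interface (\S+)", line)
                if m:
                    return m.group(1)
    return None


def triage(route_text, tracer_text, dst):
    """Compare the routing table's egress choice with the NAT divert and report the first drop."""
    routes = parse_routes(route_text)
    phases = parse_phases(tracer_text)
    best = lookup(routes, dst)
    divert = nat_divert_interface(phases)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    addr = ipaddress.ip_address(dst)
    return {
        "route_egress": best[2] if best else None,
        "nat_egress": divert,
        "drop_phase": drop["type"] if drop else None,
        # True if dst sits in a connected (C) network on the NAT-chosen interface.
        "nat_egress_has_connected_route": any(
            code == "C" and ifc == divert and addr in net for code, net, ifc in routes
        ),
        "egress_mismatch": divert is not None and best is not None and divert != best[2],
    }


if __name__ == "__main__":
    for key, value in triage(SHOW_ROUTE, PACKET_TRACER, "192.168.98.111").items():
        print(f"{key}: {value}")
```

On the thread's data this reports route_egress inside, nat_egress Vendor, egress_mismatch True and no connected route for the DNS server on Vendor, which is the condition to look at before the ACL. The trace was also run without the decrypted keyword, so it was evaluated as cleartext arriving on outside and stopped at outside_access_in; the live asp-drop capture reports no-adjacency rather than acl-drop, so the ACCESS-LIST result in this trace is not necessarily the drop being chased.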

Sorry for my late answer.
I don't see any interface nor a route to reach your DNS server 192.168.98.111.

Is this DNS server internal, or does the traffic have to go over the outside interface to be reachable?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question