Anyconnect on ASA cannot reach Servers on Lan

pcromwell
Level 3

I have an ASA 5510. I can successfully create an AnyConnect SSL client VPN tunnel and can successfully ping a server on the voice VLAN. However, I need to make connections to the voice servers, but they just time out. In the ASA logging, it says "connection denied as there is no syn in the packet".

From looking around the web, people are suggesting this error means an asymmetric route. I don't believe I have this. My setup is

VPN -> ASA -> Router (192.168.8.0,network doing all the routing) -> Vlans 5 and 6 created on switches.

I have attached my running config; the addresses are not the actual IP addresses but representations.

I am hoping it is something obvious that I have overlooked.

ASA version is 9.1

6 Replies

jumora
Level 7

Can you do me a favor and, if possible, get me logs from the ASA when you try to establish communication? On ASDM you need to enable logging at debugging level and then go to Monitoring > Logging > Real-Time Log Viewer and filter out the AnyConnect address.

You can also set up a capture through the capture wizard; just select the local interface and specify the AnyConnect client address and destination IP.

Value our effort and rate the assistance!

Please mark your ticket as answered so that it does not show as active.

kevin_giusti
Level 1

Upon taking a quick look it looks like you are missing your twice NAT entries.

ex.

object network 192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0

object network 2.2.2.0-24
 subnet 2.2.2.0 255.255.255.0

nat (voice,outside) source static 192.168.3.0-24 192.168.3.0-24 destination static 2.2.2.0-24 2.2.2.0-24 no-proxy-arp route-lookup

I had neglected to mention, I am not using NAT. The ASA is for VPNs only.

OK, am I understanding this correctly: when you connect you can ping the voice servers no problem, however, for example, you cannot create an HTTP or some other service connection to them?

Hi Kevin,

I have managed to sort it out. It was asymmetric routing that was the issue. After doing TCP inspect bypass, it has all worked fine.
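A log-triage sketch for the symptom discussed in this thread, added here as an example and not posted by any participant: it groups the ASA's TCP "no connection" denials by flow and flags the ones where a SYN ACK was dropped, which is the usual sign that the SYN took a different path. It assumes the denials are logged as syslog message 106015, treats 2.2.2.0/24 as the VPN pool, and uses constructed log lines; the verdict labels are a heuristic.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the denials appear as syslog 106015, "Deny TCP (no connection)".
PATTERN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Constructed sample log lines (not taken from the poster's ASA).
SAMPLE_LOG = """\
Jan 10 10:01:02 asa %ASA-6-106015: Deny TCP (no connection) from 192.168.3.10/443 to 2.2.2.15/51514 flags SYN ACK  on interface voice
Jan 10 10:01:05 asa %ASA-6-106015: Deny TCP (no connection) from 192.168.3.10/443 to 2.2.2.15/51514 flags SYN ACK  on interface voice
Jan 10 10:02:11 asa %ASA-6-106015: Deny TCP (no connection) from 192.168.3.20/22 to 2.2.2.15/51600 flags RST  on interface voice
Jan 10 10:03:40 asa %ASA-6-106015: Deny TCP (no connection) from 192.168.3.30/80 to 10.9.9.9/40000 flags SYN ACK  on interface voice
Jan 10 10:03:41 asa %ASA-6-302013: Built inbound TCP connection 77 for outside:2.2.2.15/51700 (2.2.2.15/51700) to voice:192.168.3.10/443 (192.168.3.10/443)
"""


def triage(log_text, vpn_pool):
    """Group 106015 denials that involve the VPN pool and label each flow."""
    pool = ipaddress.ip_network(vpn_pool)
    flows = defaultdict(Counter)
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # some other syslog message
        src, dst = m["src"], m["dst"]
        if not any(ipaddress.ip_address(a) in pool for a in (src, dst)):
            continue  # unrelated to the AnyConnect clients
        flows[(src, dst, m["iface"])][m["flags"].strip()] += 1
    report = {}
    for key, flags in flows.items():
        # A denied SYN ACK means the reply reached this interface although
        # the ASA holds no half-open connection created by the SYN.
        verdict = ("asymmetric-path-suspected" if flags["SYN ACK"]
                   else "stale-or-closed-connection")
        report[key] = (verdict, dict(flags))
    return report


if __name__ == "__main__":
    for (src, dst, iface), (verdict, flags) in triage(SAMPLE_LOG, "2.2.2.0/24").items():
        print(f"{src} -> {dst} on {iface}: {verdict} {flags}")
```

Flows labelled asymmetric-path-suspected are the ones worth tracing hop by hop before disabling TCP state checks for them, since a bypass removes the firewall's TCP state validation for whatever traffic it matches.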
