Re: Cisco FTD 5506X -AnyConnect, FW not forwarding traffic

PNW Weer · ‎02-21-2019

Hi All

I am struggling over 3 days to get Cisco Anyconnect profile working over Cisco FTD 5506-X HA firewalls. I am able to establish the Anyconnect session but can't reach IP address or services inside the corporate network.

To rule out internal routing within the corporate network, I am just trying to reach default GW of FW inside interface. I can see traffic from the any connect client is allowed on events but firewall is not forwarding this traffic to the destination.

I only can reach inside/outside interfaces of of secondary FW, strange....

Last few days I have checked all the NAT/Access and routing, not see any issues.

Really appreciate your suggestions to resolve this issue.

Thanks

Rob Ingram · ‎02-21-2019

Hi,
Do you have a NO NAT rule for the RA Network to the LAN Network, so traffic between SRC and DST is not natted?
Is there routes on the ASA to the inside network for the LAN? Are there routes back from the inside LAN to the RA networks via the ASA?

Can you run a packet trace and upload the output here please?

PNW Weer · ‎02-21-2019

Hi RJI
I have done the NO NAT/ACCESS and Routing accordingly. I also verified many times.

Please note attached Trace file as requested.

10.2.254.142 is the GW to FW inside interface.

Thank you for your quick response.

Rahul Govindan · ‎02-22-2019

Looks correct from the trace. Do you have captures collected on the inside interface? Also, how does the routing look for the VPN pool on your gateway device?