SPAN on switch kills ASA AnyConnect VPN access

William Becker
Level 1

I wanted to see if someone has seen this before. We are setting up a SPAN session on a 3750X stack (2 switches) to monitor the inside interface of an ASA5510. As soon as I set the following on the switch, AnyConnect kills all sessions and you get an error that "AnyConnect is not configured on the server" (or close to that) when you try to reconnect. Removing the monitor and rebooting returns AnyConnect. This is set up with 2 ASA5510s in failover. Here is how I set up the switch:

monitor session 1 source interface gig2/0/16 (ASA Inside interface)

monitor session 1 destination interface gig1/0/3 (monitoring device) (I did not specify the encapsulation)

Any ideas, or maybe you've seen this before? Any help would be appreciated.

4 Replies

joe19366
Level 1

I suspect one of these ports is an RSPAN VLAN, so you're perhaps triggering some rule about RSPAN not learning MAC addresses - is that the case?

Any other monitor sessions?

Code versions?

AnyConnect should connect even if the INSIDE port is disabled ;)

So therefore, I think something is happening to your OUTSIDE port.

Thanks

This is the only session for that inside interface, or any other interface for that matter. The monitoring platform is a Palo Alto 5050; this is the first I've used it, we are testing it in our environment. I am very confused why the AnyConnect gets dropped. I am checking to see if there are any issues within the release running on the ASA, I will update if I find anything. If all else fails I will open a TAC case, have them look into it, and I'll post that as well.

A PAN 5050 firewall?

Post the topology: first link from the Internet, cabling, VLANs, etc.

We'll figure it out.

OK, figured out what was causing the issue. The previous admin set up the switches and mislabeled the switches. Once I checked through the CLI I discovered that I was setting up the monitoring on the wrong ports.

Lesson learned: don't trust someone else's work.

Thank you for the replies.
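The thread resolves as a mislabeled port, so the check worth doing before any SPAN change is to confirm from the switch itself which port actually learns the ASA's inside MAC, rather than trusting labels or interface descriptions. The following IOS sequence is an added example for this thread, not configuration from the original post; the MAC address is a placeholder for the value shown by `show interface inside` on the ASA, and the interface names are the ones from the thread.

```cisco
! 1. Find the port that really faces the ASA inside interface.
!    Replace 0000.0000.0000 with the MAC reported by the ASA's "show interface inside".
show mac address-table address 0000.0000.0000
! 2. Cross-check that the candidate port carries that MAC and nothing unexpected.
show mac address-table interface GigabitEthernet2/0/16
! 3. Descriptions can be stale (this thread); do not rely on them alone.
show interfaces GigabitEthernet2/0/16 description
! 4. Make sure no existing session already uses either port.
show monitor session all
! 5. Only then configure the SPAN session, replicating the original encapsulation
!    so VLAN tags reach the monitoring device as the ASA sent them.
configure terminal
 monitor session 1 source interface GigabitEthernet2/0/16 both
 monitor session 1 destination interface GigabitEthernet1/0/3 encapsulation replicate
end
! 6. Verify the session before walking away from the console.
show monitor session 1
```

If step 1 returns a different port than the label suggests, fix the labels and descriptions first; a SPAN destination port stops forwarding normal traffic, so pointing it at a production uplink by mistake looks exactly like the outage described above.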
