724 Views, 0 Helpful, 3 Replies

Beginner

Sysopt connection permit not working with packet tracer

Hello All,

We have enabled sysopt connection permit-vpn to bypass the external ACL for Cisco AnyConnect VPN, but a weird thing happened: packet-tracer was always checking the external ACL and never the vpn-filter in the group policy.

The reason I think this is weird is that I can see in the "sh conn" output that VPN users have successfully connected to the internal resources.


1 ACCEPTED SOLUTION

What I am saying is that you cannot use packet-tracer to test VPN connections on the outside interface (or whatever the ingress interface is called). The only time a packet-tracer will work for VPN is if the source is the inside interface and IP with a destination of an IP at the remote end of the VPN tunnel.

And, yes, packet-tracer will always evaluate the interface ACL as it is part of the order of operations for when a packet enters and leaves an interface.

--
Please remember to select a correct answer and rate helpful posts

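To make the accepted answer concrete, here is an added example (not from the original thread, and not taken from Cisco documentation) of the kind of ASA configuration the question describes, the packet-tracer form that is evaluated against the outside ACL, the form the answer says does work, and the show commands that actually confirm the vpn-filter is applied. Interface names, addresses, the ACL name VPN_FILTER and the group-policy name ANYCONNECT_GP are all assumed values constructed for the example.

```cisco
! --- Assumed configuration (constructed for this example) ---
! Decrypted VPN traffic bypasses the ACL on the ingress interface.
sysopt connection permit-vpn

! With the bypass on, the vpn-filter in the group-policy is the only ACL
! applied to AnyConnect users' traffic, so it is the control that matters.
! vpn-filter ACLs are written with the VPN client as the source.
access-list VPN_FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 10.10.10.50 eq 443
access-list VPN_FILTER extended deny ip any any

group-policy ANYCONNECT_GP attributes
 vpn-filter value VPN_FILTER

! --- What the thread says does NOT work: a client simulated from outside ---
! packet-tracer only models through-the-box traffic. The AnyConnect session
! itself is to-the-box, so this trace is checked against the outside
! interface ACL and never reaches VPN_FILTER, regardless of sysopt.
packet-tracer input outside tcp 10.200.0.5 12345 10.10.10.50 443

! --- What the thread says does work: a trace from inside toward the tunnel ---
! Source is an inside host, destination is the client's VPN pool address.
packet-tracer input inside tcp 10.10.10.50 443 10.200.0.5 12345

! --- Verifying the vpn-filter on a real session instead of a simulation ---
show vpn-sessiondb anyconnect
show conn address 10.200.0.5
show access-list VPN_FILTER
```

The last command shows the hit counts on VPN_FILTER; if they increase while a connected client is reaching the internal host, the filter is in the path even though packet-tracer from the outside never reports it.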
3 REPLIES
VIP Advisor

Packet-tracer is used to test through-the-box traffic, so the outside ACL will always be checked when using packet-tracer. VPN is to-the-box, and packet-tracer cannot be used to test a VPN connection on the ingress interface, in this case the outside interface.

--
Please remember to select a correct answer and rate helpful posts
So you are saying packet-tracer will always test the ACL on the interface only, regardless of whether sysopt is enabled or not, for VPN connection simulations.