2312 Views, 0 Helpful, 3 Replies

Sysopt connection permit not working with packet tracer

Alfredcfc
Level 1

Hello All,

We have enabled sysopt connection permit-vpn to bypass the external ACL for Cisco AnyConnect VPN, but a weird thing happened: packet-tracer was always checking the external ACL and never the vpn-filter in the group policy.

Why I think this is weird: I can see in the "sh conn" logs that VPN users have successfully connected to the internal resources.


3 Replies

Packet-tracer is used to test through-the-box traffic, so the outside ACL will always be checked when using packet-tracer. VPN is to-the-box traffic, and packet-tracer cannot be used to test a VPN connection on the ingress interface, in this case the outside interface.

--
Please remember to select a correct answer and rate helpful posts

So you are saying packet-tracer will always test the ACL on the interface only, regardless of whether sysopt is enabled or not, for VPN connection simulations?

Accepted solution:

What I am saying is that you cannot use packet-tracer to test VPN connections on the outside interface (or whatever the ingress interface is called). The only time packet-tracer will work for VPN is if the source is the inside interface and IP, with a destination of an IP at the remote end of the VPN tunnel.

And, yes, packet-tracer will always evaluate the interface ACL, as it is part of the order of operations for when a packet enters and leaves an interface.

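The verification sequence the accepted answer describes, written out as an ASA CLI walk-through. This is an added example, not configuration from the thread; interface names, ACL and group-policy names, and all addresses are constructed placeholders.

```text
! ---- Constructed ASA configuration fragment (names and addresses are placeholders) ----
! Let decrypted VPN traffic bypass the interface ACL; access control for VPN
! users then comes from the vpn-filter attached to the group policy.
sysopt connection permit-vpn
!
! vpn-filter ACLs are written from the VPN client's point of view:
! source = the client's assigned address, destination = the internal resource.
access-list ANYCONNECT_VPN_FILTER extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ANYCONNECT_VPN_FILTER extended deny ip any any
!
group-policy ANYCONNECT_GP attributes
 vpn-filter value ANYCONNECT_VPN_FILTER
!
! ---- Verification ----
! 1. Confirm the sysopt setting is really in effect. It is a default value and
!    is hidden from a plain "show running-config", so ask for defaults too.
show running-config all sysopt
!
! 2. This will NOT reflect the bypass: a packet injected on the outside
!    interface is treated as through-the-box traffic and is evaluated against
!    the outside interface ACL, exactly as seen in the original question.
packet-tracer input outside tcp 192.168.100.5 40000 10.1.1.10 443
!
! 3. The direction that does exercise the tunnel: an inside host toward the
!    address currently assigned to a connected AnyConnect client. The trace
!    should show a VPN phase rather than ending at the outside ACL.
packet-tracer input inside tcp 10.1.1.10 50000 192.168.100.5 443
!
! 4. Ground truth for real sessions rather than simulations: the session
!    table and the connection table for the client's assigned address.
show vpn-sessiondb anyconnect filter name <username>
show conn address 192.168.100.5
```

Step 3 only produces a meaningful trace while a client actually holds 192.168.100.5, since the route to the client address exists only for the life of the session.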