Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
471
Views
0
Helpful
5
Replies

AnyConnect users cannot use hub & spokes tunnels

MercatorIneo
Level 1
Level 1

‎02-01-2017 09:04 AM - edited ‎03-05-2019 07:57 AM

Hello,

We have a "hub and spokes" configuration made with 4 routers Cisco 800. 

Each spoke router use "crypto map staticmap" to connect to the hub router.

The "hub and spokes" config works perfectly. Each user at each branch can ping any pc in other branches. -> OK

The "hub router" is also a webvpn gateway. Mobile users use AnyConnect 4.4 to connect to the webvpn gateway and they can ping any PC in the branch hosting the "hub router". -> OK

These mobile users can NOT ping routers and computers in the spokes sites -> Not OK.

Previously, this traffic was working without problem. In the interval we have done these upgrades 

  • AnyConnect 3.1 -> 4.4
  • IOS 15.3 -> 15.6

We do not know if one of these upgrades is the reason of this change.

I put here relevant parts of the hub router config :

interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip access-group 121 out
ip nat inside
ip virtual-reassembly in
!

interface Virtual-Template1
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
!

ip local pool vpnpool 192.168.20.4 192.168.20.20

access-list 51 remark ----------------------------------------
access-list 51 remark Split-include WebVPN 
access-list 51 permit 192.168.4.0 0.0.0.255 = spoke
access-list 51 permit 192.168.20.0 0.0.0.255 = mobile user
access-list 51 permit 192.168.32.0 0.0.0.255 = spoke
access-list 51 permit 192.168.3.0 0.0.0.255 = spoke
access-list 51 permit 192.168.2.0 0.0.0.255 = spoke

webvpn context SSL
virtual-template 1
aaa authentication list VPN
gateway SSL1
!
ssl authenticate verify all
inservice
!
policy group default
functions svc-enabled
filter tunnel webvpn-acl
svc address-pool "vpnpool" netmask 255.255.255.0
svc keep-client-installed
svc rekey method new-tunnel
svc split include acl 51
svc dns-server primary 192.168.2.110
svc dns-server secondary 192.168.32.110
default-group-policy default
!
end

Thanks in advance for any help.

Best regards,

Guy

Labels:
0 Helpful
5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

‎02-01-2017 05:51 PM

Is 192.168.20.0/24 included in the crypto domain going to each site?

Rather than old school static crypto maps between the sites, have you considered using VTI Tunnels or DMVPN.  These are often easier to integrate (that means there are less problems) with user to site VPN users.

0 Helpful

MercatorIneo
Level 1
Level 1
In response to Philip D'Ath

‎02-02-2017 12:31 PM

Thank you for you help.

Yes, in remote branches, 192.168.20.0/24 is not natted and correctly set in the ACL referenced in the static map.

I've observed this : if someone in a remote branch ping the IP of the mobile anyConnect user

- this first ping succeeds with 80%

- the following pings succeed with 100%

- the mobile anyConnect user can ping the branch -> OK

Before this ping, "show ip route" does not show any route to the mobile anyConnect user. After this ping, the route is shown.

Does this reveal a problem with the reverse route ?

ip routing is enabled on each routers and "reverse-route" is present in static/dynamic maps.

Thanks for continuing helping.

Kind regards,

Guy

0 Helpful

Georg Pauwen
VIP
VIP
In response to MercatorIneo

‎02-02-2017 01:41 PM

Hello,

according to the document I linked earlier, your split include access should look like this:

access-list 51 remark ----------------------------------------
access-list 51 remark Split-include WebVPN
access-list 51 permit 192.168.4.0 0.0.0.255 = spoke
access-list 51 permit 192.168.20.0 0.0.0.255 = mobile user
access-list 51 deny 0.0.0.0 0.0.0.0
access-list 51 permit 192.168.32.0 0.0.0.255 = spoke
access-list 51 permit 192.168.3.0 0.0.0.255 = spoke

Also:

Enable Local LAN Access in the AnyConnect profile (in the Preferences Part 1 menu of the profile editor. (You also have the option to make it user controllable.)

0 Helpful

MercatorIneo
Level 1
Level 1
In response to Georg Pauwen

‎02-03-2017 05:22 AM

Thank your for the help.

Unfortunately these 2 changes do not solve de problem.

Kind regards,

Guy

0 Helpful

Georg Pauwen
VIP
VIP

‎02-02-2017 12:14 AM

Hello,

with AnyConnect version 4.4, the split include tunnel behavior has changed:

New Split Include Tunnel Behavior (CSCum90946)

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/release/notes/b_Release_Notes_AnyConnect_4_4.html#id_37865

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card