01-13-2021 06:19 AM
I want to use AnyConnect VPN to a server that uses BGP to connect.
I found a problem that BGP cannot transfer the route of the VPN pool, so packets can be sent out but not sent back...
Is it that Firepower doesn't have the VPN route, and that causes this problem?
01-13-2021 08:29 AM
I agree with @balaji.bandi that we do not have enough understanding of this environment to be able to understand the issue or to give good advice. It does seem that part of the issue is that BGP is not advertising the IP subnet of the AnyConnect address pool. And there are some things that we can say about that part of the problem.
1) For BGP to advertise a subnet there must be an entry in the IP routing table of the device running BGP for the subnet (and with matching subnet mask). Check the routing table and see if there is an entry that matches the address pool.
2) If there is an entry in the routing table then check the BGP configuration and verify that the appropriate commands are in BGP to advertise this subnet (it might be a network command, a redistribute command, etc.).
3) If there is a command to advertise this subnet then check the BGP configuration for some policy filtering the advertised routes that would block this prefix from being advertised.
I suspect that BGP is not the only part of this issue. But it is a good place to start. Once you have sorted out the BGP issues please provide more information about the environment and about what issues you are experiencing.
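The three checks above, written out as an added ASA-style CLI walkthrough (not from the original thread); the pool 192.0.2.0/24, next hop 10.1.1.2 and AS numbers 65001/65002 are constructed placeholders, and the syntax is assumed to apply to the FTD CLI as well:

```cisco
! Check 1: the pool prefix must be in the routing table with the exact mask.
! AnyConnect itself only installs per-client host routes (/32), so the
! aggregate pool prefix normally has to come from a static route (assumption).
show route | include 192.0.2.0
! Expected: a line for 192.0.2.0 255.255.255.0. If it is missing, this is
! the kind of static entry that would supply it (constructed values):
route inside 192.0.2.0 255.255.255.0 10.1.1.2

! Check 2: BGP must be told to originate that exact prefix/mask.
show running-config router bgp
! A matching configuration looks like this (constructed values):
router bgp 65001
 address-family ipv4 unicast
  neighbor 10.1.1.2 remote-as 65002
  neighbor 10.1.1.2 activate
  network 192.0.2.0 mask 255.255.255.0
! Confirm the prefix made it into the local BGP table:
show bgp | include 192.0.2.0

! Check 3: no outbound policy may filter the prefix toward the neighbor.
show running-config prefix-list
show running-config route-map
! The decisive test is what is actually sent to the peer:
show bgp neighbors 10.1.1.2 advertised-routes
! If 192.0.2.0/24 is in the BGP table but absent here, a route-map or
! prefix-list applied outbound to this neighbor is the place to look.
```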
01-13-2021 08:13 AM
We have no idea what your setup is, what the IP addresses are, what is working, what BGP is working... there are so many questions I can ask.
So please provide:
1. How is your network set up?
2. What device are you working on?
3. Do you have a high-level diagram showing what the issue is?
4. What IP addresses are working or not working?
5. What BGP, iBGP or eBGP?
6. What routing is enabled where?
01-19-2021 07:02 AM
I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.