
CiscoAnyconnect Users Redirect

Skyw3lker (Level 1)

Dear fellow Networkers, 

As in the attached photo:

 

The thing is 

1. The Server VLAN and the Local user VLAN can access the AWS cloud network.

2. Remote users using AnyConnect (session terminated on the Cisco ASA) can access the network and reach both the Server and Local user VLANs, BUT they can NOT reach the AWS cloud.

What can I do to make them also able to reach the AWS cloud network?

17 Replies

Hello,

 

the ASA needs certain settings in order for the AnyConnect clients to be able to connect to AWS. Can you post the configuration of your ASA?

There are several things that could produce symptoms like you describe. Two of the most common are an issue frequently referred to as hairpinning or an issue with how the site to site vpn was set up. Hairpinning is when a data packet comes in one interface of the ASA and needs to be forwarded back out the same interface. By default the ASA does not allow this and if you want this to work you must specifically enable same security level on the ASA. The other possible issue is that in setting up the site to site vpn there is usually an access list that identifies the traffic that can be sent over the vpn. It is possible that the pool of addresses used for AnyConnect is not included in that access list.

 

As Georg suggests the best thing would be for you to post the config of the ASA.

 

HTH

 

Rick

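To make Rick's two points concrete, here is an added ASA configuration sketch (not the poster's configuration and not taken from the thread) for the case where the site-to-site tunnel terminates on the ASA itself. It assumes the AnyConnect pool lives in 172.16.30.0/24, a placeholder AWS subnet 10.100.0.0/16, a placeholder server VLAN 192.168.10.0/24, an interface named outside, a crypto map named outside_map, and an existing IKEv2 policy and tunnel-group for the AWS peer.

```cisco
! Added example, not the thread's config. Names and addresses are placeholders
! except the 172.16.30.x AnyConnect range mentioned in the thread.

! 1) Hairpinning: AnyConnect traffic arrives on "outside" and must leave the
!    ASA on "outside" again to enter the site-to-site tunnel. The ASA drops
!    such traffic unless intra-interface forwarding is explicitly permitted.
same-security-traffic permit intra-interface

! 2) Objects for the networks involved (placeholder addressing)
object network ANYCONNECT_POOL
 subnet 172.16.30.0 255.255.255.0
object network SERVER_VLAN
 subnet 192.168.10.0 255.255.255.0
object network AWS_VPC
 subnet 10.100.0.0 255.255.0.0

! 3) Crypto ACL ("interesting traffic") for the AWS tunnel. If only the local
!    LAN is listed, remote-access flows never match the tunnel. Adding the
!    AnyConnect pool as a source is the fix Rick describes.
access-list AWS_VPN_TRAFFIC extended permit ip object SERVER_VLAN object AWS_VPC
access-list AWS_VPN_TRAFFIC extended permit ip object ANYCONNECT_POOL object AWS_VPC

! 4) NAT exemption so pool addresses are not translated before encryption.
!    Both interfaces are "outside" because the flow hairpins on that interface.
nat (outside,outside) source static ANYCONNECT_POOL ANYCONNECT_POOL destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (inside,outside) source static SERVER_VLAN SERVER_VLAN destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup

! 5) IPsec proposal and the crypto map entry for the AWS peer (peer address is
!    a documentation placeholder). The IKEv2 policy and tunnel-group holding
!    the pre-shared key are assumed to exist already.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 10 match address AWS_VPN_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map interface outside
```

To verify the path end to end, `packet-tracer input outside tcp 172.16.30.50 12345 10.100.1.10 443` walks a constructed AnyConnect-to-AWS flow through the ASA and shows whether it hits the NAT exemption and the VPN phase, or where it is dropped.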

Thank you all for your kind reply

 

the remote user subnet is 172.16.30.10-200

Hello,

 

which tunnel group belongs to AWS? What is the AWS endpoint? You are using non-descriptive names, so it is very hard to figure out what belongs to what. Can you highlight the access lists, NAT exemptions (if applicable), group policy and tunnel group that belong to AWS?

Hello,

 

looking at your picture again, it looks like you have the tunnel to AWS configured on your Forcepoint, so that is most likely where the problem is. Can your remote VPN users ping the Forcepoint? What routing do you have configured between the Forcepoint and the ASA?

I agree with Georg that we need better identification of where we need to focus. But there are a couple of things I notice that may point us in the right direction. I see that the crypto map that is applied to the outside interface is outside2_map. And this crypto map does not have any site to site vpn entries. So I believe that Georg is right about the vpn not being configured on the ASA. So if we believe that it is an issue with how the vpn is configured then we need to see the config where it is defined.

 

Also I notice that there is not any configuration for same-security-traffic. I am pretty sure that you need this for AnyConnect users to be able to access the site to site vpn. Here is a link to documentation about this command:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s1.html

 

HTH

 

Rick


I'm extremely sorry for you guys for the late response

your help is greatly appreciated

 

I tried to make it as clear as possible for you. Kindly check the photo below.


Multiple copies of the same picture, as far as I can tell, are not particularly helpful. I have made a suggestion about configuring same security level on the ASA. Have you done anything about that?

 

Georg and I have both made the point that the vpn appears to be configured not on the ASA. If we believe that it may be an issue with the vpn then we need some information from the device where the vpn is configured.

 

HTH

 

Rick


Sorry for the multiple copies.
I didn't change the security level yet.
The remote users (Cisco AnyConnect) are being terminated on the ASA.

The VPN tunnel (site-to-site) is configured on the Forcepoint to AWS.

My suggestion is to first configure same-security-traffic and see if the behavior changes. If there is still a problem then you need to supply information about how the vpn is configured on the Forcepoint.

 

HTH

 

Rick


Hello Rick and community,

I am trying to set up the AnyConnect VPN wizard from the GUI, but it asks me to upload a client image.

 

Where can I download the image? Can I have the link, please, or is there any way to avoid that?

Thank you.

Regards,

 

 

Star