cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3794
Views
10
Helpful
21
Replies

RV340 VPN only allowing access to 10 addresses

zardoz001b
Level 1
Level 1

I have two RV340 routers setup at various locations, and are working properly with this exception.  When I initiate a client-to-site vpn, I can only access approximately 10 ip addresses on the internal network.  I haven't found anywhere in the configurations of the router where the remote network is defined or anything, which would be my first thought.  Any insights?

21 Replies 21

To answer your questions..

a.  I can ping .252 which is the gateway address.  There is not a dedicated server per se on site as they use their pc's purely to connect to web sites.  All of the hosts have the .252 setup as the default gateway otherwise they would not be able to access the internet.  And .252 is the DNS server for the network.

 

b.  Most every accessible device is a printer interestingly enough.  I cannot even connect to the managed switches on site.  All of the devices on the lan have the .252 default gateway.

 

c.  All of the hosts are configured to .252 for the gateway, which is the lan address of the RV

nagrajk1969
Spotlight
Spotlight

Hi Zardoz,

 

Addditionally, i see that you had attached the RV340 config file of another client of yours...so looking at the config applied on the RV340 router at this client, the deployment is like below:

 

{Internal-network: 10.223.219.0/24}------10.223.219.254/24(vlan1-ipaddr)[rv340router2]wan1----[Internet]----AnyConnect-Clients]

 

1. Now if you look at the xml/pdf config file, you see a section for the ipaddress configured on the vlan1(lan-network) interface of RV340

 

========================================

<ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
<enabled>true</enabled>
<forwarding>false</forwarding>
<address>
<ip>10.223.219.254</ip>
<prefix-length>24</prefix-length>
</address>
</ipv4>

================================================

 

2. In the same xml/pdf document, from the sslvpn server config section, we can see the below settings

 

a) the ip-pool configured for he any-connect clients that will connect to this server 

==================================

<sslvpn xmlns="http://cisco.com/ns/ciscosb/vpn-ssl">
<enable>true</enable>
<interface>WAN1</interface>
<gateway-port>8443</gateway-port>
<certificate>Default</certificate>
<address-pool>10.223.221.0</address-pool>
<netmask>255.255.255.0</netmask>

...

..........

======================================

- so this means that each of the AnyConnect SSL-VPN client connecting to this server will be assigned a ipaddress such as "10.223.221.x"....lets say for example 10.223.221.2 for 1 of the anyconnect-client that has successfully established the connection/tunnel

 

b) Next in the ssl-vpn server config, the below split-tunnel network has been added/configured...this is the internal-lan-subnet of this RV340...which is correct config

 

=======================================

<group-policies>
<group-policy>
<policy-name>SSLVPNDefaultPolicy</policy-name>
<enable>false</enable>
<primary-dns-server>10.223.219.254</primary-dns-server>
<secondary-dns-server>8.8.8.8</secondary-dns-server>
<disabled/>
<split-tunnelling>
<enable>true</enable>
<include-traffic/>
<split-network>
<ip>10.223.219.0</ip>
<netmask>255.255.255.0</netmask>
</split-network>
</split-tunnelling>
</group-policy>
</group-policies>
</sslvpn>

=============================================

 

3. So now here too, you have to find out and answer the below question yourselves

 

- Are ALL the internal-lan-network hosts/servers/etc configured with the default-gw ipaddress of 10.223.219.254 (the vlan1 lan-interface ipaddress of RV340)????

 

- Are the 10 hosts that the AnyConnnect clients can communicate to been configured with the default-gw ipaddr of 10.223.219.254???

 

I have attached the relevant portion from your xml/pdf config file for your further study/analysis

 

-regards

 

 

 

 

Identical configuration other than the assignable addresses to the other customer.  All hosts are using the .254 address in this case.  And again, the addresses visible seem to be predominantly printers.

 

 

nagrajk1969
Spotlight
Spotlight

Hi 

 

1. If what you say is correct then , If i look at the config on the RV340, there is NO WAY it will prevent in any which way to route packets from the anyconnect-clieni ts to any of the internal-lan hosts 

- i also checked in my own setup the same configs with same subnets

- also i see that there are 2 firewall acl rules (which are frankly speaking definitely NOT needed, at all). I even added these 2 rules as is in my setup

- and i could very successfully connect the sslvpn tunnel and also access ALL the lan-hosts (that have def-gw configiured to the RV340 ipaddress)

 

2. I think if you can, please tell me how the internal-lan side is connected to the RV340

a) as you mentioned, there are managed switches...layer-3 swicthes?

b) are the lan-hosts in different vlans or the same vlan-subnet as the vlan1 of RV340

 

3. I think something is wrong...something else is missing witg regards to the network-deployment which you have not yet mentioned

 

As i said, the RV340 config is as simple and basic as it can be...and there is NO specfic config that is present that would prevent the routing of traffic from the anyconnect clients to/from the lan-hosts....

 

I have gone thru the RV340 config file 3-4 times now checking the various sections...even the default inter-vlan routing is also enabled on vlan1 interface of RV340...so i dont understand how the routing could not happen to other hosts in the lan-network, unless the "lan-hosts" are connected/configured in some specific way...

 

How many managed switches are there in the lan-network? and how are they connected to the RV340?

And is there any layer3 switching/routing configured on the lan-mananged switches...????

 

KIndly double check every config on the various network componets again...and capture the packets recieved from the anyconnect-connect clients at various points of the internal-network...so that you can trace upto where the packets are going and why is it getting dropped or not replied at a certain host or network point.....

 

 

 

1.  That was my conclusion as well.  According to the configs, I should have complete access to the entire network.  All of the endpoints have the RV as the default gateway.

 

The ACL's were a test to see if there was perhaps a block on the traffic, which I found was not successful in giving me the access needed.

 

2.  The lan is connected to the RV in this particular customers case, through a Cisco SF350 48 Port switch, configured on VLAN 1, matching the RV.  This is a layer 3 switch, with all 48 ports configured on vlan 1, same subnet.  There are a couple other switches connected in different parts of the establishment, connected to the primary switch by a fiber uplink, also to layer 3 Cisco switches.

 

3.  I'm not sure what's missing.  The endpoints are all setup static if that makes any difference, but I wouldnt think it would.  I even went as far as trying ACL's in the switches to see if that would make any difference, to no avail. 

 

In this case, there are 3 L3 switches setup, all on the same VLAN.

 

Now you understand why this is slightly frustrating.  Everything in the config that I see points to the fact that I should have access to all of the endpoints on the network.  But I dont.  To let you all know as well, this isn't my first VPN that I've worked with.  I've done many over the years using Cisco catalysts, sonicwalls, etc...  so I do have an idea what I'm looking at.  That's why I'm reaching out to see if there's something I've missed somewhere either in the switch config, or in the router config.  From what I've gathered here, the router config is good.  What puzzles me the most however is that the endpoints that I'm able to get to are all shared printers.  What would be on said printers (Xerox copiers, etc) that would allow them to be visible, but not the L3 switches and such that are directly connected to the RV?  This is why I've been scratching my head for a while on this one.

nagrajk1969
Spotlight
Spotlight

Hi Zardoz

 

Based on your points, the attached schematic is my understanding of your network deployment at one of the 2 sites using RV340

 

Since you mentioned 3 layer3 switches all in same vlan1, then each of the switches must already be confifured with say the ipaddresses for example 10.223.219.1, 10.223.219.2, 10.223.219.3...and for these switches to respond to the access requests coming from the anyconnect-client (with ipaddr 10.223.221.x), then each of the switches have to be configured with the def-gw ipaddr of 10.223.219.254

 

Since you say Printers are accessible, then i think they are correctly confugured with the def-gw as 10.223.219.254 (the rv340 lan interface address)

 

Double check again...

 

hope this helps you solving your issue

 

Turns out you were right about the default gateway for the switches, etc.  They are accessible across the VPN now.  Thanks for the insight!!

Review Cisco Networking for a $25 gift card