hmmm, well if you are not using webssl, perhaps you have AnyConnect over IKEv2. Can you share the crypto config from your ASA?
cheers,
Seb.
Hi there,
AnyConnect will use UDP/443 and TCP/443 as a fallback. Check that both destination ports are allowed into the SRX zone that the ASA is positioned in.
cheers,
Seb.
I know with the ASA you can initiate an IPSec connection with one end of the connection having a dynamic IP address, but I do not believe it is possible with two dynamic endpoints.
Cheers,
Seb.
Hi there,
When you use the archive download-sw command, why don't you use the /image-only argument? This will remove all other files/folders.
If you just want the .bin file at root, why not download the .bin image and position it manually with the copy command?
Cheers,
Seb.
Hi there,
My first thought, without testing it, would be that you need to specify a source interface for your ping. The link-local FE80 address provides no information to the router (subnet prefix) to tell it which connected interface to source the ping from.
cheers,
Seb.
Yes, you will still have internet connectivity, but the AnyConnect client will adjust your routing table as @Dennis Mink points out, which will send any traffic not destined for the local subnet (except the encrypted tunnel traffic itself) via the tunnel.
Once your traffic arrives at the ASA you will need to have the correct routing and firewall policy in place to allow access to the internet.
cheers,
Seb.
Hi there,
It sounds like once the VPN is established all of your non-local traffic is being sent to the ASA endpoint and hitting various policies.
If you want to maintain a local connection to the internet you will need to configure split-tunneling for the AnyConnect VPN. This will allow you to specify which subnets you can reach via the VPN; everything else will leave via the local LAN gateway.
This is viewed as a security risk in most situations.
cheers,
Seb.
Hi there,
On your ISP routers, have you forwarded the following protocols/ports to the RV340 inside (192.168.100x) address from the public interface:
protocol 50 (ESP)
UDP/500
UDP/4500
cheers,
Seb.
@Joseph W. Doherty
:) I had overlooked multicast.
Are you sure about PC2 responding to an ARP request from PC1?
PC1 will know PC2 is in a different subnet so will only be ARP'ing for the local gateway. Agreed that PC2 will see the broadcast, but its network stack will discard it once it sees the ARP payload.
I had thought about adding the notion of ARP spoofing to this thread, i.e. PC2 sending an ARP reply to PC1's ARP request for its local gateway. Is this ARP cache poisoning (done by both PCs) the basis of the unicast communication you mention?
Assuming at either end of the trunk link, both switchports are configured with:
!
switchport mode trunk
switchport trunk allowed vlan all
!
...the tagged frames will transit the link fine; however, the two PCs will remain in separate VLANs so will be unable to communicate. You need a Layer 3 interface to make this topology work.
If your switches are configured like:
! SW1
!
switchport mode trunk
switchport trunk vlan 10
!
! SW2
!
switchport mode trunk
switchport trunk vlan 20
!
...broadcast frames will transit the link; however, they will be silently dropped by the receiving switch as they are received on a switchport which has not been configured to receive that VLAN ID.
cheers,
Seb.
An access-to-access connection will strip out all VLAN information from the frames in transit. I've used this kludge several times on production networks when receiving a connection from a third party and I need to put it in a different VLAN with a different ID to fit the local allocation. Try it :)
Yes, if it is leaving via a mode access port, then there will be no VLAN ID on the frame; therefore SW2 can receive it on its own access port and it will end up in VLAN 20.
Sounds like it could be an STP issue.
Is your PC connected to the 2960? Is the 2960 the root bridge for the VLAN you are connected to?
On both the 2960 and SG 350 what is the output of:
sh spanning-tree vlan <your_vlan_id>
cheers,
Seb.
Adding to @Mark Malone, you can further secure your access layer with DHCP Snooping and DAI, which will prevent users from using IP addresses which have not been received from trusted DHCP servers.
cheers,
Seb.