
AnyConnect and IPSec Client with dynamic-map on ASA 5520

Hello,

We are investigating a problem with AnyConnect on our ASA 5520 with ASA 8.4(5) and ASDM 7.1(1)52. We have about 30 L2L VPNs and about 300 users working with the VPN full client over IPsec.

The following dynamic crypto map and ACL are configured for the VPN clients:

crypto map INTERNET_map 65535 ipsec-isakmp dynamic INTERNET_dyn_map

crypto dynamic-map INTERNET_dyn_map 1 match address INTERNET_cryptomap_65535.1

crypto dynamic-map INTERNET_dyn_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-AES-256-SHA

crypto dynamic-map INTERNET_dyn_map 1 set ikev2 ipsec-proposal AES256 3DES

access-list INTERNET_cryptomap_65535.1 extended permit ip any any

This configuration for the full client worked for a few years. So far, so good.

Additionally, we want to migrate to the AnyConnect client, so webvpn is enabled on the inside and INTERNET interfaces.

A connection via AnyConnect or Webclient to the external port 443 is discarded by the ASA; btw, a connection to port tcp/10000 for IPsec over TCP is also discarded.

Yesterday we discovered the following fact. After deleting the dynamic crypto map and creating it again with ASDM, it looks like this:

crypto map INTERNET_map 65535 ipsec-isakmp dynamic INTERNET_dyn_map

crypto dynamic-map INTERNET_dyn_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-AES-256-SHA

crypto dynamic-map INTERNET_dyn_map 1 set ikev2 ipsec-proposal AES256 3DES

Without the match address statement, the crypto map works with the VPN full client and the AnyConnect client, and a connection to port 10000 is also possible.

After modifying a value in the tab 'traffic selection' for this crypto map with ASDM, the following lines are inserted in the config:

crypto dynamic-map INTERNET_dyn_map 1 match address INTERNET_cryptomap_65535.1_1

access-list INTERNET_cryptomap_65535.1_1 extended permit ip any any

After this point AnyConnect doesn't work any more.

Modifying the tab 'traffic selection' again, e.g. disabling 'Enable Rule' under 'More Options', produces the following:

crypto dynamic-map INTERNET_dyn_map 1 match address INTERNET_cryptomap_65535.1_1

access-list INTERNET_cryptomap_65535.1_1 extended permit ip any any inactive

Now AnyConnect is working again, but the VPN full client fails.

After deleting the line

crypto dynamic-map INTERNET_dyn_map 1 match address INTERNET_cryptomap_65535.1_2

with the CLI, AnyConnect and the VPN full client are working again.

How can I prevent ASDM from inserting this line?

Perhaps this is a bug in ASDM?

Any other ideas or suggestions about this?

Thanks in advance.

Best Regards,

Robert
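An added example, not part of the post above and not Cisco or ASDM code: a small Python audit helper that lists every `match address` statement attached to a dynamic crypto map, together with the ACL it references, which static crypto map the dynamic map is bound to, and whether the ACL is a `permit ip any any` entry or has been marked `inactive`. Running it over a saved `show running-config` after an ASDM edit makes it easy to see whether a traffic selector like the one described in the post has been inserted, before users start reporting failures. The sample configuration embedded below is constructed from the lines quoted in the post (with the ACL in its `inactive` state); the function and field names are my own and are not part of any Cisco tool.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ASA configuration fragments quoted in the post,
# with the traffic-selection ACL in the 'inactive' state from the second ASDM edit.
SAMPLE_CONFIG = """\
crypto map INTERNET_map 65535 ipsec-isakmp dynamic INTERNET_dyn_map
crypto dynamic-map INTERNET_dyn_map 1 match address INTERNET_cryptomap_65535.1_1
crypto dynamic-map INTERNET_dyn_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-3DES-MD5 ESP-AES-256-SHA
crypto dynamic-map INTERNET_dyn_map 1 set ikev2 ipsec-proposal AES256 3DES
access-list INTERNET_cryptomap_65535.1_1 extended permit ip any any inactive
"""

# 'crypto map <name> <seq> ipsec-isakmp dynamic <dynamic-map>'
CRYPTO_MAP_DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)\s*$")
# 'crypto dynamic-map <name> <seq> match address <acl>'
DYN_MATCH_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) match address (\S+)\s*$")
# 'access-list <name> [extended|standard] permit|deny <spec> [inactive]'
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended |standard )?(permit|deny) (.+?)( inactive)?\s*$"
)


def parse_dynamic_map_selectors(config: str) -> List[Dict]:
    """Return one finding per 'match address' on a dynamic crypto map.

    Each finding records the dynamic map and sequence number, the referenced ACL,
    the static crypto map the dynamic map is bound to (if any), whether the ACL is
    defined at all, whether it contains a 'permit ip any any' entry, and whether
    every entry of the ACL is marked inactive.
    """
    acls: Dict[str, List[Dict]] = {}
    bindings: Dict[str, Tuple[str, int]] = {}
    selectors: List[Tuple[str, int, str]] = []

    for raw in config.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_DYN_RE.match(line)
        if m:
            bindings[m.group(3)] = (m.group(1), int(m.group(2)))
            continue
        m = DYN_MATCH_RE.match(line)
        if m:
            selectors.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(
                {"action": m.group(2), "spec": m.group(3), "inactive": bool(m.group(4))}
            )

    findings: List[Dict] = []
    for dyn_name, seq, acl_name in selectors:
        entries = acls.get(acl_name, [])
        findings.append(
            {
                "dynamic_map": dyn_name,
                "seq": seq,
                "acl": acl_name,
                "bound_to": bindings.get(dyn_name),
                "acl_defined": bool(entries),
                "any_any": any(
                    e["action"] == "permit" and e["spec"].startswith("ip any any")
                    for e in entries
                ),
                "all_inactive": bool(entries) and all(e["inactive"] for e in entries),
            }
        )
    return findings


def describe(finding: Dict) -> str:
    """One human-readable line per finding for a quick post-change review."""
    bound: Optional[Tuple[str, int]] = finding["bound_to"]
    where = f"bound to crypto map {bound[0]} seq {bound[1]}" if bound else "not bound to a crypto map"
    state = "inactive" if finding["all_inactive"] else "active"
    scope = "permit ip any any" if finding["any_any"] else "specific selector"
    if not finding["acl_defined"]:
        scope = "ACL NOT DEFINED"
    return (
        f"dynamic-map {finding['dynamic_map']} seq {finding['seq']}: "
        f"match address {finding['acl']} ({scope}, {state}); {where}"
    )


if __name__ == "__main__":
    for f in parse_dynamic_map_selectors(SAMPLE_CONFIG):
        print(describe(f))
```

On a real box, feed the function the output of `show running-config crypto` and `show running-config access-list` concatenated; an empty result means no traffic selector is attached to any dynamic crypto map, which is the state the post reports as working for both client types.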