cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1538
Views
0
Helpful
2
Replies

AnyConnect clients (no Split Tunnel) cannot connect IP nodes in the Internet

rherud
Level 1
Level 1

Dear Cisco community,


I have a problem with a ASA5510 (OS: 9.1(6)10; ASDM: 7.6(2)150) and AnyConnect 4.X clients and I really need yout help and ideas!

The AnyConnect clients (no Split Tunnel) can connect and reach hosts directly on the inside interface but they cannot reach IP nodes in the Internet. All traffic from the users must go throuth the tunnel and Spit Tunnel is not allowed.

I determined that AnyConnect client cannot ping its default gateway indicated at ipconfig command when connected. The ASA cannot ping this default gateway (first IP address in the pool) too.


I have aleredy did the following:

1. Checked the connection profile (DefaultWEBVPNGroup) for the AnyConnect clients in the ASDM - no reason for the issue found.

2. Checked the group policy (GP_VPN_PA_User) for the AnyConnect clients in the ASDM - no reason for the issue found.

3. Checked the relevant system settings:

fw-pa/act(config)# sh run same-security-traffic
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface <---

fw-pa/act(config)# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn <---
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
sysopt noproxyarp inside
no sysopt noproxyarp gast-wlan
no sysopt noproxyarp dmz1

The VPN-Filter (vpnfilter-gp_VPN_PA_User) in the group policy does not contain a deny statement that prevent the Internet access.

I have pasted out the relevant configuration lines and hope not to forget something:

ip local pool vpn-bh-ra-pool 192.168.253.1-192.168.253.254
...
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-bh-ra-pool
 authentication-server-group LDAP_Servers
 default-group-policy GP_Deny_ALL
...
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.2.0 255.255.254.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.8.0 255.255.255.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.18.0 255.255.254.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.20.0 255.255.254.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.22.0 255.255.255.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.96.0 255.255.254.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any 172.16.102.0 255.255.255.0 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any host 172.16.4.38 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any host 172.16.32.38 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object H-HAG-CTX1 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object H-HAG-CTX2 log disable 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object-group grp-adito 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object h-172.17.0.14 
access-list vpnfilter-gp_VPN_PA_User extended permit ip any object AditoService
...
access-list vpnfilter-DenyAll extended permit ip any object AditoService inactive 
access-list vpnfilter-DenyAll extended deny ip any any ,
...
group-policy GP_VPN_PA_User internal
group-policy GP_VPN_PA_User attributes
 wins-server value 172.16.2.32 172.16.2.33
 dns-server value 172.16.2.32 172.16.2.33
 vpn-filter value vpnfilter-gp_VPN_PA_User
 vpn-tunnel-protocol ssl-client ssl-clientless
 msie-proxy pac-url value http://bh-enterprise.company.org/wpad.dat
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value GP_VPN_AC_SBL type user
...
group-policy GP_Deny_ALL internal
group-policy GP_Deny_ALL attributes
 wins-server value 172.16.2.32 172.16.2.33
 dns-server value 172.16.2.32 172.16.2.33
 vpn-simultaneous-logins 3
 vpn-filter value vpnfilter-DenyAll
 vpn-tunnel-protocol ssl-client ssl-clientless
 default-domain value company.org
...
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-bh-ra-pool
 authentication-server-group LDAP_Servers
 default-group-policy GP_Deny_ALL 

My questions:

1. What can case such behaviour of the AnyConnect clients and where would you look to find the reason for this issue?

2. Do you have any sample configuration for AnyConnect (no Split Tunnel) with Internet access?


Every hint is very welcome and will be followed.


Thanks a lot!

 


Greatings!

1 Accepted Solution

Accepted Solutions

Hi,
What NAT do you have configured for the VPN Pool network? If possible provide the output of "show nat"
If you temporarily remove the VPNFilter from the session do you get connectivity?

Can you run a packet-tracer from the CLI and upload the output. e.g:- "packet-tracer input inside tcp 192.168.253.5 1024 10.4.1.1 80"

HTH

View solution in original post

2 Replies 2

Hi,
What NAT do you have configured for the VPN Pool network? If possible provide the output of "show nat"
If you temporarily remove the VPNFilter from the session do you get connectivity?

Can you run a packet-tracer from the CLI and upload the output. e.g:- "packet-tracer input inside tcp 192.168.253.5 1024 10.4.1.1 80"

HTH

Hi RJI,

 

thanks for the hints!

I found the reason in the NAT because the existing 'nat (outside,outside)' command was insufficient. The Packet tracer pointed to an ACL and sent me to the wrong trace :-(

 

Thanks a lot!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: