ASA 9.1, Anyconnect connected but no access to internal network

Dan Pride
Level 1

I have configured an 5520 ASA running 9.1(3) for SSL anyconnect. I can connect with the anyconnect client, but I cannot access any networks on the inside of the asa. The config is attached. I have also created a static route to the VPN-POOL network on my main internal router pointing to the inside interface of this asa. Any ideas why I can't get to internal resources once connected?

16 Replies

Tim Y
Level 1

Hi there,

Your split-tunnel ACL could be the problem. Can you confirm by going to one of your VPN connected computers, opening a command prompt, and typing route print?

Look for a route to the 10.0.0.0 255.0.0.0 network via your VPN-Pool gateway and interface. If that isn't there, replace your ACL with this:

access-list SplitTunnel extended permit ip object Inside any

Regards,

Tim

Thanks for the reply. Routes on the VPN-connected device always show up correctly; even with your correction, I cannot get to internal networks. See below for the routes.

Let me know if you can see anything else, but my config is rather basic, so I'm not sure what's going wrong here.

Current split-tunnel config:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.38.19.1 10.38.19.189 25
10.0.0.0 255.0.0.0 192.168.200.2 192.168.200.1 2

With corrected split-tunnel config above:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.38.19.1 10.38.19.189 25
10.0.0.0 255.0.0.0 192.168.200.2 192.168.200.1 2
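A route-table check for the split-tunnel question Tim raised, added here as an example that is not part of this thread and not a Cisco tool: it parses the IPv4 section of a Windows `route print` table and reports, using the same longest-prefix-then-metric lookup Windows performs, whether hosts in each split-tunnel network would actually leave through the VPN adapter. The sample table is constructed, modelled on the ones pasted above; the extra 10.38.19.0/24 on-link row is an assumption added to show a local LAN that overlaps the tunnelled range.

```python
import ipaddress
import re

# Constructed sample of `route print` output, modelled on the tables pasted in
# this thread; the 10.38.19.0/24 on-link route is an added assumption that shows
# a local LAN overlapping the split-tunnel range.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.38.19.1     10.38.19.189     25
         10.0.0.0        255.0.0.0    192.168.200.2    192.168.200.1      2
       10.38.19.0    255.255.255.0         On-link      10.38.19.189    281
===========================================================================
"""

# One "Active Routes" row: destination, netmask, gateway (may be "On-link"),
# interface IP, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return [(network, gateway, interface_ip, metric)] from the IPv4 Active Routes section."""
    routes = []
    in_active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        m = ROUTE_RE.match(line) if in_active else None
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gateway, iface, int(metric)))
    return routes


def best_route(routes, address):
    """Windows picks the longest matching prefix first, then the lowest metric."""
    addr = ipaddress.ip_address(address)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def egress_interface(route_text, address):
    """Interface IP a packet to `address` would leave from, or None if unroutable."""
    route = best_route(parse_route_print(route_text), address)
    return route[2] if route else None


def check_split_tunnel(route_text, split_networks, vpn_adapter_ip):
    """For each split-tunnel network, report whether its hosts go out via the VPN adapter.

    A network can be present in the table and still fail here when a more specific
    local route (an on-link LAN) wins the lookup for part of it.
    """
    report = {}
    for cidr in split_networks:
        net = ipaddress.ip_network(cidr)
        probe = net.network_address + 1  # first usable host of the split network
        report[cidr] = egress_interface(route_text, probe) == vpn_adapter_ip
    return report


if __name__ == "__main__":
    print(check_split_tunnel(ROUTE_PRINT, ["10.0.0.0/8", "10.38.19.0/24"], "192.168.200.1"))
    for host in ("10.113.0.204", "10.38.19.5", "8.8.8.8"):
        print(host, "->", egress_interface(ROUTE_PRINT, host))
```

The split-tunnel ACL names the networks the client should tunnel; this script tells you whether the client's routing table agrees, including the case where a coffee-shop LAN in the same 10.x range silently steals part of that space.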

Hi,

Let's do a small test.

Are you able to ping the inside interface of the ASA?

Add this command on the ASA:

management-access inside

Now use debug icmp trace on the ASA and check if the pings are able to reach to the ASA from the Anyconnect client.

Use undebug all to stop the debugs.

If you see pings reaching the ASA then use asp captures on the ASA.

cap asp type asp-drop all

Use cap asp | in <Anyconnect client IP>

This would make sure if the ASA is not dropping the traffic.

Also share the output of show run all sysopt.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

management-access Inside was already in my config. 

I cannot ping the inside interface of the ASA from the anyconnect client. 

debug icmp trace shows no pings incoming.

sysopt command:

no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside

Hi,

What do the asp captures say? Can you take them?

Also, let's go for an interface capture as well.

If debug icmp trace does not show anything that means pings do not even make it to the ASA.

access-list test permit ip host <Anyconnect IP> host <Inside ip>

access-list test permit ip host <inside IP> host <Anyconnect ip>

cap capin access-list test interface inside

Regards,

Aditya


Thanks for the help, but sadly no difference in these tests.

I ran the following:

cap asp type asp-drop all

my anyconnect client is 192.168.200.1

I ran the following filter on the capture

sh capture asp | inc 192.168

It returns no packets. Without the filter, it returns traffic hitting the inside interface from the inside and a couple of other sources, but nothing from 192.168.

I also created the test ACLs above and ran the following:

access-list test permit ip host 192.168.200.1 host 10.113.0.204

access-list test permit ip host 10.113.0.204 host 192.168.200.1

cap capin access-list test interface inside

I began a ping from the anyconnect client to the Inside interface

the capture captures no traffic.

Hi,

That's weird.

That means client traffic is not even reaching the ASA.

Did you try using Anyconnect from any other PC/location?

Regards,

Aditya


I was testing this through a public wifi network. I'll try it from home and a couple of other places tonight and let you know.

Thanks for all your help.

See reply above to Tim. I tried this from two other networks with the same result. 

Traffic is reaching the ASA, as verified with the show vpn-s any command, but it's just not passing through it.

Thanks again for your help, but I'm as confused as you are.

Hey,

Once connected to the VPN, can you go to the ASA and show me the output of "show vpn-s any" please? Are the Bytes TX/RX incrementing?

Do you have any other NAT statements that you didn't show in the config? If so, make sure the one you have there to exempt the VPN traffic is at the top of the list. 

Also, I assume the router that has the route to the VPN-pool network pointing to the ASA is the only way your inside clients can get to the ASA? Just want to confirm everything has a route back.

Regards,

Tim

See below for show command. The tx/rx did not increment in the couple minutes I ran this command. I tried to ping and RDP to internal locations between show commands. 

The full config is listed in my initial post. I purposely tried to make this as simple as possible, so I'm pretty confused at this point why it's not working.

This route is on the main router this ASA and all internal clients are using as a gateway:

ip route 192.168.200.0 255.255.255.0 10.113.0.204

show vpn-s any

Session Type: AnyConnect

Username : <username> Index : 28
Assigned IP : 192.168.200.1 Public IP : 98.193.26.3
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)RC4 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 11048 Bytes Rx : 6820
Group Policy : GroupPolicy_Local Tunnel Group : Local
Login Time : 00:20:01 UTC Wed May 25 2016
Duration : 0h:07m:46s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
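Two of the checks asked for in this thread, the `show run all sysopt` output Aditya requested and Tim's question about whether the session's Bytes Tx/Rx counters move, done over pasted CLI text. This is an added example, not part of the thread and not a Cisco tool; the two session snapshots and the sysopt lines are constructed, modelled on the outputs shown above, and the verdict labels are my own.

```python
import re

# Two constructed snapshots of `show vpn-sessiondb anyconnect` (the `show vpn-s any`
# used in the thread), taken a few minutes apart while the client tries to reach
# internal hosts. Values are modelled on the session above, not captured live.
SNAPSHOT_BEFORE = """\
Session Type: AnyConnect

Username     : jdoe                   Index        : 28
Assigned IP  : 192.168.200.1          Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Bytes Tx     : 11048                  Bytes Rx     : 6820
Group Policy : GroupPolicy_Local      Tunnel Group : Local
Duration     : 0h:07m:46s
"""

# Same session a few minutes later: the client has sent more bytes up the
# tunnel, but the ASA has sent nothing back.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("Bytes Rx     : 6820", "Bytes Rx     : 9412")

# Constructed `show run all sysopt` output, modelled on the lines pasted earlier.
SYSOPT_OK = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection permit-vpn
sysopt connection reclassify-vpn
"""

# Two of these fields share a line with another field, so scan rather than split.
FIELD_RE = re.compile(r"(Username|Assigned IP|Bytes Tx|Bytes Rx)\s*:\s*(\S+)")


def parse_session(text):
    """Pull username, assigned IP and the two byte counters out of one session block."""
    fields = dict(FIELD_RE.findall(text))
    return {
        "user": fields["Username"],
        "assigned_ip": fields["Assigned IP"],
        "tx": int(fields["Bytes Tx"]),  # ASA -> client
        "rx": int(fields["Bytes Rx"]),  # client -> ASA
    }


def has_permit_vpn(sysopt_text):
    """True when `sysopt connection permit-vpn` is active; a `no ...` line means it is not."""
    return any(line.strip() == "sysopt connection permit-vpn"
               for line in sysopt_text.splitlines())


def diagnose(before, after):
    """Classify a session from the counter deltas between two snapshots of the same session."""
    if before["assigned_ip"] != after["assigned_ip"]:
        raise ValueError("snapshots are from different sessions")
    d_tx = after["tx"] - before["tx"]
    d_rx = after["rx"] - before["rx"]
    if d_rx == 0 and d_tx == 0:
        # Nothing enters the tunnel: look at the client's routes / split-tunnel ACL.
        verdict = "NO_TRAFFIC"
    elif d_rx > 0 and d_tx == 0:
        # ASA receives but never answers: inside-interface capture, NAT exemption
        # order, sysopt permit-vpn, and the return route to the pool.
        verdict = "RX_ONLY"
    elif d_tx > 0 and d_rx == 0:
        verdict = "TX_ONLY"
    else:
        verdict = "BIDIRECTIONAL"
    return {"delta_tx": d_tx, "delta_rx": d_rx, "verdict": verdict}


if __name__ == "__main__":
    before = parse_session(SNAPSHOT_BEFORE)
    after = parse_session(SNAPSHOT_AFTER)
    print(diagnose(before, after))
    print("permit-vpn active:", has_permit_vpn(SYSOPT_OK))
```

Paste the two `show vpn-sessiondb anyconnect` outputs into the two snapshot strings; the absolute Tx/Rx values only reflect tunnel setup, so it is the delta between snapshots, not the raw numbers, that says whether user traffic is flowing.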

Hi,

Are you even able to ping the inside IP of the ASA?

Regards,

Aditya


No, I cannot ping the inside interface of the asa from the connected VPN client.

Do you think this has anything to do with the anyconnect client version? I am using an older client because I'm out of license period on this ASA. I am running a 3.1 client. 

Hi,

That's the only thing I can think of.

It's an old version so if you could try using a newer client that would be great.

Regards,

Aditya
