ASA Profile Dropping Packets

pugs17211721
Level 1

Ok, I have an interesting situation going on here. We have multiple profiles established on our ASA for remote user VPN connectivity. Let's focus on 2 of them now. We have one (conveniently called anyconnect) that is for the general population of our users to use. This serves as normal everyday day-to-day connectivity for the users. We have another profile, Eng-VPN, that is for only select users, as it has access to business critical applications only, and blocks access to other "normal" connections. The anyconnect profile does not have access to the business critical application.

 

So here are the specifics: When I connect to the Eng-VPN and run pings to the business critical applications (10.55.40.10, 10.55.40.11 and 10.55.40.100 in this case) they all ping/respond in the same pattern at the same time. They will generally (again all 3 at the same time) ping for 6 consecutive pings, drop for 4-5 pings. All 3 at the exact same time. This pattern is pretty consistent, but in the course of my testing/research sometimes it does ping for 30 min + consecutively. One thing to note is that 10.55.40.10 and 10.55.40.11 are connected via VMs to our core switch (next hop off of the ASA) and the 10.55.40.100 is a physical on a different switch (one further step from the core switch).

 

If I modify the rules for the Anyconnect profile to allow this connectivity it doesn't drop a ping at all, all pings are good and in working order.

Has anyone ever experienced this or something like this before?

Anyconnect Profile

 

group-policy companyvpn internal
group-policy companyvpn attributes
wins-server none
dns-server value 10.55.35.66 10.55.35.62
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value company.com
split-dns value company.com
msie-proxy method no-modify
address-pools value vpnpool
webvpn
anyconnect ssl keepalive 30

 

ENG-VPN Profile


group-policy APPLICATION-VPN-GP attributes
wins-server none
dns-server value 10.55.35.66 10.55.35.62
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-filter value APPLICATION-Loaction-VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value company.com
split-tunnel-all-dns enable
address-pools value application-vpn-pool
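
A side-by-side comparison of the two group policies posted above, as an added example that is not part of the original post. The helper names `parse_policy` and `diff_policies` are hypothetical; the attribute lines are copied from the post, and the output only lists the settings that differ between the profiles.

```python
# Attribute lines copied from the two group-policy blocks in the post above.
ANYCONNECT = """\
wins-server none
dns-server value 10.55.35.66 10.55.35.62
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
default-domain value company.com
split-dns value company.com
msie-proxy method no-modify
address-pools value vpnpool
webvpn
anyconnect ssl keepalive 30
"""
ENG_VPN = """\
wins-server none
dns-server value 10.55.35.66 10.55.35.62
vpn-idle-timeout none
vpn-session-timeout 1440
vpn-filter value APPLICATION-Loaction-VPN-Filter
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value company.com
split-tunnel-all-dns enable
address-pools value application-vpn-pool
"""

def parse_policy(text):
    # Map each attribute keyword to its arguments.
    attrs = {}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        # "anyconnect ssl keepalive 30" is keyed on its first three words.
        n = 3 if words[0] == "anyconnect" else 1
        attrs[" ".join(words[:n])] = " ".join(words[n:])
    return attrs

def diff_policies(a, b):
    # {attribute: (value_in_a, value_in_b)} for settings that differ; None = absent.
    pa, pb = parse_policy(a), parse_policy(b)
    return {k: (pa.get(k), pb.get(k))
            for k in sorted(pa.keys() | pb.keys()) if pa.get(k) != pb.get(k)}

if __name__ == "__main__":
    for key, (left, right) in diff_policies(ANYCONNECT, ENG_VPN).items():
        print(f"{key:26} anyconnect={left!r:46} eng-vpn={right!r}")
```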