01-29-2013 01:41 PM
Hi,
I was running 8.4.4 on an ASA5510, everything chugging away nicely. I have SSL AnyConnect clients connecting on this ASA and also a site-to-site (IPSec) VPN too.
After an upgrade to 9.1(1) I noticed the following:
AnyConnect Clients can still connect and access INSIDE servers. (great!)
The site-to-site VPN is fine and both sites have full connectivity. (great!)
HOWEVER, AnyConnect clients cannot connect to servers across the site-to-site vpn.
This is a pain to troubleshoot, as the first leg (SSL) and the second (IPSec) are both obviously encrypted.
I have no idea (other than to roll back) how this can be fixed.
Any help, greatly appreciated.
thanks
Matt
01-29-2013 09:45 PM
Matt,
we had similar problems in the past. Vide:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412
This particular one IS fixed in 9.1 however a few other interesting bugs (especially around NAT) are also fixed between 8.4.4 and 8.4.5 (and consequently 9.0/9.1 releases). e.g.
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq47028
Open up a TAC case, we'll help you figure it out.
M.
01-30-2013 08:40 AM
Thank you for the response, Marcin; it looks like the first bug "ASA: Anyconnect u-turn to ipsec tunnel fails".
I fear this will not be fixed as we are running the latest O/S.
Do you know of any troubleshooting/debug/show commands I can run to confirm this?
thanks again
Matt
01-30-2013 08:58 AM
Matt,
CSCty32412 <--- I have my doubts, you are running a version that fixes this problem.
Hence my suspicion it's something else (NAT possibly)
"show asp drop" + "cap ASP type asp all" + "show nat" + "debug nat" are places to start.
M.
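A worked example of the "show asp drop" check Marcin suggests, added here and not part of the original thread. Because the counters are cumulative, the useful reading is the difference between a snapshot taken before and one taken after an AnyConnect client tries to reach a server across the site-to-site tunnel. The script parses two such snapshots and lists which drop reasons moved; the two snapshots below are constructed sample output (the reason names are real ASA counters, the values are made up), and the NAT/VPN-related prefix list is a heuristic of mine, not anything from the thread.

```python
import re

# One counter line of "show asp drop" looks like:
#   <description> (<reason-name>)            <count>
DROP_LINE = re.compile(
    r"^\s*(?P<desc>.+?)\s+\((?P<name>[A-Za-z0-9_-]+)\)\s+(?P<count>\d+)\s*$"
)

# Heuristic (my assumption, not from the thread): reason names with these
# prefixes are the ones worth looking at first when VPN hairpin traffic dies.
SUSPECT_PREFIXES = ("acl-", "nat-", "ipsec-", "no-adjacency", "no-route", "vpn-")

# Constructed sample snapshots, formatted like real "show asp drop" output.
BEFORE = """Frame drop:
  Flow is denied by configured rule (acl-drop)                          1510
  NAT-T keepalive message (natt-keepalive)                              83911
  No valid adjacency (no-adjacency)                                        12
  IPSEC Spoof detected (ipsec-spoof)                                        4

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                         9
"""

AFTER = """Frame drop:
  Flow is denied by configured rule (acl-drop)                          1512
  NAT-T keepalive message (natt-keepalive)                              83964
  No valid adjacency (no-adjacency)                                        12
  IPSEC Spoof detected (ipsec-spoof)                                        4

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                         9
"""


def parse_asp_drop(text):
    """Return {reason_name: (description, count)} for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("name")] = (m.group("desc"), int(m.group("count")))
    return counters


def diff_asp_drop(before, after):
    """Return [(reason_name, description, delta)] for counters that grew,
    largest delta first. Reasons absent from the first snapshot count from 0."""
    old = parse_asp_drop(before)
    new = parse_asp_drop(after)
    rows = []
    for name, (desc, count) in new.items():
        delta = count - old.get(name, (desc, 0))[1]
        if delta > 0:
            rows.append((name, desc, delta))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def flag_suspects(rows):
    """Names from a diff that match the NAT/VPN heuristic prefixes."""
    return [name for name, _, _ in rows if name.startswith(SUSPECT_PREFIXES)]


if __name__ == "__main__":
    rows = diff_asp_drop(BEFORE, AFTER)
    for name, desc, delta in rows:
        print(f"{delta:>8}  {name:<20}  {desc}")
    print("look first at:", ", ".join(flag_suspects(rows)) or "(nothing flagged)")
```

Run "clear asp drop" (or take a first snapshot), reproduce the failing AnyConnect-to-remote-site connection, take the second snapshot and feed both in. A reason that increments by roughly the number of packets you sent is the one to chase with "capture <name> type asp-drop <reason>" and "show nat"; counters such as natt-keepalive move on their own and are noise here.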