Cannot Ping Anything Using Anyconnect 4.5

WildMan365
Level 1

I just configured AnyConnect on an ASA 5505 & I can successfully connect, but I have no access to anything on the inside and no Internet access. I checked that I have an IP on my laptop in the range I configured & can see myself logged on in a VPN session also. I created a no-NAT rule but cannot seem to figure out what I'm missing or whether I have misconfigured something. Here is my config & laptop stats below....

Mario365# sh run
: Saved
:
: Serial Number: JMX1422Z1SF
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)
!
hostname Mario365
enable password Z5tXLWscwJUZOz0q encrypted
passwd Z5tXLWscwJUZOz0q encrypted
names
ip local pool SSLCLIENTPOOL 10.0.2.1-10.0.2.100 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ddns update hostname eagleshouse.ddns.net
ip address dhcp setroute
!
ftp mode passive
object network insidenet
subnet 10.0.1.0 255.255.255.0
object network ANYCONNECT_REMOTENET
subnet 10.0.2.0 255.255.255.0
access-list acl-inside extended permit ip any any
access-list acl-inside extended permit icmp any any
access-list acl-inside extended permit icmp any any echo-reply
access-list acl-outside extended permit icmp any any
access-list acl-outside extended permit icmp any any echo-reply
access-list acl-outside extended deny ip any any log
access-list AllowAll extended permit ip any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
!
object network insidenet
nat (inside,outside) dynamic interface
access-group acl-inside in interface inside
access-group acl-outside in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint LOCALTRUST
enrollment self
fqdn none
subject-name CN=10.0.1.1
keypair SSLVPNKEY
crl configure
crypto ca trustpool policy
crypto ca certificate chain LOCALTRUST
certificate ea5ba75a
3082019d 30820106 a0030201 020204ea 5ba75a30 0d06092a 864886f7 0d010105
05003013 3111300f 06035504 03130831 302e302e 312e3130 1e170d31 38303331
33313235 3832355a 170d3238 30333130 31323538 32355a30 13311130 0f060355
04031308 31302e30 2e312e31 30819f30 0d06092a 864886f7 0d010101 05000381
8d003081 89028181 00c10640 0e7d7a7b ffadac21 5ea73f93 4bfc4c60 fe431d66
444ba8bb 549175ba b2af8ee2 7cd85ea0 5109a98e e439c22f 96193c39 913adf53
88f07228 528d7ba1 d1b7caf5 0b94347d 8a76833b 9cd70c5a f95f3cd8 891a26a9
e836a4cf 0b657abd df75812b 4e074628 ae7900f0 a9c9a20b e66e108e 95f9ccd1
5b0c0fa4 d082380c fb020301 0001300d 06092a86 4886f70d 01010505 00038181
00729fd8 e9f69e25 68d891db 4c7b5c39 414f3e1f 598d647b d8f55074 aaae2c2c
30e44dee b93b4f7d 901deedf 09601a29 44151df6 1b798fe0 75cbbcef 0676fd26
73cded1c d43ff6b5 76e01abc 2223a28d 568cebc5 ef1b5e8d c177a0b3 5582931f
61ac5377 8cf99d73 8efef691 ed940a65 61839114 00a7058c 38f9abd7 0cb4ec08
6b
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client update dns server both
dhcpd update dns both
!
dhcpd address 10.0.1.100-10.0.1.200 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 604800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point LOCALTRUST outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.04029-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy SSLCLIENT internal
group-policy SSLCLIENT attributes
dns-server value 8.8.8.8
vpn-filter value AllowAll
vpn-tunnel-protocol ssl-client
address-pools value SSLCLIENTPOOL
username mmarquez password fRAgGdr9iEIBx9ry encrypted privilege 15
username mmarquez attributes
service-type remote-access
tunnel-group SSLCLIENT-VPN type remote-access
tunnel-group SSLCLIENT-VPN general-attributes
default-group-policy SSLCLIENT
tunnel-group SSLCLIENT-VPN webvpn-attributes
group-alias MARIOVPN enable
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:04896595f6a90f7811688ab3132916bb
: end
Mario365#

________________________________________________________

Mario365# sh vpn-sessiondb svc

Session Type: AnyConnect

Username : mmarquez Index : 15
Assigned IP : 10.0.2.1 Public IP : 107.77.204.181
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES128 DTLS-Tunnel: (1)AES128
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA1 DTLS-Tunnel: (1)SHA1
Bytes Tx : 15198 Bytes Rx : 84949
Group Policy : SSLCLIENT Tunnel Group : SSLCLIENT-VPN
Login Time : 00:24:36 UTC Wed Mar 14 2018
Duration : 0h:02m:19s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 0a0001010000f0005aa86bc4
Security Grp : none

Mario365#

----------------------------------------------------------------

Ethernet adapter Ethernet 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::7ffb:6072:941d:3ce5%16(Preferred)
Link-local IPv6 Address . . . . . : fe80::88de:5d52:5dac:cffb%16(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.2.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ::
10.0.2.2
DHCPv6 IAID . . . . . . . . . . . : 268436890
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-65-C5-19-98-E7-F4-DF-75-77
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled

12 Replies

Francesco Molino
VIP Alumni

Hi

You didn't configure split tunneling, which means you should by default tunnel all.

Can you verify and confirm it from your AnyConnect client?

Also can you share output of following commands:

- sh run all sysopt

- packet-tracer input outside icmp 10.0.2.1 8 0 10.0.1.2 detail

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Here are the outputs you requested. The packet-tracer output shows I can ping from the AnyConnect subnet to the inside subnet. I always try to ping the inside gateway 10.0.1.1 once I establish an AnyConnect connection & never get a reply. As far as I know the inside interface does reply to pings; I am having an inside user try it now. I also try to ping 8.8.8.8 once a connection is established & get no reply. I can ping 8.8.8.8 normally when I am on the inside with a 10.0.1.x address.

I also tried to connect from my work laptop using AnyConnect version 3.1, but I got denied after entering my local login. I assume that version 3.1 is not compatible with the .pkg file I have loaded onto the ASA & that only versions in the 4.x range would work. Is that correct?

Mario365# sh run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
Mario365#

____________________________________________________________________________

Mario365# packet-tracer input outside icmp 10.0.2.1 8 0 10.0.1.2 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   10.0.1.0        255.255.255.0   inside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.0.1.2/0 to 10.0.1.2/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-outside in interface outside
access-list acl-outside extended permit icmp any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcd104c00, priority=13, domain=permit, deny=false
        hits=16076, user_data=0xca2b0e80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.2.1/0 to 10.0.2.1/0
 Forward Flow based lookup yields rule:
 in  id=0xccd0bbb8, priority=6, domain=nat, deny=false
        hits=0, user_data=0xc90b0758, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.0.2.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcbc8cfe0, priority=0, domain=nat-per-session, deny=true
        hits=523671, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc329f08, priority=0, domain=inspect-ip-options, deny=true
        hits=494425, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc3299a8, priority=66, domain=inspect-icmp-error, deny=false
        hits=111288, user_data=0xcc328fb8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xccc5ce08, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xccd1df88, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.0.2.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 514905, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

Mario365#

Users from the inside can ping the inside gateway 10.0.1.1 & 8.8.8.8
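An added example, not part of the thread and not WildMan365's config: the pieces a tunnel-all AnyConnect deployment on ASA 9.x needs beyond what is posted, together with the checks that show whether each piece is working. It reuses the names from the posted config (ANYCONNECT_REMOTENET = 10.0.2.0/24, interfaces inside/outside) and rests on two assumptions that the page does not confirm: with no split tunnel, a client packet for 8.8.8.8 is decrypted on outside and has to leave on outside again, which the posted config neither permits (no `same-security-traffic`) nor translates (the only PAT is for the insidenet object); and the inside interface address 10.0.1.1 itself does not answer ICMP that arrives through a tunnel terminated on another interface unless `management-access` is enabled, even though hosts behind it do. Because the posted config also opens ASDM and SSH to 0.0.0.0/0 on outside, the example moves that access onto the VPN instead.

```cisco
! Added example, not from the original thread. Names reuse the posted
! config (ANYCONNECT_REMOTENET = 10.0.2.0/24, interfaces inside/outside).

! --- 1. Hairpin support for tunnel-all clients ------------------------
! Decrypted client traffic bound for the Internet enters and leaves
! "outside". The ASA drops same-interface flows unless this is set.
same-security-traffic permit intra-interface

! PAT the VPN pool to the outside address for outside->outside flows.
! The posted config only PATs 10.0.1.0/24 (object insidenet), so 10.0.2.x
! would leave untranslated and the reply would never come back.
nat (outside,outside) source dynamic ANYCONNECT_REMOTENET interface

! The VPN-to-LAN exemption from the posted config stays as it is. As a
! manual (section 1) rule it is evaluated before the insidenet object
! NAT (section 2), so LAN-bound client traffic is never PATed.
nat (inside,outside) source static any any destination static ANYCONNECT_REMOTENET ANYCONNECT_REMOTENET no-proxy-arp route-lookup

! --- 2. Letting VPN clients reach the inside interface itself ----------
! Without this the ASA will not answer ping/SSH/ASDM to 10.0.1.1 that
! arrive through a tunnel terminated on outside.
management-access inside

! --- 3. Management plane: reachable over the VPN, not from the Internet
! Clients land on the VPN anyway, so grant the pool on the inside
! interface and drop the world-wide entries. Removing "http ... outside"
! does not affect AnyConnect; webvpn "enable outside" keeps port 443.
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
http 10.0.2.0 255.255.255.0 inside
ssh 10.0.2.0 255.255.255.0 inside
ssh key-exchange group dh-group14-sha1

! --- 4. Checks (enable mode, not config mode) -------------------------
! Simulate a client ping to the Internet: expect an (outside,outside)
! NAT phase and "Action: allow". The thread's trace only tested LAN.
packet-tracer input outside icmp 10.0.2.1 8 0 8.8.8.8 detail
! Both translations should be listed with non-zero hits after a test.
show nat detail
! Prove whether client packets reach the inside wire while a session is
! up (the host-side captures in the thread saw none).
capture CAPI interface inside match icmp host 10.0.2.1 any
show capture CAPI
no capture CAPI
```

Sections 1 to 3 are entered in configuration mode and saved with `write memory`; section 4 is run from enable mode with the client connected. If the packet-tracer toward 8.8.8.8 still stops before the NAT phase, or the inside capture stays empty for LAN-bound pings, the problem is upstream of these settings and the trace's drop reason is the next thing to read.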

Pinging inside is another thing. Can you try first accessing LAN services to be sure that your anyconnect users can access your LAN, because that was your first issue.

Thanks
Francesco

After making a successful connection, when I try to ping any LAN resource or telnet to a port on a LAN resource I am not successful. Does the config look right? Does the version of AnyConnect work with my ASA/license? I am certainly not an expert at this, but in my mind this may be a compatibility issue between AnyConnect versions & the ASA, or the config is botched. Should I try version 3.x? Here is the ASA info below...

Mario365# sh version

Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 5.2(4)

Compiled on Tue 14-Jul-15 22:19 by builders
System image file is "disk0:/asa924-k8.bin"
Config file at boot was "startup-config"

Mario365 up 1 day 21 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.06
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1

0: Int: Internal-Data0/0 : address is c84c.7527.bcfb, irq 11
1: Ext: Ethernet0/0 : address is c84c.7527.bcf3, irq 255
2: Ext: Ethernet0/1 : address is c84c.7527.bcf4, irq 255
3: Ext: Ethernet0/2 : address is c84c.7527.bcf5, irq 255
4: Ext: Ethernet0/3 : address is c84c.7527.bcf6, irq 255
5: Ext: Ethernet0/4 : address is c84c.7527.bcf7, irq 255
6: Ext: Ethernet0/5 : address is c84c.7527.bcf8, irq 255
7: Ext: Ethernet0/6 : address is c84c.7527.bcf9, irq 255
8: Ext: Ethernet0/7 : address is c84c.7527.bcfa, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has a Base license.

Serial Number: JMX1422Z1SF
Running Permanent Activation Key: (hid key; don't know if it should be seen?)
Configuration register is 0x1
Configuration last modified by mmarquez at 00:21:20.398 UTC Wed Mar 14 2018

Hi

Config looks good and the AnyConnect version is OK as well.

You said it worked once and now not working anymore?
What network resource are you trying to access to? Is it a switch, a server?
Is the ip of this device in the same range as your inside interface?

Thanks
Francesco

I am able to connect with the AnyConnect client version 4.5, but I'm not able to access anything inside or out. I'm trying to access my switch & server via SSH & RDP but cannot get to or ping anything. What do you think is going on?

That's why I'm asking what are IP addresses of your server?

Can you run a tcpdump on the server to see if it receives packets from your anyconnect client

Thanks
Francesco

Sorry, I was under the impression you saw the config I posted. There are only 2 interfaces on the ASA, an inside & an outside. The server & inside devices I am referring to are using inside addresses from the inside interface 10.0.1.0/24. These are the IPs that I can't ping, as well as anything outside on the Internet such as 8.8.8.8.

I ran captures on my server & other inside devices, pinging them and telnetting to open ports on these inside devices, while successfully connected with AnyConnect. The captures show no attempts from my AnyConnect IP address pool (10.0.2.0/24) while doing this.

Not to get off path, but I also tried connecting with AnyConnect from another PC which has AnyConnect client version 3.1 & got mixed results, all bad I should say. When this happened the AnyConnect client gave me an error saying the certificate on the secure gateway is not valid (something to that effect) & from the same PC/client another error saying I need to get on a web browser first & my provider is not online (something to that effect also). I was able to successfully connect with AnyConnect to other ASAs from the same PC/client. Don't know if this helps. Not sure what else to do.

I saw your config. I'm asking if the server has an IP within the same subnet as your ASA inside interface. Also, what's the default gateway of your server? Is it the ASA?

Thanks
Francesco

Yes, my server has an IP from my inside subnet. The gateway is also the ASA inside interface IP. I only try to access resources that use inside IPs.

Send me your email address in PM; we will organize a troubleshooting session next week, end of afternoon.

Thanks
Francesco