
Configured a new AnyConnect VPN on Cisco ASA 5500. Internet would go down when connecting to this VPN.

KESHRIPN
Level 1

Hello, 

I have configured a new VPN. But the problem is that whenever I try to access this VPN, the Internet from the Computer would go down.

Thanks for the sincere reply.

6 Replies

Seb Rupik
VIP Alumni

Hi there,

It sounds like once the VPN is established, all of your non-local traffic is being sent to the ASA endpoint and hitting various policies.

If you want to maintain a local connection to the internet you will need to configure split-tunneling for the AnyConnect VPN. This will allow you to specify which subnets you can reach via the VPN; everything else will leave via the local LAN gateway.

This is viewed as a security risk in most situations.


cheers,

Seb.

Thanks Seb, 

Even if all the traffic is going to the ASA, I should have the Internet connectivity by default.

I thought of configuring the split-tunnelling but abandoned the thought.

Anyway I will try to configure the split-tunnel and will see the output.

Regards,

Pankaj

Yes, you will still have internet connectivity, but the AnyConnect client will adjust your routing table, as @Dennis Mink points out, which will send any traffic not destined to the local subnet (except the encrypted tunnel traffic itself) via the tunnel.

Once your traffic arrives at the ASA you will need to have the correct routing and firewall policy in place to allow access to the internet.


cheers,

Seb.

Dennis Mink
VIP Alumni

When on the VPN, do a "print route" from a command prompt to see if you have a default route on the VPN.

Please remember to rate useful posts, by clicking on the stars below.

Thanks Dennis,

I couldn't see any output while running the command "print route" (while on the configured VPN):

C:\Users\Pankaj.Keshri>print route
Unable to initialize device PRN
C:\Users\Pankaj.Keshri>
 
However, I do receive the below routes while running the command "route print" (while on the configured VPN):
 
C:\Users\Pankaj.Keshri>route print
===========================================================================
Interface List
 14...00 05 9a 3c 7a 00 ......Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
 15...54 e1 ad 68 f8 69 ......Intel(R) Ethernet Connection (4) I219-LM
 10...ac ed 5c 00 24 ef ......Intel(R) Dual Band Wireless-AC 8265
 13...ae ed 5c 00 24 ef ......Microsoft Wi-Fi Direct Virtual Adapter
  7...ac ed 5c 00 24 f0 ......Microsoft Wi-Fi Direct Virtual Adapter #3
 12...00 ff 68 d4 a6 1d ......AnchorFree TAP-Windows Adapter V9
  8...ac ed 5c 00 24 f3 ......Bluetooth Device (Personal Area Network)
 18...0c 5b 8f 27 9a 64 ......Remote NDIS based Internet Sharing Device
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     75
          0.0.0.0          0.0.0.0     10.100.100.1    10.100.100.13      2
     10.100.100.0    255.255.255.0         On-link     10.100.100.13    257
    10.100.100.13  255.255.255.255         On-link     10.100.100.13    257
   10.100.100.255  255.255.255.255         On-link     10.100.100.13    257
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    331
      192.168.1.0    255.255.255.0     10.100.100.1    10.100.100.13      2
      192.168.1.1  255.255.255.255         On-link     192.168.1.100     76
    192.168.1.100  255.255.255.255         On-link     192.168.1.100    331
    192.168.1.255  255.255.255.255         On-link     192.168.1.100    331
    204.11.110.17  255.255.255.255      192.168.1.1    192.168.1.100     76
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.1.100    331
        224.0.0.0        240.0.0.0         On-link     10.100.100.13    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.1.100    331
  255.255.255.255  255.255.255.255         On-link     10.100.100.13    257
===========================================================================
Persistent Routes:
  None
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 18     91 ::/0                     fe80::a671:74ff:fe49:c2ca
 14     56 ::/0                     On-link
  1    331 ::1/128                  On-link
 14    311 fe80::/64                On-link
 18    331 fe80::249c:bcae:c06b:5d83/128
                                    On-link
 14    311 fe80::32ab:7798:c1d0:2399/128
                                    On-link
 14    311 fe80::e59b:fa83:3ecb:7d61/128
                                    On-link
  1    331 ff00::/8                 On-link
 18    331 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
C:\Users\Pankaj.Keshri>
 

Looking at the machine's routing table:

  0.0.0.0          0.0.0.0     10.100.100.1    10.100.100.13      2

There is a default route. Can you confirm 10.100.100.x is the VPN interface's IP address?

Please remember to rate useful posts, by clicking on the stars below.
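
An added example, not part of any post in this thread: a route lookup over IPv4 rows taken from the route print output above, using longest prefix match and then lowest metric (the order Windows applies), to show which adapter each destination leaves by. The function names and the sample destinations 8.8.8.8 and 192.168.1.50 are assumptions made for the example.

```python
import ipaddress

# IPv4 "Active Routes" rows copied from the route print output in the thread.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     75
          0.0.0.0          0.0.0.0     10.100.100.1    10.100.100.13      2
     10.100.100.0    255.255.255.0         On-link     10.100.100.13    257
      192.168.1.0    255.255.255.0         On-link     192.168.1.100    331
      192.168.1.0    255.255.255.0     10.100.100.1    10.100.100.13      2
      192.168.1.1  255.255.255.255         On-link     192.168.1.100     76
    204.11.110.17  255.255.255.255      192.168.1.1    192.168.1.100     76
"""

def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # five fields, but not a route row
    return routes

def select_route(routes, destination):
    """Pick the route for a destination: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def egress_interface(text, destination):
    """Return the local interface address the destination would leave by."""
    route = select_route(parse_routes(text), destination)
    return route[2] if route else None

if __name__ == "__main__":
    # Sample destinations chosen for this example (not from the thread),
    # plus the one /32 host route that appears in the table.
    for dst in ("8.8.8.8", "192.168.1.50", "204.11.110.17"):
        print(dst, "->", egress_interface(ROUTE_PRINT, dst))
```

With this table, Internet destinations and even other hosts on 192.168.1.0/24 resolve to 10.100.100.13, while the 204.11.110.17 host route and the local gateway 192.168.1.1 stay on 192.168.1.100.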