
Should two anyconnect clients on the same ASA be able to talk with each other?

Chris Bull
Level 1

Hi All,

As per the title, I can't get peer-to-peer traffic between two remote clients when they are on the same ASA. Should this work? What areas of config should I be looking at?

Chris

21 Replies

Cisco Adaptive Security Appliance Software Version 9.4(1)

Hardware:   ASA5585-SSP-20, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)

AnyConnect 4.2.01035

Windows 7

Hi Chris,

Are you fine with sharing a sanitized show run of the ASA config?

Regards,

Aditya

Please rate helpful posts.

Sorry Aditya,

I'd need to go through our compliance team to release a full (redacted) config. Looks like I'm going to get this punted to TAC on Monday.

Chris

Hi Chris,

Yes a live session would help.

Keep us posted if it is resolved by TAC.

Regards,

Aditya

Hi Aditya,

It's been a busy week; I've got a redacted running-config here: http://pastebin.com/BBt62xVU

A diagram of the issue is here: https://drive.google.com/open?id=0ByqFsjwf9AyaMDFveXB1cWdkbFk

Hopefully I'll have a TAC case next week; it can be a slow process getting approvals.

So,

I finally solved the issue, after many wrong turns and various delays in getting TAC support (who pretty much suggested the same things as here).

We have external DHCP via Microsoft DHCP servers. In order to ensure the DHCP relay worked correctly (and the pool was spread over all the ASAs in the load-balanced farm), the INSIDE interface of the ASAs was in the same subnet as the AnyConnect clients.

I tried to change this and use RFC 3011 subnet selection to get the addresses, but the DHCP server (2008 R2) refused to respond. (There seem to be mixed messages out there as to whether this works, but it didn't for me.)

Instead I changed the subnet mask on the ASA INSIDE to a /28 from the /20 it was (the next-hop router stayed on /20); luckily the router and the ASAs were all in the first /28 of the larger /20.

It still considered the upstream router in-subnet, it proxy-ARPed for any clients behind it fine, and now the connected subnet doesn't overlap with the clients, so the hairpinning works.

Cheers

Chris
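The fix above comes down to one condition: the ASA's directly connected INSIDE subnet must not contain the AnyConnect pool, while the next-hop router must still sit inside it after the mask is narrowed. The script below is an added example, not part of the thread or of Chris's config (the pastebin link is not reproduced here); the 10.10.0.0/20 interface, the 10.10.0.1 router and the 10.10.8.x pool are constructed values standing in for the redacted ones. It checks both conditions for the before (/20) and after (/28) cases with Python's standard ipaddress module.

```python
"""
Check whether an ASA interface's connected subnet overlaps an AnyConnect
address pool, and whether the next-hop router stays on-link after the
interface mask is narrowed.

Added example; all addresses below are constructed, not taken from the
thread's (redacted) running-config.
"""
import ipaddress
from typing import List


def connected_subnet(ip_with_prefix: str) -> ipaddress.IPv4Network:
    """Subnet the ASA treats as directly connected for an interface address,
    e.g. '10.10.0.5/20' -> 10.10.0.0/20."""
    return ipaddress.ip_interface(ip_with_prefix).network


def pool_blocks(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Summarise an 'ip local pool'-style first-last range into CIDR blocks so
    it can be compared against connected subnets."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def pool_overlaps_interface(interface: str, first: str, last: str) -> bool:
    """True if any part of the client pool falls inside the connected subnet.
    That is the condition that broke client-to-client hairpinning here: the
    ASA had a connected route for the clients' own addresses."""
    net = connected_subnet(interface)
    return any(net.overlaps(block) for block in pool_blocks(first, last))


def next_hop_on_link(interface: str, next_hop: str) -> bool:
    """True if the upstream router is still inside the connected subnet, so the
    ASA can ARP for it directly after the mask change."""
    return ipaddress.ip_address(next_hop) in connected_subnet(interface)


def check(interface: str, next_hop: str, first: str, last: str) -> dict:
    """Run both checks for one interface/pool combination."""
    return {
        "connected": str(connected_subnet(interface)),
        "pool_overlaps": pool_overlaps_interface(interface, first, last),
        "next_hop_on_link": next_hop_on_link(interface, next_hop),
    }


if __name__ == "__main__":
    # Constructed sample: router .1 and ASA .5 both sit in the first /28 of
    # the larger /20; the client pool lives further up the same /20.
    router, pool_first, pool_last = "10.10.0.1", "10.10.8.1", "10.10.8.254"
    for iface in ("10.10.0.5/20", "10.10.0.5/28"):
        print(iface, check(iface, router, pool_first, pool_last))
```

With the /20 mask the pool overlaps the connected subnet (the broken state); with the /28 mask it no longer does and the router at .1 is still on-link, which is exactly why narrowing the mask worked. Had the router sat at, say, .20, the /28 change would have taken it off-link and the check would flag that before you touched a production ASA. Note that hairpinning between two clients on the same interface also requires `same-security-traffic permit intra-interface` on the ASA; the thread does not show that line, but it is a standard prerequisite and worth confirming alongside the subnet check.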

Hi Chris,

Glad the issue has been resolved.

Regards,

Aditya