I am using AnyConnect with RADIUS on an ASA5510. RADIUS defines which group-policy should apply to each AnyConnect client.
I'd like to use a different vpn-filter for each group-policy group. With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via NAT). However, defining any vpn-filter ASA group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group. Even something as simple as:
access-list FILTER1 extended permit ip any any
group-policy GROUP1 attributes
 vpn-filter value FILTER1
...seems to drop all traffic. Deleting the single vpn-filter line restores connectivity.
I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies.
Did you reconnect the AnyConnect VPN after the changes, or did you stay connected to AnyConnect after the changes?
Thanks, Jennifer: yes, I am bringing up a new AnyConnect session after making the changes, to test. Is there a way to do a "packet trace" which shows packet flow through a vpn-filter?
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
This platform has an ASA 5510 Security Plus license.
System image file is "disk0:/asa825-k8.bin"
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
My AnyConnect client is version 2.5.0217