Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2390
Views
5
Helpful
7
Replies

anyconnect access site-to-site VPN in branch office problem

Go to solution
Massimoriboli
Level 1
Level 1

‎11-04-2016 04:15 AM - edited ‎02-21-2020 09:02 PM

Hi all,
i have a main site with a x.x.x.x address with an active dhcp, all are behind an ASA 5512-x.
I have a branch office with y.y.y.y address with an active dhcp and 3 vlan with ip-helper active.

I setup a site-to-site VPN with IKE2 and preshared, all works fine.
On the main site i have setup a VPN with anyconnect, but i cannot reach my branch office, so i goggled a bit and i fund this page:

http://www.petenetlive.com/KB/Article/0000040

and i setup the "hairpinning", all seems to work fine, but it's not true... the dhcp on branch site is not working and when i a client try to registrate, it's seems to take the ip address, but  suddenly lost it and ask again for another ip, so this generate a infinite loop, and at the end my scope is full of "BAD ADDRESS".
For now the only drastic solution that i have taken is to disable the nat created for the hairpinning on the branch office, an all are normalized and the dhcp start working again in the correct mode.
Someone could help me?

Best Regards
Massimo Riboli

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Pablo
Cisco Employee
Cisco Employee
In response to Massimoriboli

‎11-08-2016 10:25 AM

Hi Massimo,
Since your Inside interface is not used as egress for any NAT there shouldn't be any side effect on disabling proxy ARP on it. Disabling Proxy ARP
The NAT exempt shouldn't cause any conflict with the DHCP but I know from experience that proxy arp and a NAT (any,any) will.
HTH
Pablo

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Pablo
Cisco Employee
Cisco Employee

‎11-04-2016 01:19 PM

Hi Massimo,

Can you provide a sanitized copy of the configuration from the 2 sites?
__ __
Pablo

0 Helpful

Go to solution
Massimoriboli
Level 1
Level 1
In response to Pablo

‎11-07-2016 02:55 AM

Hi Pablo,

sorry for the delay...

The configuration on both ASA are little dirty, there are more than one crypromap access list, but only one is used..

So i use the command sh crypto ipsec sa on both appliance, this is the main site:

interface: outside
    Crypto map tag: outside_map0, seq num: 1, local addr: ========

     access-list outside_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 10.100.1.0 255.255.255.0

this  is the branch site:

interface: OUTSIDE
    Crypto map tag: OUTSIDE_map, seq num: 1, local addr: ========

access-list OUTSIDE_cryptomap extended permit ip 10.100.1.0 255.255.255.0 192.168.0.0 255.255.255.0

It's the first time that i sanitize a configuration, i hope that i've done it in the right way.

Best Regards

Massimo Riboli

Preview file
12 KB
Preview file
18 KB
0 Helpful

Go to solution
Pablo
Cisco Employee
Cisco Employee
In response to Massimoriboli

‎11-07-2016 05:41 PM

Massimo,
Configuration wise the VPN looks in good shape. I don't see how the u-turning NAT exempt on the main office will affect the DHCP services on the branch.
One thing that might be causing some addressing conflicts is the (any,any) NAT entry defined on the branch office, this in conjunction with the proxy arp feature on the ASA are a really bad combination.
There are a couple of things that I'd like you to try:
a) Disable proxy arp on the Inside interface of the branch office with the command:
ASA(config)# sysopt noproxyarp Inside
b) Reconfigure the following NAT as follows:
object network videoconferenza
nat (INSIDE,OUTSIDE) static videoconf_public
Right after this, do a clear xlate, clear arp on the branch ASA and give it a new try.
HTH
Pablo
0 Helpful

Go to solution
Massimoriboli
Level 1
Level 1
In response to Pablo

‎11-07-2016 11:36 PM

i don't know if  i have posted that in the branch site i  have a DHCP with 3 VLAN and ip-helper active.

what i can see if that i activate the NAT that enable hairpinning

nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_10.100.1.0_24 NETWORK_OBJ_10.100.1.0_24 destination static nami_pool nami_pool inactive

the DHCP will be crazy.

Only one question, what is the side effect of disabling proxyarp on the inside interface ?

Please be patient.. i'm not so confident with ASA.

Best Regards

Massimo Riboli 

0 Helpful

Go to solution
Pablo
Cisco Employee
Cisco Employee
In response to Massimoriboli

‎11-08-2016 10:25 AM

Hi Massimo,
Since your Inside interface is not used as egress for any NAT there shouldn't be any side effect on disabling proxy ARP on it. Disabling Proxy ARP
The NAT exempt shouldn't cause any conflict with the DHCP but I know from experience that proxy arp and a NAT (any,any) will.
HTH
Pablo
0 Helpful

Go to solution
Massimoriboli
Level 1
Level 1
In response to Pablo

‎11-10-2016 05:10 AM

thanks Pablo,

i will try soon when i have the next maintenance Windows.

I'll let you know if i have success.

Best Regards

Massimo Riboli

0 Helpful

Go to solution
Massimoriboli
Level 1
Level 1
In response to Massimoriboli

‎02-28-2017 01:40 AM

Hi Pablo,

sorry for the delay of the response, but the client is hard to convince about the maintenance Windows... :(

So i'm glad to communicate that you solution works like a charm.

Many, many thanks.

Best Regards

Massimo Riboli

Customers Also Viewed These Support Documents