cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
121
Views
0
Helpful
6
Replies
Beginner

Anyconnect asymmetric NAT

This is driving me up the wall...

 

I have a HA pair of 5508-x running 9.8(4)15 

 

Anyconnect version is anyconnect-win-4.7.04056-webdeploy-k9.pkg

 

I use the VPN client to then RDP to my work desktop, this has worked fine for a few weeks at least. Suddenly with no changes to the NAT configuration I'm getting the following error:

 

anyconnect_!.png

When this issue 1st appeared I upgraded to 9.8, I was on 9.64(34) and the upgrade seemed to resolve the issue for a few days, but then suddenly it's back.

 

I have a no NAT rule in place which covers everything from the SSL subnet into the subnet that my desktop is in.

 

anyconnect_2.png

 

Failing over the firewall makes no difference, but I suspect a reboot may kick start it to working again.

 

Any one any ideas what the hell is causing this?

 

Cheers

 

Rich

6 REPLIES 6
Highlighted
Rising star

Re: Anyconnect asymmetric NAT

Hi,

 

    Can you run a packet-tracer to simulate your RDP traffic and see on which NAT rule it matches for reverse-path check? Till that point, i recommend upgrading to the latest 9.8(4) and clearly reboot the HA pair.

    If this keeps happening randomly without any modification changes or routing changes (due to maybe you having multiple ISP's or something alike), i suggest looking closer to your NAT rules, as maybe you have some conflicting NAT rules, which could increase the risk for NAT miss-behaving.

 

Regards,

Cristian Matei.

Highlighted
Beginner

Re: Anyconnect asymmetric NAT

Thanks Cristian

 

I'm not sure how to use Packettracer with Anyconnect? If I set the source interface as Outside it doesn't work, and there is no specific Anyconnect interface?

 

I was being n idiot and picked an IP outside of the SSL VPN network range!

 

This is the anyconnect result. there's only 1 valid NAT rule

 

anyconnect_3.png

 

Note the destination IP is in use hence the error, I can't use a different unused IP as that'll fall foul of access rules

 

Again I've been an idiot, here's the completed Packet Tracer, exact same rule both directions

 

anyconnect_4.png

 

What blows my mind is one time I was connected and on my RDP session and was booted off, initially I assumed the desktop had crashed or rebooted, but mid session the firewall decided that the NAT rule was asymmetric. I checked and I was the only connected to the firewall.

 

Cheers

Highlighted
Rising star

Re: Anyconnect asymmetric NAT

Hi,

 

 Clearly you're lucky :) Upgrade and maybe you really get lucky. Life of an engineer.

 

Regards,

Cristian Matei.

Highlighted
Beginner

Re: Anyconnect asymmetric NAT

pretty sure I'm on the very latest firmware!

Highlighted
Rising star

Re: Anyconnect asymmetric NAT

Hi,

 

   From the 9.8(4) train, there is 9.8(4)17 available. Good luck.

 

Regards,

Cristian Matei.

 

 

Highlighted
Beginner

Re: Anyconnect asymmetric NAT

I figured it out, really appreciate the sounding board!!

 

the client VPN pool was set up as a /29 yet with available addresses .1 - .20

 

the network object defined in the no NAT rule was also a /28

 

so I was getting issued an address outside of the object group. I guess the one time I was online and got booted off, for whatever reason I was re-issued a new IP.