This is driving me up the wall...
I have an HA pair of 5508-X running 9.8(4)15.
AnyConnect version is anyconnect-win-4.7.04056-webdeploy-k9.pkg.
I use the VPN client to then RDP to my work desktop; this has worked fine for a few weeks at least. Suddenly, with no changes to the NAT configuration, I'm getting the following error:
When this issue first appeared I upgraded to 9.8; I was on 9.64(34), and the upgrade seemed to resolve the issue for a few days, but then suddenly it was back.
I have a no NAT rule in place which covers everything from the SSL subnet into the subnet that my desktop is in.
Failing over the firewall makes no difference, but I suspect a reboot may kick-start it into working again.
Anyone have any ideas what the hell is causing this?
Can you run a packet-tracer to simulate your RDP traffic and see which NAT rule it matches for the reverse-path check? Until then, I recommend upgrading to the latest 9.8(4) and certainly rebooting the HA pair.
If this keeps happening randomly without any configuration or routing changes (perhaps because you have multiple ISPs or something similar), I suggest looking more closely at your NAT rules; maybe you have some conflicting NAT rules, which could increase the risk of NAT misbehaving.
I'm not sure how to use packet-tracer with AnyConnect.
If I set the source interface to Outside it doesn't work, and there is no specific AnyConnect interface.
I was being an idiot and picked an IP outside of the SSL VPN network range!
This is the AnyConnect result; there's only one valid NAT rule.
Note the destination IP is in use, hence the error; I can't use a different, unused IP as that'll fall foul of the access rules.
Again I've been an idiot; here's the completed packet-tracer, exact same rule in both directions.
What blows my mind is that one time I was connected and on my RDP session and was booted off. Initially I assumed the desktop had crashed or rebooted, but mid-session the firewall decided that the NAT rule was asymmetric. I checked, and I was the only one connected to the firewall.
I figured it out, really appreciate the sounding board!!
The client VPN pool was set up as a /29, yet with available addresses .1 - .20.
The network object defined in the no-NAT rule was also a /28.
So I was getting issued an address outside of the object group. I guess the one time I was online and got booted off, for whatever reason, I was re-issued a new IP.