Anyconnect asymmetric NAT

richard.priest
Level 1

This is driving me up the wall...

I have an HA pair of 5508-X running 9.8(4)15.

AnyConnect version is anyconnect-win-4.7.04056-webdeploy-k9.pkg.

I use the VPN client to then RDP to my work desktop; this has worked fine for a few weeks at least. Suddenly, with no changes to the NAT configuration, I'm getting the following error:

anyconnect_!.png

When this issue first appeared I upgraded to 9.8. I was on 9.64(34), and the upgrade seemed to resolve the issue for a few days, but then suddenly it was back.

I have a no-NAT rule in place which covers everything from the SSL subnet into the subnet that my desktop is in.

anyconnect_2.png

Failing over the firewall makes no difference, but I suspect a reboot may kick-start it into working again.

Anyone got any ideas what the hell is causing this?

Cheers

Rich

6 Replies

Cristian Matei
VIP Alumni

Hi,

Can you run a packet-tracer to simulate your RDP traffic and see on which NAT rule it matches for the reverse-path check? Until that point, I recommend upgrading to the latest 9.8(4) and clearly rebooting the HA pair.

If this keeps happening randomly without any configuration changes or routing changes (due to maybe you having multiple ISPs or something alike), I suggest looking more closely at your NAT rules, as maybe you have some conflicting NAT rules, which could increase the risk of NAT misbehaving.

Regards,

Cristian Matei.

Thanks Cristian

I'm not sure how to use Packet Tracer with AnyConnect? If I set the source interface as Outside it doesn't work, and there is no specific AnyConnect interface?

I was being an idiot and picked an IP outside of the SSL VPN network range!

This is the AnyConnect result; there's only 1 valid NAT rule.

anyconnect_3.png

Note the destination IP is in use, hence the error. I can't use a different unused IP as that'll fall foul of access rules.

Again I've been an idiot; here's the completed Packet Tracer, exact same rule both directions.

anyconnect_4.png

What blows my mind is that one time I was connected and on my RDP session and was booted off. Initially I assumed the desktop had crashed or rebooted, but mid-session the firewall decided that the NAT rule was asymmetric. I checked and I was the only one connected to the firewall.

Cheers

Hi,

Clearly you're lucky :) Upgrade and maybe you really get lucky. Life of an engineer.

Regards,

Cristian Matei.

Pretty sure I'm on the very latest firmware!

Hi,

From the 9.8(4) train, there is 9.8(4)17 available. Good luck.

Regards,

Cristian Matei.

I figured it out, really appreciate the sounding board!!

The client VPN pool was set up as a /29, yet with available addresses .1 - .20.

The network object defined in the no-NAT rule was also a /28.

So I was getting issued an address outside of the object group. I guess the one time I was online and got booted off, for whatever reason I was re-issued a new IP.
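A quick consistency check for the misconfiguration described in the thread (an added example, not code from the thread or from Cisco): given the pool range, the pool mask and the no-NAT network object, it reports the pool addresses the object does not cover and the single subnet that would cover the whole pool. The 192.0.2.x values are constructed placeholders standing in for the real pool.

```python
import ipaddress

# Constructed sample values (not from the thread): a /29 pool mask with a
# .1-.20 address range, and a /28 network object in the no-NAT rule.
POOL_FIRST = "192.0.2.1"
POOL_LAST = "192.0.2.20"
POOL_PREFIXLEN = 29
NO_NAT_OBJECTS = ["192.0.2.0/28"]


def pool_addresses(first, last):
    """Every address the firewall could hand out from the pool range."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(start, end + 1)]


def pool_fits_mask(first, last, prefixlen):
    """True if the whole range lies inside the subnet implied by the pool mask."""
    subnet = ipaddress.ip_network(f"{first}/{prefixlen}", strict=False)
    return ipaddress.ip_address(last) in subnet


def uncovered_pool_addresses(first, last, objects):
    """Pool addresses no NAT-exempt object covers; a client that is issued
    one of these matches a different NAT rule and sees the asymmetric NAT error."""
    nets = [ipaddress.ip_network(o, strict=False) for o in objects]
    return [str(ip) for ip in pool_addresses(first, last)
            if not any(ip in net for net in nets)]


def covering_network(first, last):
    """Smallest single subnet containing the whole pool; using it for both the
    pool mask and the no-NAT object keeps the two from disagreeing."""
    net = ipaddress.ip_network(f"{first}/32")
    last_ip = ipaddress.ip_address(last)
    while last_ip not in net:
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    print("pool fits its mask:", pool_fits_mask(POOL_FIRST, POOL_LAST, POOL_PREFIXLEN))
    print("outside no-NAT object:", uncovered_pool_addresses(POOL_FIRST, POOL_LAST, NO_NAT_OBJECTS))
    print("object that covers the pool:", covering_network(POOL_FIRST, POOL_LAST))
```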