01-25-2017 01:54 PM - edited 02-21-2020 09:08 PM
Head End:Cisco ASA 5525-X - 9.4(1)
Remote Site A: Cisco ASA5506 - 9.5(1)
Remote Site B: Cisco ASA5506 - 9.2.4(18)
AnyConnect Client: iPad v4.0.05066
I want to be able to Connect to the Remote Site from the AnyConnect Client. From the Remote site I can Ping the IP address of the iPad's VPN Connection and it pings fine. Turn off the VPN and the Ping Dies. I Only have the iPad at this point to Test, so I am limited to what I can initiate from the remote site to the AnyConnect Client.
From the AnyConnect Client to the HQ site works great, though any Pinging, RDP, or anything that Originates from the AnyConnect Client to the Remote site fails.
Remote Site A and Remote site B can both ping back and forth.
I'm sure it's part of the Crypto Access Lists that are not right, though I can't tell if I'm not getting let in at the remote sites, or if the Head end is blocking it from going out, or if it's a NAT thing or?
I thought about posting configs and having someone point out my obvious mistakes, though I want to get better at debugging this kind of stuff. What are some good debug commands to see where this connection is failing?
Thank you,
Scott
01-25-2017 03:35 PM
I would start with packet-tracer to see what the ASA does with the packet when it comes in from the Anyconnect client headed toward the remote site. The command would be something like this:
packet-tracer input outside icmp <anyconnect ip> 8 0 <remote lan ip> detailed
Note that since the packet-tracer is not vpn aware, it will simulate the packet as coming into the outside interface in the clear - so it will check the outside ACL. Temporarily exempt this traffic from the ACL for running this command. VPN traffic is bypassed from this ACL by default.
You may also want to check the "show crypto ipsec sa peer x.x.x.x | in iden|caps:" output. It will show you how many packets are being encrypted and decrypted per peer.
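To make the counters from that command easier to read, here is an added helper (not from the original thread or from Cisco) that parses the filtered "show crypto ipsec sa" output, pairs each local/remote selector with its encaps/decaps counters, and says which SA, if any, covers an AnyConnect client address talking to a remote-site LAN address. The sample output and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of what "show crypto ipsec sa peer <peer> | in iden|caps:" can
# return on the head end; it is not output from the poster's ASA.
SAMPLE = """\
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
      #pkts decaps: 4097, #pkts decrypt: 4097, #pkts verify: 4097
      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Group each local/remote selector pair with its encaps/decaps counters."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local" and cur:      # a new 'local ident' starts a new SA block
                sas.append(cur)
                cur = {}
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}")
            continue
        m = COUNT.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
    if cur:
        sas.append(cur)
    return sas

def diagnose(sas, client_ip, remote_lan_ip):
    """Find the SA whose selectors cover client->remote and interpret its counters."""
    client, remote = ipaddress.ip_address(client_ip), ipaddress.ip_address(remote_lan_ip)
    for sa in sas:
        if client in sa["local"] and remote in sa["remote"]:
            enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
            if enc == 0:   # selector exists but nothing hits it: NAT/ACL drop before the crypto map
                return "selector matches but 0 encaps: trace the packet with packet-tracer"
            if dec == 0:   # head end encrypts, remote never answers: check remote crypto ACL
                return "encrypted %d, decrypted 0: remote site is not returning traffic" % enc
            return "SA healthy: %d encaps / %d decaps" % (enc, dec)
    return "no SA selector covers %s -> %s: AnyConnect pool missing from crypto ACL" % (client_ip, remote_lan_ip)
```

Run diagnose() once with an address from the AnyConnect pool and once with a head-end LAN address; the difference between the two answers points at which end (or which selector) is missing.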
01-26-2017 05:18 AM
I am assuming that your AnyConnect and the site 2 site VPN terminate on the same outside (internet) interface? And AnyConnect has split-tunneling configured?
If this is the case then you need to check the following:
If you are tunneling all traffic check the same things but then you also need to check routing. Chances are that you might need to add a static route for the remote site subnet to point out the outside interface.
--
Please remember to select a correct answer and rate helpful posts