
Anyconnect Clients Cannot Communicate with each other

jrichterkessing
Level 1

I have an issue that I've been pulling my hair out on... my telecommuters connect to our corp. network via an AnyConnect VPN connection (version 3.1) to a Cisco ASA5520. I do not have split tunneling enabled for this profile so all traffic should traverse the tunnel and all clients are in the same L3 subnet... as far as their VPN IP address goes. The problem is the telecommuter PCs cannot communicate with each other (pings/RDP/etc.). When watching the log I can see traffic sourced from one destined for another, nothing is getting denied, but they do not communicate. From my corp. network I can communicate with both AnyConnect PCs fine. When I go to Monitoring | Routes in ASDM I can see each host that is connected to the ASA via AnyConnect, and the gateway for each is the default gateway of the ASA.

Am I missing some setting in the VPN profile that is preventing access between these hosts? I would think something would show up in the log....

Accepted Solution

Have you enabled hairpinning and also a NAT exemption between the AnyConnect users?

same-security-traffic permit intra-interface

object network AnyConnect_users

subnet

nat (outside,outside) source static AnyConnect_users AnyConnect_users destination static AnyConnect_users AnyConnect_users

If this doesn't sort out your issue, please post a full sanitized configuration of your ASA.

--
Please remember to select a correct answer and rate helpful posts
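
An added example (not part of the original posts, and not Cisco code): a small Python check that reads a saved running-config and reports which parts of the hairpin setup from the answer above are present. The sample config and its 192.0.2.0/24 pool are constructed; the object and interface names are the ones used in the answer, and the function names are hypothetical.

```python
import re

# Constructed sample running-config excerpt (not from the thread).
# 192.0.2.0/24 is a documentation range standing in for the VPN address pool.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network AnyConnect_users
 subnet 192.0.2.0 255.255.255.0
nat (outside,outside) source static AnyConnect_users AnyConnect_users destination static AnyConnect_users AnyConnect_users
"""


def check_hairpin(config, obj="AnyConnect_users", iface="outside"):
    """Return which parts of the client-to-client hairpin setup a config contains."""
    found = {"intra_interface": False, "object_subnet": None, "nat_exempt": False}
    # Identity twice-NAT on one interface: same object for source and destination.
    nat_re = re.compile(
        r"nat \({0},{0}\) source static {1} {1} destination static {1} {1}(\s|$)".format(
            re.escape(iface), re.escape(obj)))
    current_obj = None
    for raw in config.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped:
            continue
        indented = line[0] == " "
        if not indented:
            current_obj = None  # a top-level command ends any object sub-mode
        if stripped == "same-security-traffic permit intra-interface":
            found["intra_interface"] = True
        elif stripped.startswith("object network "):
            current_obj = stripped.split()[2]
        elif indented and current_obj == obj:
            m = re.fullmatch(r"subnet (\S+) (\S+)", stripped)
            if m:
                found["object_subnet"] = m.groups()
        elif nat_re.match(stripped):
            found["nat_exempt"] = True
    return found


def missing_steps(found):
    """List the setup parts that were not found, in the order the answer gives them."""
    return [name for name, value in found.items() if not value]


if __name__ == "__main__":
    print(check_hairpin(SAMPLE_CONFIG), missing_steps(check_hairpin(SAMPLE_CONFIG)))
```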


Thanks for the reply Marius! I fixed this by just running "same-security-traffic permit intra-interface" on the ASA, I did not need to add the hairpin natting.

Thanks for the help....Jeff

Glad you got it working!

Thank you for rating the post.


Hi,

I have exactly the same issue, I did what you suggested and the problem still remains, what else can I do?

Kind Regards

WS

Hi,

Start a new thread and post the config.

Regards,

Cristian Matei.
