AnyConnect on macOS (IKEv2 IPsec) to Cisco ASR1001-X: connected but cannot access any hosts on remote side

Hai Dao Tuan
Level 1

Hi All

Please advise how to change the settings of macOS or the router if necessary.

My company is using Cisco ASR1001-x with IOS: asr1001x-universalk9.16.07.02.SPA.bin.

Because the ASR1001-X doesn't support SSL VPN, I configured FlexVPN IKEv2. I am following the guide "https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html"

After following the configuration, I tested on many OSes and saw that:

   + With Windows 10, with Cisco AnyConnect (anyconnect-win-4.7.00136-predeploy-k9) -> connects successfully, can connect to hosts on the VPN side normally (can ping, remote or http to servers)

   + With Android phone, iOS (iPhone) with Cisco AnyConnect from the Google/Apple stores -> connects successfully, can connect to hosts on the VPN side normally (can ping, or access http to servers)

   *** BUT with macOS 10.14 (Mojave), 10.13 (High Sierra) with Cisco AnyConnect (anyconnect-macos-4.7.00136-predeploy-k9.dmg) -> connects successfully, but cannot connect to any hosts on the VPN side by any protocol: ping/tracert/remote/http....

I did some checking as follows:

   1. I used the same profile that was used on Windows 10, but the situation is still the same.

   2. After the VPN connected, with "netstat -rn" I can see the route to the VPN on macOS, but I don't know why all connections failed.

-----------------

Mac:~$ netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.68.254     UGSc           75        2     en0

10.136/16          192.168.102.9      UGSc            0        0   utun1  -> this is the split tunnel route

..

------------

   3. On the router 1001-X, when I ran "show crypto session detail", I could see the packets increase when pinging from macOS even though the pings timed out:

Inbound:  #pkts dec'ed 34 drop 0 life (KB/Sec) 4607997/2711
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607999/2711

 

Please advise what I can do to use AnyConnect VPN on macOS to the ASR1001-X.

The link I followed, also mentioned above: "https://www.cisco.com/c/en/us/support/docs/security/flexvpn/200555-FlexVPN-AnyConnect-IKEv2-Remote-Access.html"

 

Many thanks

Hai
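The two observations in the post (a split-tunnel route on utun1, and router SA counters that keep rising while pings time out) are worth reading together. The following is an added example, not the poster's or Cisco's code: it parses constructed samples modelled on the quoted netstat -rn and "show crypto session detail" output and classifies where the traffic stops; the category names are this example's own.

```python
import re

# Constructed samples, modelled on the netstat -rn and "show crypto session detail"
# lines quoted in the post above (not the poster's full output).
NETSTAT_RN = """Routing tables
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.68.254     UGSc           75        2     en0
10.136/16          192.168.102.9      UGSc            0        0   utun1
"""
CRYPTO_SESSION = """Inbound:  #pkts dec'ed 34 drop 0 life (KB/Sec) 4607997/2711
        Outbound: #pkts enc'ed 10 drop 0 life (KB/Sec) 4607999/2711
"""

COUNTER_RE = re.compile(r"(Inbound|Outbound):\s+#pkts (?:dec|enc)'ed (\d+) drop (\d+)")


def tunnel_routes(netstat_text):
    """Routes that point at a utun* interface, as (destination, gateway, netif)."""
    routes = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[5].startswith("utun"):
            routes.append((cols[0], cols[1], cols[5]))
    return routes


def sa_counters(session_text):
    """(packets, drops) per direction from the IPsec SA part of the router output."""
    return {m.group(1).lower(): (int(m.group(2)), int(m.group(3)))
            for m in COUNTER_RE.finditer(session_text)}


def diagnose(netstat_text, session_text):
    """Combine the client's route table with the router's SA counters."""
    if not tunnel_routes(netstat_text):
        return "no-tunnel-route"               # remote-side traffic never enters the tunnel
    counts = sa_counters(session_text)
    inbound, outbound = counts["inbound"][0], counts["outbound"][0]
    if inbound == 0:
        return "client-packets-not-arriving"   # nothing decrypted: check the UDP 500/4500 path
    if outbound < inbound:
        return "replies-not-returning"         # requests decrypted, far fewer replies encrypted back
    return "tunnel-symmetric"                  # both directions flow; look at the client itself
```

On the sampled counters (34 decrypted, 10 encrypted) this returns "replies-not-returning", which points at the return path from the remote servers back to the client's VPN address rather than at the client-to-router leg.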

 

2 Replies

Are you sure that your provider allows UDP port 4500 or UDP port 500 over your
internet line (whether ADSL or 4G)? Some providers block this, which
blocks the data flow although the channel is up.

Thanks for advising.

In our offices we have many types of clients. As I mentioned in my post, users on Windows 10 can access servers through the VPN normally (with the same AnyConnectLocalPolicy.xml and VPN.xml files as on macOS). Besides, Android and iOS can also connect and access servers through the VPN normally.

Only macOS cannot access the servers after the VPN is connected (even though netstat -rn shows the route added on macOS).

All users use the same Internet lines, so I don't think the ISP is doing anything.

As I checked in Network Preferences, Cisco AnyConnect didn't create any new interface, although netstat -rn shows a utun1 interface.

Because I don't have much experience with macOS (I can only install AnyConnect and add a profile), I don't know whether the issue is related to macOS or whether I need to change any settings on macOS. Please advise.

 

Regards

Hai