
Anyconnect over Site to Site Fails

RJJ36838
Level 1

I have a situation where I need the Anyconnect VPN clients to reach a remote site over a site to site tunnel.

After troubleshooting I restarted the configuration by following the steps here: https://www.petenetlive.com/KB/Article/0000040

I used the 8.3 or newer steps because everything is on v9+.

 

The one question I had is the Anyconnect pool of IPs is not a full /24 subnet, it's .100 to .254. All the configuration is using /24 to route. Now I know the pool is in that /24 that's being routed, but would it matter that it is not handing out the whole subnet to Anyconnect clients?

 

The flow looks like this:

AC Client -> HQ -> Remote

 

I pinged workstations at each site to test connectivity, here were the results:

AC -> HQ = replied

AC -> Remote = no reply

 

HQ -> AC = replied

HQ -> Remote = replied

 

Remote -> AC = replied

Remote -> HQ = replied

 

So it looks like just the traffic from the Anyconnect client to the Remote site is not working but everything else is. 

 

Any help or direction would be appreciated.

6 Replies

Hi,
It's possibly a NAT issue. Can you provide the output of "show nat detail" and your configuration, we can probably work it out.

HTH

Looks like my email notifications didn't work. I will get this info together, sorry for the late reply.

Here are the NATs pertaining to the AnyConnect. I am not comfortable posting the entire config because there are other sites and a lot of information in there.

 

1.1.0.0/24 is HQ LAN

2.2.2.0/24 is AnyConnect LAN

3.3.3.0 is Remote Office LAN

 

7 (inside) to (any) source static obj-1.1.0.0 obj-1.1.0.0 destination static ACLan ACLan no-proxy-arp
translate_hits = 613498, untranslate_hits = 683943
Source - Origin: 1.1.0.0/24, Translated: 1.1.0.0/24
Destination - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24

 


20 (outside) to (outside) source static obj-ACLan obj-ACLan destination static obj-RemoteLan obj-RemoteLan no-proxy-arp route-lookup
translate_hits = 33891, untranslate_hits = 33891
Source - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24
Destination - Origin: 3.3.3.0/24, Translated: 3.3.3.0/24
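As an added example (not code from the thread or from the poster's ASAs), the Python script below parses `show nat detail` output in the format pasted above and checks the pool-to-remote-LAN rule the way the reply suggests reading it: it must be an identity (twice) NAT that covers the whole AnyConnect pool and the remote LAN, it should sit on the VPN interface in both directions, and its hit counters should be climbing. The first sample is the two rules posted above; the second is a constructed bad rule. The pool range 2.2.2.100-2.2.2.254 comes from the original question about the pool not being a full /24; the `route-lookup` check and the interface expectation are assumptions based on the usual hairpin-NAT setup, not something the thread states.

```python
"""Check the NAT exemption that AnyConnect-over-site-to-site traffic needs,
from 'show nat detail' output.

Added example, not code from the original thread. HQ_NAT_DETAIL is the two
rules the poster shared (their placeholder addresses); BROKEN_NAT_DETAIL is
a constructed counter-example. The route-lookup and interface checks are
assumptions about a typical hairpin setup."""
import ipaddress
import re
from dataclasses import dataclass

HQ_NAT_DETAIL = """\
7 (inside) to (any) source static obj-1.1.0.0 obj-1.1.0.0 destination static ACLan ACLan no-proxy-arp
    translate_hits = 613498, untranslate_hits = 683943
    Source - Origin: 1.1.0.0/24, Translated: 1.1.0.0/24
    Destination - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24
20 (outside) to (outside) source static obj-ACLan obj-ACLan destination static obj-RemoteLan obj-RemoteLan no-proxy-arp route-lookup
    translate_hits = 33891, untranslate_hits = 33891
    Source - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24
    Destination - Origin: 3.3.3.0/24, Translated: 3.3.3.0/24
"""

# Constructed: a rule that rewrites the pool before the tunnel and has never
# been hit. The remote peer would never see 2.2.2.0/24 as the source.
BROKEN_NAT_DETAIL = """\
21 (outside) to (outside) source static obj-ACLan obj-ACLan-pat destination static obj-RemoteLan obj-RemoteLan
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 2.2.2.0/24, Translated: 5.5.5.0/24
    Destination - Origin: 3.3.3.0/24, Translated: 3.3.3.0/24
"""

HEADER_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.*)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ADDR_RE = re.compile(r"^(Source|Destination) - Origin: ([^,]+), Translated: (\S+)$")


@dataclass
class NatRule:
    index: int
    ingress: str
    egress: str
    text: str                 # rest of the rule line: objects and keywords
    translate_hits: int = 0
    untranslate_hits: int = 0
    src_origin: str = ""
    src_translated: str = ""
    dst_origin: str = ""
    dst_translated: str = ""

    @property
    def is_identity(self) -> bool:
        return (self.src_origin == self.src_translated
                and self.dst_origin == self.dst_translated)


def parse_nat_detail(output: str) -> list[NatRule]:
    """Turn the four-lines-per-rule 'show nat detail' format into NatRule objects."""
    rules: list[NatRule] = []
    cur = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := HEADER_RE.match(line):
            cur = NatRule(int(m[1]), m[2], m[3], m[4])
            rules.append(cur)
        elif cur is None:
            continue
        elif m := HITS_RE.search(line):
            cur.translate_hits, cur.untranslate_hits = int(m[1]), int(m[2])
        elif m := ADDR_RE.match(line):
            if m[1] == "Source":
                cur.src_origin, cur.src_translated = m[2], m[3]
            else:
                cur.dst_origin, cur.dst_translated = m[2], m[3]
    return rules


def covers(rule_net: str, nets) -> bool:
    """True if every network in nets lies inside the rule's network object."""
    outer = ipaddress.ip_network(rule_net)
    return all(n.subnet_of(outer) for n in nets)


def check_exemption(rules, pool_first, pool_last, remote_lan, vpn_if="outside"):
    """Findings for the pool -> remote-LAN identity NAT; an empty list means OK.

    The pool is given as a range (the poster's .100-.254) and summarised into
    prefixes, so a /24 object is accepted even though the pool is not a whole /24."""
    pool = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)))
    remote = [ipaddress.ip_network(remote_lan)]
    matched = [r for r in rules if covers(r.src_origin, pool) and covers(r.dst_origin, remote)]
    if not matched:
        return [f"no NAT rule matches {pool_first}-{pool_last} -> {remote_lan}; add an identity (twice) NAT"]
    findings = []
    for r in matched:
        if not r.is_identity:
            findings.append(f"rule {r.index} is not identity NAT ({r.src_origin} -> {r.src_translated})")
        if r.ingress not in (vpn_if, "any") or r.egress not in (vpn_if, "any"):
            findings.append(f"rule {r.index} is ({r.ingress},{r.egress}); hairpinned VPN traffic enters and leaves {vpn_if}")
        if "route-lookup" not in r.text:   # assumption: egress should follow the routing table
            findings.append(f"rule {r.index} lacks route-lookup; egress follows the NAT rule, not the routing table")
        if r.translate_hits == 0:
            findings.append(f"rule {r.index} has zero translate_hits; the flow is not reaching this rule")
    return findings


if __name__ == "__main__":
    for name, text in (("HQ", HQ_NAT_DETAIL), ("constructed", BROKEN_NAT_DETAIL)):
        print(name, check_exemption(parse_nat_detail(text), "2.2.2.100", "2.2.2.254", "3.3.3.0/24") or "OK")
```

Run against the HQ output it reports nothing, which matches the reply's reading that rule 20 is being hit and is a clean identity NAT; the constructed rule produces three findings. A clean result here only says NAT is not the problem, so the next place to look is the packet-tracer output and the crypto ACLs on both peers.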

Looks like those NAT rules are being matched ok, do you have an ACL that could be blocking traffic?

Run packet-tracer and provide the output, e.g:-
"packet-tracer input outside tcp 2.2.2.2 3000 3.3.3.3 80"

What about the configuration of the remote site, what about the NAT configuration?

Here is the packet trace, I will work on the remote NAT next.

 


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static ACLan ACLan destination static RemoteLan RemoteLan no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 3.3.3.30/80 to 3.3.3.30/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group ACLan object-group DM_INLINE_NETWORK_8
object-group network ACLan
network-object 2.2.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object 1.1.0.0 255.255.255.0
network-object 3.3.3.0 255.255.255.0
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static ACLan ACLan destination static RemoteLan RemoteLan no-proxy-arp route-lookup
Additional Information:
Static translate 2.2.2.20/3000 to 2.2.2.20/3000

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

NAT from the remote ASA:

Manual NAT Policies (Section 1)
1 (UserData) to (any) source static 3.3.3.0 3.3.3.0 destination static 1.1.0.0 1.1.0.0 no-proxy-arp route-lookup
translate_hits = 4267916, untranslate_hits = 4282086
Source - Origin: 3.3.3.0/24, Translated: 3.3.3.0/24
Destination - Origin: 1.1.0.0/24, Translated: 1.1.0.0/24
2 (any) to (any) source static 3.3.3.0 3.3.3.0 destination static 2.2.2.0 2.2.2.0 no-proxy-arp
translate_hits = 34690, untranslate_hits = 34690
Source - Origin: 3.3.3.0/24, Translated: 3.3.3.0/24
Destination - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24
8 (UserData) to (outside) source static 1.1.0.0 1.1.0.0 destination static 2.2.2.0 2.2.2.0
translate_hits = 0, untranslate_hits = 0
Source - Origin: 1.1.0.0/24, Translated: 1.1.0.0/24
Destination - Origin: 2.2.2.0/24, Translated: 2.2.2.0/24
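The packet-tracer output above is allowed through the interface ACL and both NAT phases and is only dropped at Phase 9 (VPN / encrypt) with an acl-drop. As an added example (not from the thread), the Python script below parses packet-tracer output in that format, finds the first DROP phase, and maps it to the next thing to check. TRACE is an abridged copy of the posted output (phases 2, 5, 6 and 7 and the interface status lines are left out for brevity; the remaining phases and the final result are as posted). The hints are general ASA troubleshooting guidance and an assumption on my part, not a diagnosis the thread reached: a drop at the encrypt phase with acl-drop commonly means no IPsec SA exists for this pool-to-remote-LAN proxy identity, for instance because the crypto ACL on one or both peers only lists HQ LAN to remote LAN, or because a vpn-filter denies the flow.

```python
"""Find the phase where an ASA packet-tracer run dropped a flow and say what
to check next.

Added example, not from the original thread. TRACE is an abridged copy of the
poster's output; the hints are general guidance, not the thread's conclusion."""
from dataclasses import dataclass, field

TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static ACLan ACLan destination static RemoteLan RemoteLan no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 3.3.3.30/80 to 3.3.3.30/80

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"


def parse_trace(text: str):
    """Return (phases, final): the per-phase records and the key/value summary block."""
    phases, final, cur, section, in_final = [], {}, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":                   # the summary block, not a phase result
            in_final, cur = True, None
        elif in_final:
            if ":" in line:
                k, v = line.split(":", 1)
                final[k.strip()] = v.strip()
        elif line.startswith("Phase:"):
            cur = Phase(int(line.split(":", 1)[1]))
            phases.append(cur)
            section = None
        elif cur is None or not line:
            continue
        elif line in ("Config:", "Additional Information:"):
            section = line
        elif section == "Config:":
            cur.config.append(line)
        elif section is None and ":" in line:   # Type / Subtype / Result headers
            k, v = line.split(":", 1)
            setattr(cur, k.strip().lower(), v.strip())
    return phases, final


def first_drop(phases):
    return next((p for p in phases if p.result == "DROP"), None)


def diagnose(text: str) -> dict:
    """Locate the drop and suggest the next check (general guidance, an assumption)."""
    phases, final = parse_trace(text)
    p = first_drop(phases)
    if p is None:
        return {"phase": None, "hint": "flow allowed end to end"}
    reason = final.get("Drop-reason", "")
    if (p.type, p.subtype) == ("VPN", "encrypt") and "acl-drop" in reason:
        hint = ("dropped at encryption: commonly no IPsec SA covers this proxy identity; "
                "check that the site-to-site crypto ACL on both peers includes the "
                "AnyConnect pool <-> remote LAN, and that no vpn-filter denies the flow")
    elif p.type == "ACCESS-LIST":
        hint = "denied by an interface ACL: " + "; ".join(p.config)
    elif p.type in ("NAT", "UN-NAT"):
        hint = "NAT phase failed; compare with 'show nat detail': " + "; ".join(p.config)
    else:
        hint = f"dropped in {p.type}/{p.subtype}; read the Drop-reason and 'show asp drop'"
    return {"phase": p.number, "type": p.type, "subtype": p.subtype,
            "reason": reason, "hint": hint}


if __name__ == "__main__":
    for k, v in diagnose(TRACE).items():
        print(f"{k}: {v}")
```

On the posted trace it reports phase 9, VPN/encrypt, reason "(acl-drop) Flow is denied by configured rule", and points at the crypto ACLs. That is consistent with the NAT output from both ASAs looking fine: the remote ASA's rules 2 and 8 cover 3.3.3.0/24 to 2.2.2.0/24 for NAT, but nothing in the thread yet shows the crypto ACL (interesting traffic) on either peer, which is what an encrypt-phase drop calls for.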