Anyconnect - routes questions

Pohl_23
Level 1

Hi all.

I just upgraded to ASA 9 (ASA 5510) with AnyConnect 3.0.5080.

I'm still in a test environment, so I can do what I want. I created one AnyConnect profile with a policy and an address pool (172.10.9.100 - 254 /24).

I can connect with my test user with both AnyConnect and WebSSL. What I can't understand is ROUTING.

When my client is connected with AnyConnect it receives the IP 172.10.9.100 with gw: 172.10.9.1. Now... who said that the gateway is 9.1?! I mean... I have no interface on my ASA configured with that address, just one pool (but in a pool you can define a range, not the gw...).

The internal resources are on another net, let's say 172.10.0.0/24. How can I route the client to the internal network?

The fact is I can't ping from the client to 172.10.9.1 because it doesn't actually exist.

Please help me with this because I'm really lost!

Thanks


Jennifer Halim
Cisco Employee

Yes, that is what is always assigned as the gateway, and it doesn't really matter. You won't be able to ping 172.10.9.1.

What you would need to check is the following:

- Try to ping the ASA inside interface (assuming that you have "management-access inside" configured).

- Have you configured NAT exemption for traffic between the inside subnet (172.10.0.0/24 and the pool: 172.10.9.0/24)?

- Do you have split tunnel or tunnelall configured?

- Check that the internal host you are trying to ping/access doesn't have a firewall that might be blocking inbound access from a different subnet.

Thanks for your reply.

When I ping the inside interface I see this in the log:

Failed to locate egress interface for ICMP from outside:172.17.109.100/768 to 172.17.108.1/0

Yes NAT exempt is configured:

(inside) to (any) source static any any   destination static VPN_POOL VPN_POOL

By default it should be split, right? So I think split.

there's no internal host at the moment, I just want to ping the inside interface.

Another thing: I set the default route with my router's IP. I tried both "no options" and "Tunneled", but no luck.

Thanks for your support, I'm really lost with AnyConnect.

Instead of the above NAT statement, please change the "any" for the destination to "outside", and also be specific of the inside subnet.

Example:

object network obj-172.17.108.0

  subnet 172.17.108.0 255.255.255.0

nat (inside,outside) source static obj-172.17.108.0 obj-172.17.108.0 destination static VPN_POOL VPN_POOL

Then "clear xlate" after.

By default there is no split tunnel, unless you actually configure the split tunnel list and policy.

I already tried with a network object instead of any, but no luck (any was more of a test, and anyway I can see that the NAT rule is working because the translation hit count increments).

Ok, I will test on Monday and I will give you an answer asap.

Thanks for your help.

OK, I'm completely lost.

I set up (once again) NAT and NAT exemption, and split tunnel IS NOT enabled.

When I ping:

Failed to locate egress interface for ICMP from outside: 172.17.109.100/768 to 172.17.108.1/0

Where 109.100 is the IP of the client connected to the VPN.

Now comes the interesting part:

If I ping 109.100 from the ASA command line, it DOES NOT WORK. If I ping the same address via ASDM... IT WORKS! And the log shows:

Built outbound UDP connection 1635 for outside:172.17.109.100/33453 (172.17.109.100/33453)(LOCAL\testvpn) to identity:194.29.11.148/49154 (194.29.11.148/49154)

here you can see my routes:

Gateway of last resort is 194.29.11.145 to network 0.0.0.0

C    194.29.11.144 255.255.255.248 is directly connected, outside
S    172.17.109.100 255.255.255.255 [1/0] via 194.29.11.145, outside
C    172.17.108.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via 194.29.11.145, outside

The second one should be added automatically by the ASA (at least it's not in my running-config).

Thanks
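The route table in the post above, as an added example that is not part of the original thread: parse the posted `show route` output and perform the longest-prefix match the ASA does when it picks an egress interface for a destination. It shows that 172.17.108.1 resolves to the connected inside subnet, that the VPN client's 172.17.109.100 resolves to the /32 host route toward outside that the post notes is injected for the connected client and is not in the running-config, and that the pool's implied gateway 172.17.109.1 matches nothing but the default route, consistent with the earlier reply that it cannot be pinged. Assumptions: the `SHOW_ROUTE` text is reconstructed from the lines posted (194.29.11.x as they appear there); `ROUTE_RE`, `parse_show_route` and `egress` are names chosen here.

```python
import ipaddress
import re

# Constructed from the 'show route' output posted above (not a live capture).
SHOW_ROUTE = """\
Gateway of last resort is 194.29.11.145 to network 0.0.0.0

C    194.29.11.144 255.255.255.248 is directly connected, outside
S    172.17.109.100 255.255.255.255 [1/0] via 194.29.11.145, outside
C    172.17.108.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 194.29.11.145, outside
"""

# One ASA route line: code, network, mask, then either "via GW, IFACE" or "connected, IFACE".
ROUTE_RE = re.compile(
    r"^(?P<code>[CS]\*?)\s+(?P<net>\S+) (?P<mask>\S+) .*?"
    r"(?:via (?P<gw>\S+),|connected,)\s*(?P<iface>\S+)$"
)


def parse_show_route(text):
    """Return [(network, iface, gateway_or_None), ...] for every route line parsed."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")  # dotted mask is accepted
            routes.append((net, m["iface"], m["gw"]))
    return routes


def egress(routes, dst):
    """Longest-prefix match: the (network, iface, gateway) that carries dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    return best


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE)
    for target in ("172.17.108.1", "172.17.109.100", "172.17.109.1"):
        print(target, "->", egress(table, target))
```

Feed `parse_show_route` the text of `show route` from your own device to see which interface a given destination leaves by; a destination that only hits the `S*` default is one the ASA has no specific knowledge of.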

Can you please check if you have "management-access inside" configured on the ASA?

A copy of the ASA config might help.

Also see if "inspect icmp" is enabled/configured.

Lastly, try to enable telnet on the inside interface for the anyconnect pool subnet and see if you can telnet to the ASA from the AnyConnect session.

Here's my config.

I deleted some parts because they are other site-to-site (StS) VPNs and are not relevant here.

Thanks

Cryptochecksum: a7f11299 8da068a9 cfb62a50 4a9e3a5d
: Saved
: Written by reini1242 at 07:55:29.112 CEST Tue Mar 26 2013
!
ASA Version 9.0(2)
!
hostname ciscoasa1
domain-name test.com
enable password aa encrypted
passwd aa encrypted
names
ip local pool Pool-AnyConnect 172.17.109.100-172.17.109.200 mask 255.255.255.0
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.148 255.255.255.248 standby x.x.x.149
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.17.108.1 255.255.255.0 standby 172.17.108.2
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.1
vlan 7
nameif mpls-Transfer
security-level 70
ip address 172.17.102.2 255.255.255.0
!
interface Ethernet0/2.2
vlan 4
nameif DMZ-GSC
security-level 70
ip address 172.17.101.2 255.255.255.0
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Ethernet0/3.9
vlan 9
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 172.30.17.190 255.255.255.128 standby 172.30.17.191
!

boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup mpls-Transfer
dns domain-lookup DMZ-GSC
dns domain-lookup management
dns server-group DefaultDNS
domain-name test.com
same-security-traffic permit intra-interface


object network VPN_POOL
subnet 172.17.109.0 255.255.255.0

object network VPN_AnyConnect_Network
subnet 172.17.109.0 255.255.255.0

object network NETWORK_OBJ_172.17.109.0_24
subnet 172.17.109.0 255.255.255.0

access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Tunnel-CiscoVPN_splitTunnelAcl standard permit any4

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mpls-Transfer 1500
mtu DMZ-GSC 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface SyncFailOver Ethernet0/3
failover polltime unit 3 holdtime 9
failover polltime interface 3 holdtime 15
failover key mykey
failover link SyncFailOver Ethernet0/3
failover interface ip SyncFailOver 10.11.11.253 255.255.255.252 standby 10.11.11.254
no monitor-interface outside
no monitor-interface inside
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo mpls-Transfer
icmp permit any echo-reply mpls-Transfer
icmp permit any echo DMZ-GSC
icmp permit any echo-reply DMZ-GSC
icmp permit any echo-reply management
icmp permit any echo management
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static VPN_AnyConnect_Network VPN_AnyConnect_Network
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.17.109.0_24 NETWORK_OBJ_172.17.109.0_24 no-proxy-arp route-lookup
!
!
nat (inside,outside) after-auto source dynamic ANY_Internal interface
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside
access-group DMZ-GSC_access_in in interface DMZ-GSC
route outside 0.0.0.0 0.0.0.0 x.x.x.145 1

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Radius protocol radius
aaa-server Radius (inside) host 172.17.100.71
timeout 5
key RadiusSecuritySecret
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable 10443
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email ciscoasa1@test.com
subject-name CN=ciscoasa1
serial-number
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ciscoasa1
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint1
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 management
ssh 172.30.17.128 255.255.255.128 management
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.17.100.70
ssl server-version sslv3
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.0.5080-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_RoadWarrior_VPN internal
group-policy GroupPolicy_RoadWarrior_VPN attributes
wins-server none
dns-server value 172.17.100.70 172.17.100.71
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-lock value RoadWarrior_VPN
split-tunnel-policy tunnelall
default-domain value test.com
webvpn
  anyconnect profiles value RoadWarrior_VPN_client_profile type user

group-policy PolicyAnyConnect internal
group-policy PolicyAnyConnect attributes
wins-server none
dns-server value 172.17.100.70
vpn-tunnel-protocol ssl-clientless
default-domain value gorba.com
address-pools value Pool-AnyConnect
webvpn
  url-list none
username testvpn password wQhNqEe9hCGSmPyR encrypted
username testvpn attributes
vpn-simultaneous-logins 1000
service-type remote-access

tunnel-group DefaultRAGroup general-attributes
default-group-policy PolicyAnyConnect

tunnel-group RoadWarrior_VPN type remote-access
tunnel-group RoadWarrior_VPN general-attributes
address-pool Pool-AnyConnect
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_RoadWarrior_VPN
tunnel-group RoadWarrior_VPN webvpn-attributes
group-alias RoadWarrior_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname state
no call-home reporting anonymous
Cryptochecksum:a7f112998da068a9cfb62a504a9e3a5d
: end

Please add the following and test again:

management-access inside

telnet 172.17.109.0 255.255.255.0 inside

policy-map global_policy

  class inspection_default

      inspect icmp

Test ping the inside interface (172.17.108.1) and see if you can telnet to it as well.
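The checks from the first reply in this thread (an identity NAT between the inside subnet and the pool, which the later reply says should name the inside subnet rather than `any`) and the lines in this accepted solution (`management-access inside`, `inspect icmp`) can be verified against a running-config mechanically. What follows is an added example, not code from the thread or from Cisco: a small Python audit run over an excerpt of the config posted above, constructed here with the accepted-solution lines left out so that every check has something to report, and with the masked `x.x.x.148` outside address omitted because it does not parse. It also flags three management-exposure items that are visible in the posted config but unrelated to the routing problem: a `telnet ... inside` line once added (cleartext management; `ssh` to the inside interface is the usual alternative when all you want is a reachability test), `http 0.0.0.0 0.0.0.0 outside`, and `ssl server-version sslv3`. All function and finding names are chosen here; the regexes accept ASA sub-commands with or without leading indentation, since the paste above lost it.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in this thread (not the whole
# file); the accepted-solution lines are left out so the audit reports them.
SAMPLE_CONFIG = """\
ip local pool Pool-AnyConnect 172.17.109.100-172.17.109.200 mask 255.255.255.0
interface Ethernet0/1
nameif inside
ip address 172.17.108.1 255.255.255.0 standby 172.17.108.2
object network VPN_AnyConnect_Network
subnet 172.17.109.0 255.255.255.0
object network NETWORK_OBJ_172.17.109.0_24
subnet 172.17.109.0 255.255.255.0
nat (inside,outside) source static any any destination static VPN_AnyConnect_Network VPN_AnyConnect_Network
nat (inside,outside) source static any any destination static NETWORK_OBJ_172.17.109.0_24 NETWORK_OBJ_172.17.109.0_24 no-proxy-arp route-lookup
http 0.0.0.0 0.0.0.0 outside
ssl server-version sslv3
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
"""

# Twice NAT with the same object as real and mapped on both sides is a NAT exemption.
NAT_RE = re.compile(r"^nat \((?P<src_if>[\w-]+),(?P<dst_if>[\w-]+)\) source static (?P<s1>\S+) (?P<s2>\S+)"
                    r" destination static (?P<d1>\S+) (?P<d2>\S+)(?P<opts>.*)$")


def parse_objects(cfg):
    """Map 'object network NAME' to its subnet (host/range members are ignored)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"^object network (\S+)", line):
            current = m[1]
        elif (m := re.match(r"^\s*subnet (\S+) (\S+)$", line)) and current:
            objects[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
    return objects


def parse_interfaces(cfg):
    """Map nameif to the connected subnet of each interface that has an address."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif m := re.match(r"^\s*nameif (\S+)", line):
            name = m[1]
        elif (m := re.match(r"^\s*ip address (\S+) (\S+)", line)) and name:
            nets[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return nets


def parse_pool(cfg):
    """Return (first, last, subnet) of the first 'ip local pool', or None."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg, re.M)
    if not m:
        return None
    return (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
            ipaddress.ip_network(f"{m[1]}/{m[3]}", strict=False))


def identity_nat_rules(cfg):
    rules = []
    for line in cfg.splitlines():
        m = NAT_RE.match(line)
        if m and m["s1"] == m["s2"] and m["d1"] == m["d2"]:
            rules.append({"src_if": m["src_if"], "dst_if": m["dst_if"], "src": m["s1"],
                          "dst": m["d1"], "opts": m["opts"].split()})
    return rules


def audit(cfg):
    """Return [(code, message), ...]; an empty list means every check passed."""
    findings = []
    objects, ifaces, pool = parse_objects(cfg), parse_interfaces(cfg), parse_pool(cfg)
    # 1. The pool must not overlap a connected subnet, or identity NAT and routing collide.
    for name, net in ifaces.items():
        if pool and pool[2].overlaps(net):
            findings.append(("POOL_OVERLAP", f"pool {pool[2]} overlaps {name} {net}"))
    # 2. A NAT exemption toward the pool exists and names the inside subnet, not 'any'.
    to_pool = [r for r in identity_nat_rules(cfg) if pool and objects.get(r["dst"]) == pool[2]]
    if not to_pool:
        findings.append(("NO_NAT_EXEMPT", "no identity NAT between inside and the VPN pool"))
    for r in to_pool:
        if r["src"] == "any":
            findings.append(("NAT_EXEMPT_ANY", f"exemption ({r['src_if']},{r['dst_if']}) uses 'any' as source; name the inside subnet object"))
    # 3. The two lines from the accepted solution that make the inside interface answer.
    if not re.search(r"^management-access inside\s*$", cfg, re.M):
        findings.append(("NO_MGMT_ACCESS", "add: management-access inside"))
    if not re.search(r"^\s*inspect icmp\s*$", cfg, re.M):
        findings.append(("NO_INSPECT_ICMP", "add: inspect icmp under class inspection_default"))
    # 4. Management exposure visible in the posted config (not part of the routing issue).
    for line in cfg.splitlines():
        if re.match(r"^telnet \S+ \S+ \S+", line):
            findings.append(("TELNET", f"cleartext management: {line}"))
        elif re.match(r"^http 0\.0\.0\.0 0\.0\.0\.0 outside", line):
            findings.append(("ASDM_ON_OUTSIDE", "HTTPS/ASDM management open to any source on outside"))
        elif line.startswith("ssl server-version sslv3"):
            findings.append(("SSLV3", "server limited to SSLv3 for WebVPN/AnyConnect"))
    return findings
```

Call `audit(open("running-config.txt").read())` on a saved `show running-config` to use it on a real device; the `opts` field on each exemption keeps the trailing keywords, so you can also see whether `route-lookup` is set, as it is on the second NAT line above. As the earlier reply notes, run `clear xlate` after changing the NAT lines so existing translations do not mask the change.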

It works.

The telnet command is not the reason (it was for testing purposes); what I can't understand is why the log told me "failed to locate egress interface".

Anyway, thanks for your great help!