Anyconnect SSL internet access - U Turn

Bilal Nawaz
VIP Alumni

Hi team,

I'm not great when it comes to VPN and SSL on the ASA, so I'm looking for some assistance please. At the moment we have AnyConnect rolled out to laptops. The idea is that they SSL VPN in to the ASA and then have access to corporate resources as well as the internet. But we want the internet access to go through the ASA, which is the bit that has stopped working. Maybe a config change or something, not sure yet. I have checked the NAT and rules, the usual, and it seems to be okay. Apparently some users are working, but some aren't. I have a laptop with the client and it is not working. Attached is the config.

Any assistance with config and troubleshooting would be much appreciated.

Bilal

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
7 Replies

Dinesh Moudgil
Cisco Employee

Bilal,

Looking at the configuration, 

  • nat (outside) 1 172.26.255.0 255.255.255.0 
    global (outside) 1 interface
  • same-security-traffic permit intra-interface
  • anyconnectpool 172.26.255.129-172.26.255.254 mask 255.255.255.128
  • group-policy SBL attributes
     dns-server value 10.211.244.213
     split-tunnel-policy tunnelall

It looks correct. Can you specify whether only web traffic is affected, or even pings are not working?

For a test, try running continuous pings from the client and run the following commands on the ASA:
capture asp type asp-drop all
show cap asp | in <client's assigned pool private IP>

This output should show you if the packets are getting dropped on the ASA.
You can also run "show asp drop" in regular interval to see which counters are incremented.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thanks for replying. Here is the output

GM-ASA-WWW01/pri/act# show cap asp | inc 172.26.255.164
  20: 13:53:53.303542 802.1Q vlan#14 P0 172.26.255.164 > 8.8.8.8: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
GM-ASA-WWW01/pri/act# show cap asp | inc 172.26.255.164
  20: 13:53:53.303542 802.1Q vlan#14 P0 172.26.255.164 > 8.8.8.8: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
GM-ASA-WWW01/pri/act# show cap asp | inc 172.26.255.164
  20: 13:53:53.303542 802.1Q vlan#14 P0 172.26.255.164 > 8.8.8.8: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  No valid adjacency (no-adjacency)                                        12514
  No route to host (no-route)                                               5904
  Reverse-path verify failed (rpf-violated)                                26597
  Flow is denied by configured rule (acl-drop)                            264879
  NAT-T keepalive message (natt-keepalive)                                    26
  First TCP packet not SYN (tcp-not-syn)                                   49312
  Bad TCP flags (bad-tcp-flags)                                               97
  TCP failed 3 way handshake (tcp-3whs-failed)                            121376
  TCP RST/FIN out of order (tcp-rstfin-ooo)                               299079
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                          1993
  TCP SYNACK on established conn (tcp-synack-ooo)                           1338
  TCP packet SEQ past window (tcp-seq-past-win)                            14377
  TCP invalid ACK (tcp-invalid-ack)                                          332
  TCP replicated flow pak drop (tcp-fo-drop)                               25273
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                    1196
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                1571
  TCP packet failed PAWS test (tcp-paws-fail)                               4855
  CTM returned error (ctm-error)                                               2
  IPSEC tunnel is down (ipsec-tun-down)                                        3
  Early security checks failed (security-failed)                            2214
  Slowpath security checks failed (sp-security-failed)                     17907
  IP option drop (invalid-ip-option)                                         840
  ICMP Inspect seq num not matched (inspect-icmp-seq-num-not-matched)          2
  DNS Inspect id not matched (inspect-dns-id-not-matched)                     61
  Interface is down (interface-down)                                          93
  Dropped pending packets in a closed socket (np-socket-closed)              919
  SVC Module does not have a session (mp-svc-no-session)                    1715
  SVC Module is in flow control (mp-svc-flow-control)                       7859

Last clearing: Never

Flow drop:
  Flow is denied by access rule (acl-drop)                                   324
  NAT failed (nat-failed)                                                   7492
  NAT reverse path failed (nat-rpf-failed)                                  6824
  Inspection failure (inspect-fail)                                         1616
  SSL handshake failed (ssl-handshake-failed)                              24658
  SSL record decryption failed (ssl-record-decrypt-error)                      2
  SSL received close alert (ssl-received-close-alert)                         22
  SVC replacement connection established (svc-replacement-conn)                7

I am pinging 8.8.8.8 and I'm getting request timed out. What next :)

Bilal


While running the test pings, please clear the counters with "clear asp drop" and then run the command "show asp drop" at intervals of 5 seconds, 2-3 times, and share the output.
Also can you please share output of
"show run all sysopt"
"show shun"
"show run all group-policy SBL"

Since you mentioned a few machines are working fine, can you confirm whether you have specific attributes applied for those users?

Regards,
Dinesh Moudgil
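The clear-then-sample procedure above is easier to read if successive snapshots are diffed rather than eyeballed. The following Python is an added example, not code from this thread or from Cisco: it parses "show asp drop" output (two constructed snapshots modelled on the ones posted here) and lists the counters that climbed between them, which is what singles out acl-drop and nat-failed as the ones worth chasing.

```python
import re

# Constructed snapshots modelled on the "show asp drop" output in the thread,
# taken a few seconds apart WITHOUT an intervening "clear asp drop".
SNAP_BEFORE = """Frame drop:
  Reverse-path verify failed (rpf-violated)                                   10
  Flow is denied by configured rule (acl-drop)                                27
  TCP failed 3 way handshake (tcp-3whs-failed)                                23
Last clearing: 14:50:06 BST Aug 21 2015 by nawazb
Flow drop:
  Inspection failure (inspect-fail)                                            2
"""
SNAP_AFTER = """Frame drop:
  No route to host (no-route)                                                  8
  Reverse-path verify failed (rpf-violated)                                   28
  Flow is denied by configured rule (acl-drop)                               108
  TCP failed 3 way handshake (tcp-3whs-failed)                                74
Last clearing: 14:50:06 BST Aug 21 2015 by nawazb
Flow drop:
  NAT failed (nat-failed)                                                      4
"""

# Counter lines look like "  <description> (<counter-name>)   <count>";
# "Last clearing:" and prompt lines have no leading blank and are skipped.
COUNTER_RE = re.compile(r"^\s+.+?\s+\((\S+)\)\s+(\d+)\s*$")

def parse_asp_drop(text):
    """Map (section, counter) -> count; sections are 'Frame drop' / 'Flow drop'."""
    counters, section = {}, None
    for line in text.splitlines():
        if line.endswith("drop:"):
            section = line[:-1].strip()
            continue
        m = COUNTER_RE.match(line)
        if m and section:
            counters[(section, m.group(1))] = int(m.group(2))
    return counters

def climbing_counters(before, after):
    """Counters that increased between two snapshots, largest delta first.
    A counter absent from one snapshot (ASA omits zero rows) is taken as 0."""
    keys = set(before) | set(after)
    deltas = {k: after.get(k, 0) - before.get(k, 0) for k in keys}
    return sorted(((k, d) for k, d in deltas.items() if d > 0),
                  key=lambda kd: -kd[1])

if __name__ == "__main__":
    for (section, name), delta in climbing_counters(
            parse_asp_drop(SNAP_BEFORE), parse_asp_drop(SNAP_AFTER)):
        print(f"{section:10s} {name:20s} +{delta}")
```

Pair the top climber with "show cap asp | in <client IP>" as Dinesh suggests: a rising acl-drop or nat-failed on its own does not say which flow is affected, the capture does.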

No, there shouldn't be any specific attributes for users. All should be the same.

GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  No route to host (no-route)                                                 13
  Reverse-path verify failed (rpf-violated)                                   50
  Flow is denied by configured rule (acl-drop)                               175
  First TCP packet not SYN (tcp-not-syn)                                       9
  TCP failed 3 way handshake (tcp-3whs-failed)                               282
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                  444
  TCP SYNACK on established conn (tcp-synack-ooo)                              1
  TCP packet SEQ past window (tcp-seq-past-win)                                8
  TCP ACK in 3 way handshake invalid (tcp-discarded-ooo)                      51
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                   2
  TCP packet failed PAWS test (tcp-paws-fail)                                 12
  Slowpath security checks failed (sp-security-failed)                         4

Last clearing: 14:49:46 BST Aug 21 2015 by nawazb

Flow drop:
  NAT failed (nat-failed)                                                      6

Last clearing: 14:49:46 BST Aug 21 2015 by nawazb
GM-ASA-WWW01/pri/act#
GM-ASA-WWW01/pri/act# clear asp drop
GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  Reverse-path verify failed (rpf-violated)                                   10
  Flow is denied by configured rule (acl-drop)                                27
  First TCP packet not SYN (tcp-not-syn)                                       1
  TCP failed 3 way handshake (tcp-3whs-failed)                                23
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   35
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            17
  TCP packet SEQ past window (tcp-seq-past-win)                                2
  Slowpath security checks failed (sp-security-failed)                         3
  Dropped pending packets in a closed socket (np-socket-closed)                1

Last clearing: 14:50:06 BST Aug 21 2015 by nawazb

Flow drop:
  Inspection failure (inspect-fail)                                            2

Last clearing: 14:50:06 BST Aug 21 2015 by nawazb
GM-ASA-WWW01/pri/act#
GM-ASA-WWW01/pri/act# clear asp drop
GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  No route to host (no-route)                                                  1
  Reverse-path verify failed (rpf-violated)                                    4
  Flow is denied by configured rule (acl-drop)                                19
  First TCP packet not SYN (tcp-not-syn)                                       1
  TCP failed 3 way handshake (tcp-3whs-failed)                                11
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   20
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            10
  TCP packet SEQ past window (tcp-seq-past-win)                                1
  Dropped pending packets in a closed socket (np-socket-closed)                1

Last clearing: 14:50:20 BST Aug 21 2015 by nawazb

Flow drop:
  NAT failed (nat-failed)                                                      2

Last clearing: 14:50:20 BST Aug 21 2015 by nawazb
GM-ASA-WWW01/pri/act#
GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  No route to host (no-route)                                                  8
  Reverse-path verify failed (rpf-violated)                                   28
  Flow is denied by configured rule (acl-drop)                               108
  First TCP packet not SYN (tcp-not-syn)                                      16
  TCP failed 3 way handshake (tcp-3whs-failed)                                74
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                  214
  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                            22
  TCP packet SEQ past window (tcp-seq-past-win)                                4
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  10
  Dropped pending packets in a closed socket (np-socket-closed)                1

Last clearing: 14:50:20 BST Aug 21 2015 by nawazb

Flow drop:
  NAT failed (nat-failed)                                                      4

Last clearing: 14:50:20 BST Aug 21 2015 by nawazb
GM-ASA-WWW01/pri/act# clear asp drop
GM-ASA-WWW01/pri/act# show asp drop

Frame drop:
  No route to host (no-route)                                                  4
  Reverse-path verify failed (rpf-violated)                                   10
  Flow is denied by configured rule (acl-drop)                                27
  TCP failed 3 way handshake (tcp-3whs-failed)                                28
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   53
  TCP packet SEQ past window (tcp-seq-past-win)                                2
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                   1

Last clearing: 14:50:32 BST Aug 21 2015 by nawazb

Flow drop:

Last clearing: 14:50:32 BST Aug 21 2015 by nawazb
GM-ASA-WWW01/pri/act#


GM-ASA-WWW01/pri/act# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ-1
no sysopt noproxyarp DMZ-2
no sysopt noproxyarp DMZ-4
no sysopt noproxyarp DMZ-5
no sysopt noproxyarp DMZ-6

GM-ASA-WWW01/pri/act# show shun
GM-ASA-WWW01/pri/act#

GM-ASA-WWW01/pri/act# show run all group-policy SBL
group-policy SBL internal
group-policy SBL attributes
 wins-server none
 dns-server value 10.211.244.213
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelall
 default-domain value nel.local
 webvpn
  svc profiles value test
  svc ask enable default webvpn

I think I realise what the problem is. My connection is coming from DMZ6 instead of the outside interface.

On the DMZ6 interface there is no NAT for internet traffic for IPs in the DHCP range. Could you help me with the configuration to allow this?


Hello Bilal,

There seems to be some issue because I am not able to see your post when I log in, but it comes up without login.

Please add this command and let me know how it fares:

nat (DMZ-6) 1 172.26.255.0 255.255.255.0

Regards,
Dinesh Moudgil

Thanks Dinesh, it's working perfectly now.

Bilal
