AnyConnect to Internal and Site to Site VPN

Isynth
Level 1

Dear Community,

I am struggling to get a connection from the AnyConnect clients to the internal network as well as to the site-to-site VPN.

AnyConnect Network 10.10.200.0 --> ASA with internal network 10.10.100.0 connected --> remote L2L site 192.168.1.1

If I try to ping from the AnyConnect client, I can see in the ASA debug that the ping reaches the ASA. If I simulate the ping via packet tracer, I get the following output for pings to the internal and remote site, but only if AnyConnect clients are connected and the 10.10.200.0 network is recognized as directly connected. If no AnyConnect client is connected, the packet tracer succeeds in establishing the connection:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

I tried with a permit any any ACL, but that doesn't change a thing.

Thanks for your input

15 Replies

The access lists on the local and remote VPN devices must be mirror images of each other. The ACL you removed was part of your site-to-site crypto map. You must have had an extra ACL that the remote end did not have, thus the VPN would not have worked.
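The reply's point, that the crypto map ACLs on both ends must mirror each other, is exactly the kind of thing worth checking mechanically before looking at packet tracer output. The script below is an added example, not code from the thread or from Cisco: it parses the `access-list ... extended permit ip` lines from two constructed ASA crypto ACLs (names `L2L_TO_BRANCH` / `L2L_TO_HUB`, the /24 masks and the 192.168.1.0/24 branch subnet are all assumptions based on the addresses in the question), reports which entries lack a mirror on the other side, and tests whether a given flow, such as an AnyConnect client at 10.10.200.5 pinging 192.168.1.1, is selected for encryption by both ends. In the constructed config the hub includes the AnyConnect pool in its crypto ACL but the branch does not, which is the asymmetry the reply describes.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample config lines (not the thread's real ASA configuration).
# Hub ASA: the L2L crypto ACL covers both the internal LAN and the AnyConnect pool.
LOCAL_CRYPTO_ACL = """
access-list L2L_TO_BRANCH extended permit ip 10.10.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L_TO_BRANCH extended permit ip 10.10.200.0 255.255.255.0 192.168.1.0 255.255.255.0
"""

# Branch ASA: only mirrors the internal LAN entry; the AnyConnect pool is missing.
REMOTE_CRYPTO_ACL = """
access-list L2L_TO_HUB extended permit ip 192.168.1.0 255.255.255.0 10.10.100.0 255.255.255.0
"""

Entry = namedtuple("Entry", "src src_mask dst dst_mask")

# Matches the simple "permit ip <net> <mask> <net> <mask>" form used in crypto ACLs.
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<src_mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_mask>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_crypto_acl(text):
    """Return the ACEs found in an ASA crypto ACL as Entry tuples."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def mirror(entry):
    """The ACE the other peer must have: source and destination swapped."""
    return Entry(entry.dst, entry.dst_mask, entry.src, entry.src_mask)


def find_mismatches(local_text, remote_text):
    """Return (entries missing on the remote peer, entries missing on the local peer)."""
    local = set(parse_crypto_acl(local_text))
    remote = set(parse_crypto_acl(remote_text))
    missing_on_remote = sorted(e for e in local if mirror(e) not in remote)
    missing_on_local = sorted(e for e in remote if mirror(e) not in local)
    return missing_on_remote, missing_on_local


def ace_matches(entry, src_ip, dst_ip):
    """True if src_ip/dst_ip fall inside the ACE's source and destination networks."""
    src_net = ipaddress.ip_network(f"{entry.src}/{entry.src_mask}", strict=False)
    dst_net = ipaddress.ip_network(f"{entry.dst}/{entry.dst_mask}", strict=False)
    return (ipaddress.ip_address(src_ip) in src_net
            and ipaddress.ip_address(dst_ip) in dst_net)


def flow_protected_both_ways(local_text, remote_text, src_ip, dst_ip):
    """A flow only works if the local ACL selects src->dst AND the remote ACL selects dst->src."""
    local_ok = any(ace_matches(e, src_ip, dst_ip) for e in parse_crypto_acl(local_text))
    remote_ok = any(ace_matches(e, dst_ip, src_ip) for e in parse_crypto_acl(remote_text))
    return local_ok and remote_ok


if __name__ == "__main__":
    missing_remote, missing_local = find_mismatches(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL)
    for e in missing_remote:
        print(f"remote peer lacks mirror of: {e.src}/{e.src_mask} -> {e.dst}/{e.dst_mask}")
    for e in missing_local:
        print(f"local peer lacks mirror of: {e.src}/{e.src_mask} -> {e.dst}/{e.dst_mask}")
    for src in ("10.10.100.5", "10.10.200.5"):
        ok = flow_protected_both_ways(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL, src, "192.168.1.1")
        print(f"{src} -> 192.168.1.1 protected on both ends: {ok}")
```

Run as-is, the script flags the 10.10.200.0/24 entry as having no mirror on the branch and shows that a ping from the internal LAN is covered by both ends while one from the AnyConnect pool is not. Adding the mirrored `192.168.1.0 ... 10.10.200.0` line to the branch ACL makes the second flow pass; on the hub, the AnyConnect pool would additionally need the usual NAT exemption and intra-interface hairpinning, which this check does not model.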
