AnyConnect VPN issue

David Niemann
Level 3

This one is confusing me.  I have a pretty simple VPN configuration and all of a sudden new users are having connection issues.  I'm getting Asymmetric NAT errors in the logs, but at the same time I'm getting users in the same VPN group and IP ranges that are working fine.  Syslog below:

Sep 29 10:03:14 <VPN device> Sep 29 2011 10:03:14: %ASA-6-302015: Built inbound UDP connection 521606 for RAS:172.31.172.171/56147 (172.31.172.171/56147) to VPN:192.168.25.7/53 (192.168.25.7/53) (<UID>)
Sep 29 10:03:14 <VPN device> Sep 29 2011 10:03:14: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src RAS:172.31.172.179/63589 dst VPN:192.168.25.7/53 denied due to NAT reverse path failure
Sep 29 10:03:14 <VPN device> Sep 29 2011 10:03:14: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src RAS:172.31.172.177/52619 dst VPN:192.168.25.7/53 denied due to NAT reverse path failure
Sep 29 10:03:14 <VPN device> Sep 29 2011 10:03:14: %ASA-6-302016: Teardown UDP connection 521606 for RAS:172.31.172.171/56147 to VPN:192.168.25.7/53 duration 0:00:00 bytes 125 (<UID>)

Config below:

nat (VPN) 0 access-list VPN_nat0_outbound
access-list VPN_nat0_outbound extended permit ip host 192.168.25.7 172.31.172.160 255.255.255.240
access-list VPN_nat0_outbound extended permit ip host 192.168.25.6 172.31.172.160 255.255.255.240

access-list VPN-ExternalUsers_SplitTunnelACL standard permit host 192.168.25.7
access-list VPN-ExternalUsers_SplitTunnelACL standard permit host 192.168.25.6

group-policy VPN-ExternalUsers internal
group-policy VPN-ExternalUsers attributes
banner <removed>
dns-server value 192.168.25.7 192.168.25.6
vpn-simultaneous-logins 6
vpn-idle-timeout 60
vpn-session-timeout none
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-ExternalUsers_SplitTunnelACL
default-domain value <domain>
address-pools value VPN-ExternalUsers

tunnel-group VPN-ExternalUsers type remote-access
tunnel-group VPN-ExternalUsers general-attributes
address-pool VPN-ExternalUsers
authentication-server-group ProdACS
accounting-server-group ProdACS
default-group-policy VPN-ExternalUsers
tunnel-group VPN-ExternalUsers webvpn-attributes
group-alias VPN-ExternalUsers enable
group-url https://<URL>/VPN-ExternalUsers enable

The mystery to me is why only new VPN connections are having the asymmetric NAT errors and not already existing connections.  Any insight would be greatly appreciated.

2 Replies

David Niemann
Level 3

Forgot to mention I'm running 8.2.5.

Found the issue: I had some incorrect subnet masks on the NAT ACL.
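The script below is an added worked example, not code from the thread, from the poster or from Cisco. It reproduces the diagnosis the poster arrived at: it parses the nat 0 exemption ACL and the %ASA-5-305013 denials quoted above, and for each denied flow asks whether any exemption entry covers the reverse flow (inside host to client address), which is what the reverse-path check is testing. With the posted mask 255.255.255.240 (a /28 covering 172.31.172.160 through .175) the working client .171 is covered while the failing clients .177 and .179 are not, which is also why established sessions kept working and only new clients drawn from the upper end of the pool failed. The corrected mask 255.255.255.224 and the pool range 172.31.172.161 through .190 are assumptions used for illustration; the thread gives neither the actual fix nor the address-pool definition, and the device name and UIDs in the sample lines are placeholders.

```python
"""Cross-check ASA 'NAT reverse path failure' denials (%ASA-5-305013) against a nat 0 exemption ACL.

Added example for the thread above, not the poster's or Cisco's code. The ACL and syslog samples are
constructed from what the thread quotes; the corrected mask and the pool range are assumptions.
"""
import ipaddress
import re

# nat 0 ACL as posted: mask 255.255.255.240 is a /28, so it only covers 172.31.172.160-175.
NAT0_ACL_POSTED = """
access-list VPN_nat0_outbound extended permit ip host 192.168.25.7 172.31.172.160 255.255.255.240
access-list VPN_nat0_outbound extended permit ip host 192.168.25.6 172.31.172.160 255.255.255.240
"""

# Assumed correction (255.255.255.224 is a /27 covering .160-191); the thread does not give the real mask.
NAT0_ACL_FIXED = NAT0_ACL_POSTED.replace("255.255.255.240", "255.255.255.224")

# Constructed syslog sample built from the lines in the question (device name and UIDs replaced).
SYSLOG_SAMPLE = """
Sep 29 10:03:14 asa1 Sep 29 2011 10:03:14: %ASA-6-302015: Built inbound UDP connection 521606 for RAS:172.31.172.171/56147 (172.31.172.171/56147) to VPN:192.168.25.7/53 (192.168.25.7/53)
Sep 29 10:03:14 asa1 Sep 29 2011 10:03:14: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src RAS:172.31.172.179/63589 dst VPN:192.168.25.7/53 denied due to NAT reverse path failure
Sep 29 10:03:14 asa1 Sep 29 2011 10:03:14: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src RAS:172.31.172.177/52619 dst VPN:192.168.25.7/53 denied due to NAT reverse path failure
"""

ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(.+)$")
DENY_RE = re.compile(
    r"%ASA-5-305013: .*?Connection for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)/\d+ denied due to NAT reverse path failure"
)


def _take_endpoint(tokens):
    """Consume one ACL endpoint ('any' | 'host A.B.C.D' | 'NET MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits in NET.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_nat0_acl(text):
    """Return [(src_net, dst_net)] for each 'extended permit ip' entry; other protocols are ignored."""
    rules = []
    for line in text.splitlines():
        match = ACL_RE.match(line.strip())
        if match:
            src, rest = _take_endpoint(match.group(1).split())
            dst, _ = _take_endpoint(rest)
            rules.append((src, dst))
    return rules


def parse_denials(text):
    """Return [(client_ip, inside_ip)] for each 305013 reverse-path denial in the syslog text."""
    return [(m["src"], m["dst"]) for m in map(DENY_RE.search, text.splitlines()) if m]


def is_exempt(rules, inside_ip, client_ip):
    """True if some nat 0 entry covers the reverse flow inside_ip -> client_ip.

    The ACL is bound to the VPN (inside) interface, so its source is the inside host and its
    destination is the remote client address; that reverse flow is what the ASA check tests.
    """
    inside = ipaddress.ip_address(inside_ip)
    client = ipaddress.ip_address(client_ip)
    return any(inside in src and client in dst for src, dst in rules)


def triage(acl_text, syslog_text):
    """Map each denied client address to whether the ACL exempts its reverse flow."""
    rules = parse_nat0_acl(acl_text)
    return {client: is_exempt(rules, inside, client) for client, inside in parse_denials(syslog_text)}


def pool_gaps(rules, inside_ip, pool_first, pool_last):
    """List the pool addresses (inclusive range) that the ACL does not exempt for inside_ip."""
    first = int(ipaddress.ip_address(pool_first))
    last = int(ipaddress.ip_address(pool_last))
    return [str(ipaddress.ip_address(n)) for n in range(first, last + 1)
            if not is_exempt(rules, inside_ip, str(ipaddress.ip_address(n)))]


if __name__ == "__main__":
    posted = parse_nat0_acl(NAT0_ACL_POSTED)
    print("denied clients exempt under posted ACL:", triage(NAT0_ACL_POSTED, SYSLOG_SAMPLE))
    print("working client 172.31.172.171 exempt:", is_exempt(posted, "192.168.25.7", "172.31.172.171"))
    # Assumed pool 172.31.172.161-190; the thread does not show the address-pool definition.
    print("pool addresses not exempted:", pool_gaps(posted, "192.168.25.7", "172.31.172.161", "172.31.172.190"))
    print("denied clients exempt under fixed ACL:", triage(NAT0_ACL_FIXED, SYSLOG_SAMPLE))
```

Run it against a real `show running-config access-list` export and the 305013 lines from `show logging` to list every pool address that the exemption ACL misses; the parser only understands `extended permit ip` entries with `host`, `any` or network-plus-mask endpoints, so object-group based ACLs would need expanding first.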