06-28-2010 07:48 PM
Hi all
I have an interesting problem with a Cisco ASA 5540 and returning traffic to a vpn client being dropped.
The solution looks like this
vpn-client --> [ASA5540] ----> Cat6k -----> (TLS MAN ) ----> [Cat4k] ----> <subnet on Cat 4k 10.161.0.0 /22>
The Cat4k destination interface is as follows
interface Vlan1
ip address 10.161.0.1 255.255.252.0
no ip redirects
The ASA can ping the ingress and egress interfaces of the Cat6k
The ASA can across the Transparent LAN service (MAN) onto a IP address on the CAT4k
The ASA can ping any address on the Cat4k within the 10.161.0.0 /22 addressed vlan.
But when a VPN client establishes a remote access IPSEC tunnel onto the ASA,
The vpn client can ping the ingress and egress interfaces of the Cat6k
The vpn client can ping across the Transparent LAN service (MAN) onto an IP address on the Cat4k
BUT the vpn client can only ping hosts within the 10.161.0.0/22 address space from 10.161.1.1 up to 10.161.3.254
All addresses from 10.161.0.1 up to 10.161.0.255 are not reachable by either TCP or ICMP.
I performed a real-time captures on the ingress of the inside interface of the ASA to see if the traffic was actually getting back to the ASA, to rule out a routing or switching problem.
The following is a successful test from vpn client 10.162.104.60 to 10.161.2.2 /22
<hostname># capture test interface inside real-time match icmp host 10.161.2.1$
1: 12:18:21.825183 10.162.104.60 > 10.161.2.1: icmp: echo request
2: 12:18:21.826296 10.161.2.1 > 10.162.104.60: icmp: echo reply
3: 12:18:22.825900 10.162.104.60 > 10.161.2.1: icmp: echo request
4: 12:18:22.831545 10.161.2.1 > 10.162.104.60: icmp: echo reply
The client receives a reply
<host>$ ping 10.161.2.1
PING 10.161.2.1 (10.161.2.1): 56 data bytes
64 bytes from 10.161.2.1: icmp_seq=0 ttl=126 time=6.270 ms
64 bytes from 10.161.2.1: icmp_seq=1 ttl=126 time=11.688 ms
The following is an unsuccessful test from vpn client 10.162.104.60 to 10.161.0.1 in the same subnet
It shows the echo reply traffic actually coming back to the ASA
Although the vpn client does not receive the packet.
<host>$ ping 10.161.0.1
PING 10.161.0.1 (10.161.0.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
(This was tested on both Windows Cisco vpn client and MAC vpn client version 4.9.01.0180)
Yet the ASA can ping both ip addresses from its inside interface
06-28-2010 09:09 PM
Further to my post:
ASA version:
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(3)
06-29-2010 04:30 AM
Split tunnel ACL should be standard ACL. Base on your post, I am under the impression that split tunnel ACL is extended ACL, but pls ignore if it's standard ACL.
Any chance you can post the config of the ASA? Base on the output provided so far, config seems to be OK, and seems like ASA is getting the ICMP echo and echo reply. Would be interested to see if it's actually being forwarded out the VPN tunnel.
Apart from ping, can you try TCP based application and see how it goes?
07-22-2010 07:15 PM
Resolved the problem.
ASA had a static site to site vpn setup to an overseas location.
The protected access list for this site to site vpn covered traffic destined for 10.0.0.0/8 (access list was rather broad)
Return traffic for the RA vpn users was being then being flagged for encryption into the site to site vpn instead of the RA vpn users connection.
Amended the protected access-list for the site to site vpn that denied the source addresses of the RA vpn pool.
It still does not explain why the RA vpn connections would respond to only part of the subnet, it should have been all or nothing.
><
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: