ASA Remote Access VPN disconnecting after subnet change

munaf shaikh
Level 1

Hi Folks,

Background info:

  • We are running the ASA image on Firepower.
  • The Internet connection is terminated on the ASA's outside interface via a switch and an Internet router.
  • The subnet on the outside interface is a /24, for example: 193.111.140.174/24
  • Remote users connect to the VPN using the AnyConnect client on IP 193.111.140.174

Problem:

Due to a requirement, we changed the subnet of the outside interface to a /30. After that, the VPN connects and then disconnects automatically and does not reconnect. After reverting the subnet to /24, no issue is faced.

I have found the certificate errors below in the AnyConnect logs. Not sure if it's related to the issue.

 

******************************************
No profile available for host webvpn2.charles-stanley.co.uk.
******************************************
Profile () not found. Using default settings.
******************************************
EKU not found in certificate: 1.3.6.1.5.5.7.3.2
******************************************
Extended key usage verification failed
******************************************
Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages
******************************************
Return Code: -31391722 (0xFE210016)
Description: CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_FAILED:The certificate did not contain the required Extended Key Usages
******************************************
Ignoring client certificate because it does not contain the required EKU extension. Certificate details:
Store: Microsoft User, Subject: CN=16B2E0B04C989E4986686D4EED0EB977::Sh****@**tech.com::https://ds1687.awmdm.com/DeviceServices::::commonproject, Common Name: 16B2E0B04C989E4986686D4EED0EB977::Sh****@**tech.com::https://ds1687.awmdm.com/DeviceServices::::commonproject, Issuer: CN=AirWatchCa, Not Valid Before: Jul 13 07:26:46 2022 GMT, Not Valid After: Jul 11 07:26:46 2032 GMT, Serial: 045258, SHA1 Fingerprint: 8CCEBE94FCFD2D943C3F1679B378A610BADD4933
******************************************
EKU not found in certificate: 1.3.6.1.5.5.7.3.2
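
The log above shows the rule AnyConnect applied when choosing a client certificate: a certificate whose Extended Key Usage list lacks Client Authentication (OID 1.3.6.1.5.5.7.3.2) is skipped, and the AirWatch-issued device certificate in the store is skipped for that reason. The script below is an added example, not part of the original post and not Cisco code: it reproduces that classification with the Python `cryptography` package (an assumption; `pip install cryptography`) over a constructed in-memory store of throwaway self-signed certificates. The log does not say how AnyConnect treats a certificate that has no EKU extension at all, so the checker reports that case separately rather than guessing.

```python
"""Added example (not from the thread, not Cisco code): classify certificates
the way the AnyConnect log does, by presence of the Client Authentication EKU
(OID 1.3.6.1.5.5.7.3.2).  Uses the `cryptography` package and builds
throwaway self-signed certs in memory as a stand-in for a certificate store."""
import datetime
from typing import Dict, List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH      # 1.3.6.1.5.5.7.3.2
SERVER_AUTH = ExtendedKeyUsageOID.SERVER_AUTH      # 1.3.6.1.5.5.7.3.1


def make_cert(cn: str, ekus: Optional[List[x509.ObjectIdentifier]]) -> x509.Certificate:
    """Self-signed test certificate; `ekus=None` omits the EKU extension entirely."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def eku_status(cert: x509.Certificate) -> str:
    """'client-auth' if 1.3.6.1.5.5.7.3.2 is listed, 'no-eku' if the extension
    is absent (behaviour not established by the log, so reported separately),
    otherwise 'wrong-eku' (the case the log complains about)."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "no-eku"
    return "client-auth" if CLIENT_AUTH in eku else "wrong-eku"


def select_client_certs(certs: List[x509.Certificate]) -> Dict[str, List[str]]:
    """Partition a store's certificates by EKU status, keyed by subject CN."""
    result: Dict[str, List[str]] = {"client-auth": [], "wrong-eku": [], "no-eku": []}
    for c in certs:
        cn = c.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        result[eku_status(c)].append(cn)
    return result


# Constructed sample store (names are hypothetical): a device certificate
# whose EKU list lacks clientAuth, a proper VPN user certificate, and one
# with no EKU extension at all.
SAMPLE_STORE = [
    make_cert("device-mdm-cert", [SERVER_AUTH]),
    make_cert("vpn-user-cert", [CLIENT_AUTH]),
    make_cert("legacy-no-eku", None),
]

if __name__ == "__main__":
    for status, names in select_client_certs(SAMPLE_STORE).items():
        print(f"{status:12s} {names}")
    print("required EKU:", CLIENT_AUTH.dotted_string)
```

To run the same check against a real certificate, load it with `x509.load_pem_x509_certificate` or `x509.load_der_x509_certificate` and pass it to `eku_status`; if the result is `wrong-eku`, the issuing CA needs to add Client Authentication to the template before AnyConnect will consider that certificate.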

 

 

 

 

 

 

Accepted Solution

This is a routing issue, not AnyConnect, I think.
In the Internet router, check both /24 and /30; maybe there is a conflict with another subnet.

7 Replies


Thanks, mate.

We have also observed a routing issue. However, we are unable to find the root cause of this strange behavior.

As soon as we change the subnet to a non-/24 subnet on the outside interface of the ASA, pings to the outside interface IP stop.

And strangely, when we change the subnet back to /24, pings resume.

On the Internet router, the LAN interface, which connects to the intermediate switch, is also configured with a /24 subnet.

 

In the Internet router, do
show ip route 193.111.140.174/32 longest
and see which egress interface the router uses.

The route for 193.111.140.174/32 shows the egress interface as the LAN interface of the Internet router, which has the /24 subnet IP 193.111.140.110/24.

Physical setup: ASA (outside interface) ---> Switch ---> (LAN interface) Internet router
Working setup: ASA outside interface (/24 subnet) ---> Switch ---> Internet router LAN (/24 subnet)
Not working: ASA outside interface (/30 subnet) ---> Switch ---> Internet router LAN (/24 subnet)

Any non-/24 subnet on the ASA outside interface stops pings and network connectivity to it.

 

Just go step by step with me:
you changed the ASA outside interface to be /30;
did you also change the router LAN interface to be /30?
One side is /30 and the other /24, meaning the host of the /24 is the broadcast of the /30.
This, I think, is the issue.

The issue is resolved after changing the ASA's outside subnet mask as well as the IP to a new IP, 193.111.140.113/25.

This has put the ASA IP, the Internet router's LAN IP 193.111.140.10 and the HSRP IP of the Internet router 193.111.140.110 all in a common subnet mask, and hence they can now talk to each other over the switch.
Thank you for the guidance.
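
The three layouts discussed in this thread (the working /24, the broken /30 against a /24 router, and the /25 fix) can be checked on paper before touching the ASA. The script below is an added example, not part of the thread and not Cisco code; it uses only the Python standard library and the addresses posted above. For each pair of interfaces on the shared switch it reports whether each side considers the other on-link, whether either address lands on the other side's network or broadcast address, and whether the masks match; it also computes the /30 the ASA address actually fell into (193.111.140.172/30, broadcast .175) and the longest mask that still covers all three addresses. The router-side masks in the /25 layout are an assumption, since the thread only says all three addresses ended up in a common subnet mask.

```python
"""Added example (not from the thread or from Cisco): check whether two
interfaces on one L2 segment agree about the subnet they share, using the
addresses from this thread.  Standard library only."""
import ipaddress
from typing import Dict, List


def on_link_problems(local: str, peer: str) -> List[str]:
    """Reasons why `local` (e.g. '193.111.140.174/30') and `peer`
    (e.g. '193.111.140.110/24') cannot talk directly over a shared switch.
    An empty list means both sides agree on the segment."""
    a = ipaddress.IPv4Interface(local)
    b = ipaddress.IPv4Interface(peer)
    problems: List[str] = []

    # 1. A host only ARPs for addresses it believes are on-link.  If the peer
    #    falls outside the locally configured prefix, traffic to it goes to the
    #    routing table instead, and a default route whose next hop is that peer
    #    cannot be resolved.
    if b.ip not in a.network:
        problems.append(f"{a.ip}/{a.network.prefixlen} does not see {b.ip} as on-link "
                        f"(its subnet is {a.network})")
    if a.ip not in b.network:
        problems.append(f"{b.ip}/{b.network.prefixlen} does not see {a.ip} as on-link "
                        f"(its subnet is {b.network})")

    # 2. Neither address may be the network or broadcast address of the prefix
    #    the *other* side has configured.
    for x, y in ((a, b), (b, a)):
        if x.ip in (y.network.network_address, y.network.broadcast_address):
            problems.append(f"{x.ip} is the network/broadcast address of {y.network}")

    # 3. Different masks on one segment are a misconfiguration even when both
    #    addresses happen to fall inside the smaller prefix.
    if a.network.prefixlen != b.network.prefixlen:
        problems.append(f"mask mismatch: /{a.network.prefixlen} vs /{b.network.prefixlen}")
    return problems


def configured_network(addr: str) -> str:
    """The subnet an interface address/mask actually selects, e.g. the /30
    containing 193.111.140.174 is 193.111.140.172/30 (broadcast .175)."""
    return str(ipaddress.IPv4Interface(addr).network)


def smallest_common_prefix(addrs: List[str]) -> ipaddress.IPv4Network:
    """Smallest prefix containing every address, i.e. the longest mask that
    could be configured on all of them at once."""
    hosts = [ipaddress.IPv4Network(h) for h in addrs]      # /32 each
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()                                # widen by one bit
    return net


# The three layouts from the thread: ASA outside address, then the router LAN
# and HSRP addresses it must reach.  Router-side masks in the /25 layout are
# an assumption.
SCENARIOS: Dict[str, tuple] = {
    "working /24": ("193.111.140.174/24", ["193.111.140.10/24", "193.111.140.110/24"]),
    "broken /30":  ("193.111.140.174/30", ["193.111.140.10/24", "193.111.140.110/24"]),
    "fixed /25":   ("193.111.140.113/25", ["193.111.140.10/25", "193.111.140.110/25"]),
}


def evaluate(scenarios: Dict[str, tuple] = SCENARIOS) -> Dict[str, List[str]]:
    """Map each scenario name to every problem found against any peer."""
    out: Dict[str, List[str]] = {}
    for name, (asa, peers) in scenarios.items():
        out[name] = [p for peer in peers for p in on_link_problems(asa, peer)]
    return out


if __name__ == "__main__":
    for name, probs in evaluate().items():
        print(f"{name}: {'OK' if not probs else ''}")
        for p in probs:
            print("   -", p)
    print("/30 actually configured:", configured_network("193.111.140.174/30"))
    print("mask covering .174, .10, .110:",
          smallest_common_prefix(["193.111.140.174", "193.111.140.10", "193.111.140.110"]))
    print("mask covering .113, .10, .110:",
          smallest_common_prefix(["193.111.140.113", "193.111.140.10", "193.111.140.110"]))
```

The output makes the fix in the last reply visible: with .174/30 the ASA's subnet is 193.111.140.172/30, so neither .10 nor .110 is on-link and the default route's next hop cannot be resolved, while .113 with .10 and .110 all fit inside 193.111.140.0/25, which is the smallest prefix that could have been used.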

You are so so welcome