08-27-2012 06:04 PM
I have a working "tunnelall" group policy for anyconnect vpn working on my production ASA just fine. I'm working on new policy on a lab ASA connected to a different public net. That's working fine for the most part (implementing DAP is the goal,) but I've tried to set up another tunnelall hairpin on this ASA and no matter what I try I can't get it working. I can see the 0.0.0.0 route set in the anyconnect client, but the traffic goes nowhere. Here's the relevant code:
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 173.xx.yy.61 255.255.255.240
same-security-traffic permit intra-interface
ip local pool TestVPN 192.168.102.240-192.168.102.254 mask 255.255.255.0
global (outside) 1 interface
nat (outside) 1 192.168.102.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 173.xx.yy.62 1
route outside 192.168.102.0 255.255.255.0 173.xx.yy.62 1
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2 regex "Intel Mac OS X"
 svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3 regex "Linux"
 svc image disk0:/anyconnect-linux-64-2.5.2014-k9.pkg 4 regex "Linux"
 svc enable
group-policy TunnelAll internal
group-policy TunnelAll attributes
 dns-server value 10.1.5.10
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 default-domain value xxx.yyy
 address-pools value TestVPN
group-policy DfltGrpPolicy attributes
 dns-server value 10.1.5.10
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_access_SPLIT
 default-domain value xxx.yyy
 address-pools value TestVPN
I've eliminated the inside-related code as that is all working fine. I can reach hosts on my 10 network with no issue. Shouldn't the ASA simply NAT and turn the inbound VPN packets around for internet destinations?
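An added checker, not from the thread or from Cisco, that reads a pre-8.3 style ASA config (the global/nat syntax the post uses) and reports whether the pieces a tunnelall hairpin needs are present for a given group policy: intra-interface permit, the tunnelall split policy, the policy's address pool falling inside a nat statement on the hairpin interface, and a matching global for that nat id. The sample config is a constructed excerpt of the lines above.

```python
import ipaddress
import re

# Constructed sample: the hairpin-relevant lines from the posted config,
# indented the way the ASA prints them.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool TestVPN 192.168.102.240-192.168.102.254 mask 255.255.255.0
global (outside) 1 interface
nat (outside) 1 192.168.102.0 255.255.255.0
group-policy TunnelAll internal
group-policy TunnelAll attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelall
 address-pools value TestVPN
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 address-pools value TestVPN
"""


def policy_attributes(lines, policy):
    """Collect the indented lines under 'group-policy <policy> attributes'."""
    attrs, inside = [], False
    for line in lines:
        if not line.startswith(" "):
            inside = line == f"group-policy {policy} attributes"
        elif inside:
            attrs.append(line.strip())
    return attrs


def check_hairpin(config, policy, nat_if="outside"):
    """Checklist for tunnelall clients of <policy> reaching the internet
    back out <nat_if>. Returns {check_name: bool}; hypothetical helper."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    attrs = policy_attributes(lines, policy)
    result = {"intra_interface": "same-security-traffic permit intra-interface" in lines,
              "tunnelall": "split-tunnel-policy tunnelall" in attrs,
              "pool_in_nat": False, "global_for_nat": False}
    pool = next((a.split()[-1] for a in attrs if a.startswith("address-pools value")), None)
    pool_re = re.compile(rf"ip local pool {re.escape(pool)} (\S+)-(\S+) mask (\S+)") if pool else None
    m = next((pool_re.match(l) for l in lines if pool_re and pool_re.match(l)), None)
    if m:
        first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        for n in lines:  # nat (<if>) <id> <net> <mask>: does one cover the whole pool?
            nm = re.match(rf"nat \({nat_if}\) (\d+) (\S+) (\S+)", n)
            if nm:
                net = ipaddress.ip_network(f"{nm[2]}/{nm[3]}", strict=False)
                if first in net and last in net:
                    result["pool_in_nat"] = True
                    result["global_for_nat"] = f"global ({nat_if}) {nm[1]} interface" in lines
    return result
```

Running it against the constructed sample passes every check for TunnelAll, which is consistent with the thread's later finding that the problem lies on the client side rather than in the ASA NAT config.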
08-27-2012 10:33 PM
Config looks fine to me.
Are you able to ping the internet? 4.2.2.2?
Or only dns resolution doesn't work?
08-27-2012 10:49 PM
No, I can't reach any hosts beyond my internal nets. DNS is fine since an internal resolver is used. Tcpdump confirms all traffic is targeting the tunnel.
08-28-2012 01:35 AM
After you are connected to the VPN, pls check which tunnel-group and group-policy you are connected to.
08-28-2012 08:34 AM
Yes, I've checked this and it is using the TunnelAll group policy. I can flip this on or off using an LDAP attribute map for "member-of" an AD group. That is working properly and if they are not in the group they get the default policy.
08-27-2012 11:41 PM
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_access_SPLIT
Have you tried using "split-tunnel-policy tunnelall"? With your config you tell your ASA to only send the specified traffic through the tunnel. What's in the VPN_access_SPLIT ACL? If it's an "any" it probably should work. But it's not very elegant to configure it that way.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 08:37 AM
Actually you are looking at the default policy, which is not used in this case. Above that you'll see the TunnelAll policy that is used in this case based on the user being a member of an AD group (attribute-map), and I've verified when this occurs it is applying the TunnelAll policy. If I pull the user out of the AD group the default policy is applied, the split tunnel is in effect and local routing is used for internet.
08-28-2012 02:00 PM
Actually you are looking at the default policy, which is not used in this case
Now I see it. It's hard to read without any indentation ...
Have you checked the routing table of the client to see if it reflects the settings from the AnyConnect client?
08-28-2012 02:06 PM
Sorry for the lack of indentation...
No, I haven't done any routing adjustments on the client. AnyConnect creates a low-metric 0.0.0.0 route on the virtual interface.
08-28-2012 02:10 PM
No, I haven't done any routing adjustments on the client. AnyConnect creates a low-metric 0.0.0.0 route on the virtual interface
That's what I mean, is that routing-adjustment by AnyConnect really in place when your client connects?
08-28-2012 02:19 PM
I assume it is, since the windows routing table indicates it is:
===========================================================================
Interface List
19...00 05 9a 3c 7a 00 ......Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
17...68 a3 c4 4a 59 ff ......Bluetooth Device (Personal Area Network)
14...a0 88 b4 48 8d 10 ......Intel(R) Centrino(R) Advanced-N 6205
12...5c 26 0a 58 1a 7f ......Intel(R) 82579LM Gigabit Network Connection
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
11...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.8.5.2 10.8.5.49 25
0.0.0.0 0.0.0.0 192.168.102.1 192.168.102.240 2
.
.
Note also that I've tested from two different Macs running the same version of AnyConnect and I fail in the same way. The routing table looks good there too.
08-28-2012 02:23 PM
Ok, then on to the next test: when you send a massive amount of pings to the internet, which counters increase in the AnyConnect statistics? Do any counters increase on the ASA?
08-28-2012 03:07 PM
Okay, you're on to something now. I pinged the internet with 1K packets and could see the AnyConnect sent byte count increasing in 1K clicks, while the ASA bit rate and input byte counts on outside remained almost flat. I then pinged an internal host with the same size packet and could see the ASA bit rate and input packet count increasing as I would have expected.
So it seems that while AnyConnect shows a secured route of 0.0.0.0/0.0.0.0, it's not forwarding the internet traffic across the VPN interface? This is happening on three different clients, one Windows and two Macs.
08-28-2012 02:10 PM
Please try "same-security-traffic permit intra-interface" in ASA...
"A good rating is as good or even better than a thank you, remember to rate the helpful posts "
08-28-2012 02:12 PM
Sorry try "same-security-traffic permit inter-interface" in ASA..