05-11-2021 07:30 AM
Hi,
I'm currently having an issue with a VPN profile in our ASA 5545-X. We have several AnyConnect profiles in which machines are reachable from VPN to the inside network and vice versa (ping from LAN to VPN-connected PCs works). However, there's a profile for most employees where machines are reachable from VPN to LAN, but it doesn't work the other way around (ping from LAN-connected PCs to VPN-connected PCs times out).
I've already checked NAT statements, ACLs and the VPN filter, but the issue still persists, and we need bidirectional connections between VPN and LAN because the customer has a monitoring app that works through VPN and it has to be deployed and fully working ASAP.
What else could be happening? I have to mention that I also compared the NAT statements and VPN filter with a VPN profile that has fully working bidirectional communication, and it seems to be configured OK.
05-11-2021 07:33 AM
When you try to ping, what do you see in the ASDM real-time logs? Did the ACL allow or deny it?
05-11-2021 07:41 AM
Without seeing your configuration we can currently only assume your configuration is correct.
Run packet-tracer from an inside IP address to a VPN client IP address and provide the output. This should confirm whether NAT and the VPN filter are working correctly.
Also double check that there isn't a firewall client on the VPN client computers blocking the ping requests.
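As an added illustration (constructed for this thread, not configuration from any poster), here is an ASA fragment covering the three things the reply above asks to verify: an identity (NAT-exempt) rule for LAN-to-VPN traffic, a vpn-filter ACL written with the direction semantics the ASA actually uses, and the packet-tracer check. The object names, group-policy name, addresses and username are assumptions.

```cisco
! Constructed example; object names, group-policy name and addresses are assumptions.
object network LAN_NET
 subnet 10.10.10.0 255.255.255.0
object network VPN_POOL
 subnet 10.20.20.0 255.255.255.0
!
! Identity (NAT-exempt) rule: LAN -> VPN pool must not be translated, otherwise
! packets initiated from inside never reach the client's pool address untouched.
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! A vpn-filter ACL is always evaluated with the VPN client as the SOURCE, in
! both directions. To allow LAN hosts to ping or RDP to VPN clients, the entry
! is still written "VPN_POOL -> LAN_NET", and for TCP the client's listening
! port is the SOURCE port (eq 3389 on the VPN side, not the LAN side).
access-list EMPLOYEES_VPN_FILTER extended permit icmp object VPN_POOL object LAN_NET
access-list EMPLOYEES_VPN_FILTER extended permit tcp object VPN_POOL eq 3389 object LAN_NET
!
group-policy EMPLOYEES attributes
 vpn-filter value EMPLOYEES_VPN_FILTER
!
! Simulate an ICMP echo (type 8, code 0) from a LAN host to a connected
! client's pool address; read the NAT and VPN phases and the final
! "Action: allow/drop" line with its Drop-reason.
packet-tracer input inside icmp 10.10.10.5 8 0 10.20.20.7 detailed
!
! If packet-tracer allows but the real ping still times out, confirm the
! client's session is actually up (not idle-timed-out) before blaming the ASA.
show vpn-sessiondb anyconnect filter name jdoe
```

The vpn-filter source/port convention is the usual reason a filter that "looks the same" as a working profile's still blocks LAN-initiated traffic.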
05-11-2021 06:33 PM
I think the session is idle and removed, so the VPN PC cannot be pinged from the LAN PC; here the LAN PC sends a packet to the ASA, but the ASA doesn't have an active SSL session to the VPN PC, and hence the ping times out.
You need a keepalive on the VPN PC to keep the session always alive for bidirectional connectivity.