02-22-2016 02:07 PM - edited 02-21-2020 08:41 PM
Hi guys,
I have an old ASA5520 running 9.1(6)8 where I have set up Anyconnect SSL split-tunneling access:
show run group-policy
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy lanwan-gp internal
group-policy lanwan-gp attributes
wins-server none
dns-server none
vpn-simultaneous-logins 1
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value lanwan-acl
default-domain none
webvpn
anyconnect profiles value lanwan-profile type user
access-list lanwan-acl line 1 standard permit 172.16.0.0 255.254.0.0 (hitcnt=48) 0xb5bbee32
Now I can ping, RDP, etc from any VPN connected host to any destination within 172.16.0.0 255.254.0.0 range.
Here's my routing info:
show run route
route outside 0.0.0.0 0.0.0.0 69.77.43.1 1
route inside 172.16.0.0 255.254.0.0 172.25.8.1 1
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.25.8.4 255.255.254.0
But I can't ping any connected Anyconnect VPN client from my LAN.
show run ip local pool
ip local pool lanwan-pool 172.25.9.8-172.25.9.15 mask 255.255.254.0
Here's traceroute from LAN:
C:\Users\Florin>tracert -d 172.25.9.10
Tracing route to 172.25.9.10 over a maximum of 30 hops
1 1 ms <1 ms 1 ms 172.17.35.1
2 <1 ms * <1 ms 172.25.8.4
3 * * * Request timed out.
4 * * * Request timed out.
while ASA routing table has the right info:
show route | i 69.77.43.1
S 172.25.9.10 255.255.255.255 [1/0] via 69.77.43.1, outside
Other things to mention:
- there's no other FW between LAN and this ASA
- there's no FW or NAT configured or enabled on this ASA (show run nat and show run access-group both return blank).
- Windows FW on the Anyconnect workstation is disabled (service is running). I also tested and am able to ping my Anyconnect home workstation from another device on the same network.
So I am left with two questions:
1. The first one I don't fully understand: after reading some threads here I added this line: access-list lanwan-acl standard permit 69.77.43.0 255.255.255.0
The ping and tracert output stays the same, but now I can RDP from the VPN-connected home station to any LAN workstation.
What's happening here?
2. How can I make ICMP work after all? I also tried fixup protocol icmp and fixup protocol icmp error, still no luck.
Thanks in advance,
Florin.
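To make the split-tunnel and addressing facts in the post above easy to check, here is an added Python example (my code, not from the thread or from Cisco). It parses the posted lanwan-acl, lanwan-pool and inside-interface lines (reproduced below as a constructed running-config snippet) and answers, for any destination, whether a client under split-tunnel-policy tunnelspecified sends it into the tunnel, and whether the address pool overlaps the inside interface's connected subnet. Only permit entries of the standard ACL are modelled (deny entries are ignored); the function names are my own.

```python
import ipaddress
import re

# Constructed config snippet, copied from the lines posted in the thread (the
# "line 1"/hitcnt decoration of the show output is dropped so it parses like
# a running-config). Not pulled from a live device.
ASA_CONFIG = """\
access-list lanwan-acl standard permit 172.16.0.0 255.254.0.0
ip local pool lanwan-pool 172.25.9.8-172.25.9.15 mask 255.255.254.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.25.8.4 255.255.254.0
route inside 172.16.0.0 255.254.0.0 172.25.8.1 1
"""

ACL_RE = re.compile(r"^access-list (\S+) standard (permit|deny) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
IFADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")


def tunneled_networks(config, acl_name):
    """Permit entries of a standard ACL as ip_network objects (ASA uses dotted masks)."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name and m.group(2) == "permit":
            nets.append(ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))
    return nets


def pool_addresses(config, pool_name):
    """All addresses handed out by an 'ip local pool', plus the network its mask implies."""
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m and m.group(1) == pool_name:
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3))
            addrs = [first + i for i in range(int(last) - int(first) + 1)]
            return addrs, ipaddress.ip_network(f"{first}/{m.group(4)}", strict=False)
    raise ValueError(f"pool {pool_name} not found")


def interface_network(config, nameif):
    """(interface address, connected subnet) of the interface whose nameif matches."""
    current = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = None
        elif s.startswith("nameif "):
            current = s.split()[1]
        else:
            m = IFADDR_RE.match(s)
            if m and current == nameif:
                return (ipaddress.ip_address(m.group(1)),
                        ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    raise ValueError(f"interface {nameif} not found")


def is_tunneled(nets, dst):
    """tunnelspecified: only destinations inside a permitted network are sent into
    the tunnel; everything else leaves through the client's local interface."""
    return any(ipaddress.ip_address(dst) in net for net in nets)


def audit(config, acl_name="lanwan-acl", pool_name="lanwan-pool", inside="inside"):
    """Cross-check the pool against the inside subnet and the split-tunnel list."""
    nets = tunneled_networks(config, acl_name)
    addrs, pool_net = pool_addresses(config, pool_name)
    inside_ip, inside_net = interface_network(config, inside)
    return {
        "pool_within_inside_subnet": all(a in inside_net for a in addrs),
        "pool_mask_equals_inside_subnet": pool_net == inside_net,
        "pool_in_split_tunnel_list": all(is_tunneled(nets, a) for a in addrs),
        "asa_inside_ip_in_split_tunnel_list": is_tunneled(nets, inside_ip),
    }


if __name__ == "__main__":
    nets = tunneled_networks(ASA_CONFIG, "lanwan-acl")
    for dst in ("172.17.35.71", "172.25.8.4", "69.77.43.1"):
        print(dst, "-> tunnel" if is_tunneled(nets, dst) else "-> local interface")
    for key, value in audit(ASA_CONFIG).items():
        print(key, value)
    # Effect of the extra ACL line mentioned in question 1 of the post.
    extra = ASA_CONFIG + "access-list lanwan-acl standard permit 69.77.43.0 255.255.255.0\n"
    print("69.77.43.1 after adding the /24:",
          is_tunneled(tunneled_networks(extra, "lanwan-acl"), "69.77.43.1"))
```

Run against the posted config, the LAN host 172.17.35.71 is tunneled, the ASA's own inside address and the ISP gateway are not (until the /24 from question 1 is added), and the pool 172.25.9.8-15 sits inside the same 172.25.8.0/23 as the inside interface but outside the split-tunnel list. The script only reports what the ACL covers; it does not by itself explain the RDP observation in question 1.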
02-23-2016 07:44 AM
Hi Florin,
Are you using any NAT statements for this?
Can you share the
Also, when you ping the Anyconnect clients from the LAN, do you see the requests hitting the ASA?
Regards,
Aditya
02-24-2016 06:33 AM
As mentioned, both show nat and show run nat return blank.
A capture on the ASA inside interface gets the ICMP requests from the VPN connected host towards lan.
02-26-2016 05:16 AM
Hello,
Do you have a reverse route for 172.25.9.15 mask 255.255.254.0 (the client pool network)
on the inside network device? This route should point to the inside interface of the ASA.
Share the packet-tracer output from the ASA:
packet-tracer input inside icmp 172.25.8.10 8 0 172.25.9.15 detailed
share the trace from inside router to the 172.25.9.15 (from internal lan)
#Rohan
02-27-2016 09:15 AM
When Anyconnect client is connected a route shows up:
show route outside
S 172.25.9.9 255.255.255.255 [1/0] via 69.77.43.1, outside
and obviously the connected route
C 172.25.8.0 255.255.254.0 is directly connected, inside
Now I ran a trace from my LAN laptop to the Anyconnect IP
packet-tracer input inside icmp 172.17.35.71 8 0 172.25.9.9 detailed (attached)
And let's review once more the packet path:
C:\Users\Florin>tracert -d 172.25.9.10
Tracing route to 172.25.9.10 over a maximum of 30 hops
1 1 ms <1 ms 1 ms 172.17.35.1
2 <1 ms * <1 ms 172.25.8.4
3 * * * Request timed out.
4 * * * Request timed out.
02-27-2016 10:08 AM
Packet flow on the ASA looks good and reverse traffic seems to be coming to the ASA.
Can you confirm this by debugging the ICMP request and reply on the ASA?
Run "debug icmp trace",
ping from the connected VPN client to the destination internal LAN and share the output.
We need to check if the internal device is responding and if the packet makes it back to the ASA.
share the output of below commands
sh run policy-map
sh service-policy
sh run all sysopt
#Rohan
02-27-2016 11:35 AM
02-27-2016 11:59 AM
Hi Florin,
All the output is pretty clear to me.
From the debug you can see the traffic is making it up to the ASA:
"ICMP echo request from inside:172.17.35.71 to outside:172.25.9.9 ID=22 seq=14024 len=32"
The ASA might be forwarding it out or might be dropping it for some unknown reason.
Can you take a Wireshark capture on the VPN client to see if the ICMP request is reaching the client? I just want to isolate the issue to the firewall so that we can focus on the ASA rather than the silly Windows FW ;)
Does RDP to the VPN client work for you from the inside LAN?
Run logging on the ASA, then ping from inside to the VPN client and check the logs on the firewall; if the ASA drops the packet it will show up in the log.
logging enable
logging buffered debugging
show logging | include icmp
#Rohan
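Once the buffer has been filled as the post above describes, the ICMP lines can be pulled apart instead of read by eye. The following is an added Python example, not Rohan's or Florin's code and not the thread's attachment. The sample lines are constructed for this example, shaped after ASA message IDs 302020/302021 (ICMP connection built/torn down) and 106014 (inbound ICMP denied) and using the thread's addresses; the verdict logic is my own: a built connection means the ASA forwarded the echo request, a deny means the ASA dropped it, and neither means the ASA logged nothing for that flow at the configured level.

```python
import re
from collections import Counter

# Constructed sample of "show logging | include icmp" output. The message
# shapes follow ASA IDs 302020/302021/106014; the lines are NOT real device
# output from the thread. 172.17.35.71 is the LAN host, 172.25.9.9 the
# AnyConnect client; 198.51.100.7 is a made-up Internet host.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 172.25.9.9/0 gaddr 172.17.35.71/22 laddr 172.17.35.71/22 type 8 code 0
%ASA-6-302021: Teardown ICMP connection for faddr 172.25.9.9/0 gaddr 172.17.35.71/22 laddr 172.17.35.71/22 type 8 code 0
%ASA-4-106014: Deny inbound icmp src outside:198.51.100.7 dst inside:172.17.35.71 (type 8, code 0)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.25.9.9/0 gaddr 172.17.35.71/23 laddr 172.17.35.71/23 type 8 code 0
"""

# 302020 = Built, 302021 = Teardown. faddr is the host on the lower-security
# interface, laddr the host on the higher-security one.
CONN_RE = re.compile(
    r"%ASA-\d-(302020|302021): (?:Built (?:inbound|outbound)|Teardown) ICMP connection "
    r"for faddr ([\d.]+)/\d+ gaddr ([\d.]+)/\d+ laddr ([\d.]+)/\d+"
)
# 106014 = ICMP denied because no rule permitted it.
DENY_RE = re.compile(
    r"%ASA-\d-106014: Deny inbound icmp src \w+:([\d.]+) dst \w+:([\d.]+) "
    r"\(type (\d+), code (\d+)\)"
)


def icmp_events(log_text):
    """Yield (kind, endpoint_a, endpoint_b) for every ICMP-related syslog line."""
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            kind = "built" if m.group(1) == "302020" else "teardown"
            yield kind, m.group(4), m.group(2)   # laddr, faddr
            continue
        m = DENY_RE.search(line)
        if m:
            yield "denied", m.group(1), m.group(2)   # src, dst


def icmp_verdict(log_text, target):
    """Count what the ASA did with ICMP flows involving `target` and summarise it."""
    counts = Counter()
    for kind, a, b in icmp_events(log_text):
        if target in (a, b):
            counts[kind] += 1
    if counts["denied"]:
        verdict = "dropped by the ASA"
    elif counts["built"]:
        verdict = "forwarded by the ASA"
    else:
        verdict = "not seen by the ASA"
    return {
        "built": counts["built"],
        "teardown": counts["teardown"],
        "denied": counts["denied"],
        "verdict": verdict,
    }


if __name__ == "__main__":
    for host in ("172.25.9.9", "198.51.100.7", "10.0.0.1"):
        print(host, icmp_verdict(SAMPLE_LOG, host))
```

For the VPN client address the sample yields two built connections and no denies, i.e. the ASA forwarded the echo requests, which is the point where the search moves past the ASA to the client itself, as it did in this thread.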
02-27-2016 08:44 PM
The Wireshark capture looks pretty much like the packet-tracer capture, I mean the ICMP echo request from the LAN reaches the Anyconnect client and then it's being dropped by the Windows Firewall for what I care.
RDP worked fine, though. Laptop uptime was close to 3 weeks, so I rebooted it.
I checked again after the reboot that the FW was off, but when doing the tests, what do you know: ICMP from the LAN to the client works too.
Thanks for the support Rohan!