Cisco Anyconnect: Client connected, will not pass traffic

HighwayC0
Level 1

We have an issue where some of our clients cannot access network resources (i.e. network drives, applications) while connected to the AnyConnect client.

This issue occurs randomly depending on the client's location, but predominantly at hotels (Marriott, Fairmont, Sheraton). My impression is that the hotel is filtering or blocking the VPN traffic but not the initial connection attempt...

Has anyone seen or experienced a similar issue?

We are using an ASA 5525-X with AnyConnect Secure Mobility Client version 3.1.05187

Is there anything that can be done on our end to make the VPN client more “friendly” / useable when our associates are using hotel Wi-Fi?


Many thanks in advance for your insight and assistance

1 Reply

srihari4cisco
Level 1

Hello HighwayC0,

Could you please tell me which protocol you enabled for the AnyConnect VPN?

I have seen similar issues with IKEv2 implementations, where certain public places like hotels block ESP packets. This is technically due to the fact that most hotel infrastructure firewalls do not support ESP packet inspection, which eventually blocks ESP packets and cuts off data connectivity. Even though the AnyConnect VPN connects fine, data connectivity will still have issues.


One way to mitigate this is to enable NAT traversal in the AnyConnect firewall as shown below. But there is a fair chance that the hotels block UDP 4500 traffic.

crypto isakmp nat-traversal


The only permanent fix for such issues is to shift the AnyConnect solution from IKEv2 to SSL, but this again depends on an organization's security policies.


Cheers,

Sri
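The three situations Sri describes (raw ESP dropped while IKE completes, UDP 4500 dropped so NAT-T cannot help, and the SSL fallback) can be told apart from a `tcpdump -nn` capture taken on the client while the tunnel is "up" but a network drive will not open. The script below is an added example for this thread, not Cisco or AnyConnect code: it parses tcpdump lines, counts traffic by tunnel component and direction relative to the headend, and names the failure mode. The client address 10.1.1.5, the ASA outside address 203.0.113.10 and all capture lines are constructed placeholders.

```python
"""Classify a client-side tcpdump capture of an AnyConnect IKEv2 session.
Constructed example for this thread, not Cisco or AnyConnect code."""
import re
from collections import Counter

# tcpdump -nn line shape (IPv4 only): "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+(?P<src>[^\s:]+)\s+>\s+(?P<dst>[^\s:]+):\s+(?P<rest>.*)$"
)

HEADEND = "203.0.113.10"   # assumed ASA outside address (placeholder, not from the thread)


def split_endpoint(endpoint):
    """'10.1.1.5.500' -> ('10.1.1.5', 500); bare '10.1.1.5' (ESP carries no port) -> ('10.1.1.5', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def classify(rest, sport, dport):
    """Map tcpdump's payload description to the tunnel component it belongs to."""
    if rest.startswith("ESP("):
        return "esp"            # raw ESP, IP protocol 50: what hotel firewalls tend to drop
    if "UDP-encap: ESP" in rest:
        return "esp-udp4500"    # NAT-T encapsulated ESP (crypto isakmp nat-traversal)
    if "isakmp" in rest:
        return "ike-4500" if 4500 in (sport, dport) else "ike-500"
    if 443 in (sport, dport):
        return "ssl-443"        # AnyConnect SSL (TLS) / DTLS session
    return "other"


def parse_capture(lines, headend=HEADEND):
    """Count packets by (kind, direction) relative to the VPN headend."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        if dst == headend:
            direction = "out"
        elif src == headend:
            direction = "in"
        else:
            continue            # not tunnel traffic
        counts[(classify(m["rest"], sport, dport), direction)] += 1
    return counts


def diagnose(counts):
    """Name the failure mode, if any, that the capture shows."""
    ike_in = counts[("ike-500", "in")] + counts[("ike-4500", "in")]
    if ike_in == 0:
        if counts[("ssl-443", "in")] and counts[("ssl-443", "out")]:
            return "ssl-tunnel"         # already on SSL, no IKE to diagnose
        return "no-ike-response"        # control plane never came up
    if counts[("esp", "out")] and not counts[("esp", "in")]:
        return "esp-blocked"            # tunnel up, protocol 50 filtered on the path
    out4500 = counts[("ike-4500", "out")] + counts[("esp-udp4500", "out")]
    in4500 = counts[("ike-4500", "in")] + counts[("esp-udp4500", "in")]
    if out4500 and not in4500:
        return "udp4500-blocked"        # NAT-T will not help here either
    if counts[("esp", "in")] or counts[("esp-udp4500", "in")]:
        return "data-plane-ok"
    return "no-data-seen"               # nothing encrypted has left the client yet


# Constructed captures (client 10.1.1.5 on hotel Wi-Fi, ASA at 203.0.113.10).
CAPTURE_ESP_BLOCKED = [
    "12:00:01.000000 IP 10.1.1.5.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]",
    "12:00:01.041000 IP 203.0.113.10.500 > 10.1.1.5.500: isakmp: parent_sa ikev2_init[R]",
    "12:00:01.080000 IP 10.1.1.5.500 > 203.0.113.10.500: isakmp: child_sa  ikev2_auth[I]",
    "12:00:01.130000 IP 203.0.113.10.500 > 10.1.1.5.500: isakmp: child_sa  ikev2_auth[R]",
    "12:00:02.000000 IP 10.1.1.5 > 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x1), length 132",
    "12:00:03.000000 IP 10.1.1.5 > 203.0.113.10: ESP(spi=0x1a2b3c4d,seq=0x2), length 132",
    "12:00:03.500000 IP 10.1.1.5.51000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0",
]
CAPTURE_UDP4500_BLOCKED = [
    "12:10:01.000000 IP 10.1.1.5.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]",
    "12:10:01.040000 IP 203.0.113.10.500 > 10.1.1.5.500: isakmp: parent_sa ikev2_init[R]",
    "12:10:01.080000 IP 10.1.1.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
    "12:10:03.080000 IP 10.1.1.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
]
CAPTURE_OK = [
    "12:20:01.000000 IP 10.1.1.5.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[I]",
    "12:20:01.040000 IP 203.0.113.10.500 > 10.1.1.5.500: isakmp: parent_sa ikev2_init[R]",
    "12:20:01.080000 IP 10.1.1.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]",
    "12:20:01.130000 IP 203.0.113.10.4500 > 10.1.1.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]",
    "12:20:02.000000 IP 10.1.1.5.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 140",
    "12:20:02.020000 IP 203.0.113.10.4500 > 10.1.1.5.4500: UDP-encap: ESP(spi=0x5e6f7081,seq=0x1), length 140",
]

if __name__ == "__main__":
    for name, cap in [("esp", CAPTURE_ESP_BLOCKED), ("udp4500", CAPTURE_UDP4500_BLOCKED), ("ok", CAPTURE_OK)]:
        print(name, "->", diagnose(parse_capture(cap)))
```

To use it on a real client, capture with `tcpdump -nn -i <wifi-interface> host <headend>` while trying to open a network drive, then pass the lines to `parse_capture`. Outbound `ESP(` packets with nothing coming back is the ESP-inspection case from the reply; outbound UDP 4500 with nothing back means NAT-T is filtered on that network too, which is exactly where the SSL fallback becomes the only option. The parser is IPv4-only and keys on tcpdump's default payload labels, so adjust `classify` if your tcpdump build prints them differently.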