
Cisco Anyconnect is well connected but cannot access company's mail

dschoi
Level 1

Hi all, I have been struggling with this problem for a week but couldn't find any solution.


- Our company is using our own email server (http://gw.----.com) that can only be loaded from our workplace. We are using VPN (Cisco Anyconnect) to use the email server when we are not in the office. No one in my office, except for me, is having trouble accessing email using VPN. We used the same software, same Wi-Fi and same OTP device, but only my computer can't access the email.

- Our company doesn't have an IT department and no one has any idea how the ASA configuration was set up. We don't even have our admin account, which doesn't make sense to me. No one knows about Cisco :(

- Once I connect to the VPN using the OTP device, there is no error. Internet works fine and the Cisco Anyconnect settings are the same as on my colleagues' laptops (IP, DNS etc.). However, I can't access our email domain, which is the whole reason why I am using VPN. Google Chrome, IE, Firefox and Edge are saying "ERR_CONNECTION_TIMED_OUT", as if I weren't using VPN. I tried this on the desktop in my home but got the same issue.

- I am using Cisco Anyconnect Secure Mobility Client 4.2.01035 on Windows 10. I have tried different versions of the software and another computer.

 

Please reply. Any assumption is fine.

 

Thank you for your time and consideration.

Hi,
1 - Try to ping the mail server.
2 - If ping fails, the issue is with connectivity and VPN routing. Check the VPN routing table inside the VPN client info.
Try traceroute to find the dropping point to get an idea about the network issue.
If ping succeeds, DNS can be an issue. Check for the correct DNS setting in the VPN network interface.
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hi Kausn, thank you for the reply,

Ping succeeds. It succeeds when VPN is off.
Seems like the DNS setting is correct. I copied my colleague's setting.

Is it pinging when VPN is ON?
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Yes it pings fine when VPN is on.

-When you ping the mail server are you resolving the FQDN to an IP or are you pinging the IP directly?

-You would benefit from doing a packet capture on the ASA as well to see if traffic is being received back from the mail server or if the ASA/mail server is blocking the ports.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

-You can test the same by telnetting to the mail server ports to see if they are open: "telnet x.x.x.x portnumber". You should see it say "connected to".

 

-Have you tried walking into the office and plugging into the LAN to see if you can get on your mail? Can other people reach email when on VPN?

Thank you for the reply, Roy.

- I just pinged it from Windows cmd. It's probably pinging the IP directly.
- Can I check the ASA even if I am not an admin?
- Other people can reach email using VPN with any wi-fi. Also, when I am in the office with LAN, mail is reachable as well.

-I found a weird thing. When I am using VPN, our network share folder is working properly, which is not supposed to work without LAN. I guess this is saying VPN is working well.
-I have checked with my colleague that DNS and IP settings are matching correctly. It only happens to me. Is there any possibility of a problem with the mail server or my laptop's firewall settings?

Thanks.

If you do not have an admin and nobody knows how to get onto the ASA, you can do a password recovery. I would caution against doing this if you are not familiar with backup and recovery procedures. Before doing the password recovery, I would suggest making a backup of the configurations on the device and placing them on an external drive in the event a mistake is made. You can follow the password recovery procedure here:

https://community.cisco.com/t5/security-documents/asa-password-recovery/ta-p/3126046

 

When on AnyConnect you will have access to anything that is on the LAN as long as it's configured for access on the destination device as well as the ASA. So you should be able to reach your network share; however, it's odd that you can still ping your mail server but can't access it even though the network share is accessible.

Without doing a packet tracer on the ASA or a Wireshark capture on the mail server, I couldn't really tell you yet if it's a problem with the mail server, ASA or your computer.

Depending on how your ASA and AnyConnect are set up, you might be able to install AnyConnect on another computer and test if it's your computer. DNS and IP settings are pushed by the ASA headend, so if you are connecting to the ASA you will have the same settings as your peers, just a different IP address.

Please let me know what you have under your secure/nonsecure routes; these are the subnets that are going over your VPN tunnel. You can find this under settings when you right-click the AnyConnect icon in the lower right-hand corner of Windows.

Screen Shot 2018-12-18 at 10.37.17 AM.png

 

Also, what is the IP address that you are pinging for your mail server? All of these addresses should be private IP addresses, and you can share these if they are in this range:

10.0.0.0 – 10.255.255.255

172.16.0.0 – 172.31.255.255

192.168.0.0 – 192.168.255.255

Do not share this information if the IP address is outside these ranges.

Also, under the preferences tab, what do you have under client IPv4 address, DNS, and tunnel mode IPv4?

CesarLopez
Level 1

I had the same problem with a few remote laptops. My solution was to reconfigure the Wi-Fi connection to only use IPv4 and bingo! IPv6 was never configured in these old routers, and new Windows automatically starts IPv6, creating a routing issue.

I hope this answer helps others. I spent a few hours looking for a solution: updates, reinstalls, etc.

 

Cesar Lopez

Best Networks Inc.
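
The port test suggested earlier in the thread ("telnet x.x.x.x portnumber") and the IPv6 finding in the last reply can be combined into one check that resolves the mail server's name and attempts a TCP handshake to every returned address, reporting the result per address family. This is an added example, not code from any poster; the host name `mail.example.internal`, port 443 and both addresses are constructed placeholders.

```python
import socket
FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve(host, port):
    """Addresses for host, in the order the OS resolver returns them."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [(fam, sa) for fam, _, _, _, sa in infos if fam in FAMILIES]

def tcp_connect(family, sockaddr, timeout=3.0):
    """True if a TCP handshake completes (what "telnet host port" tests)."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return True
        except OSError:
            return False

def diagnose(host, port, resolve=resolve, connect=tcp_connect):
    """Probe every resolved address; summarise reachability per family."""
    try:
        candidates = resolve(host, port)
    except socket.gaierror:
        candidates = []
    results = [(FAMILIES[f], sa[0], connect(f, sa)) for f, sa in candidates]
    up = {fam for fam, _, ok in results if ok}
    down = {fam for fam, _, ok in results if not ok}
    if not results:
        verdict = "name does not resolve: check the DNS servers pushed by the VPN"
    elif not down:
        verdict = "port reachable on every address: look at the application layer"
    elif not up:
        verdict = "port unreachable on every address: check tunnel routes and filtering"
    elif up == {"IPv4"} and down == {"IPv6"}:
        verdict = "IPv6 fails, IPv4 works: clients that prefer IPv6 may time out"
    else:
        verdict = "mixed results: compare the failing addresses with the tunnel routes"
    return {"results": results, "verdict": verdict}

# Constructed sample data (not from the thread): the name has an AAAA and an
# A record, and only the IPv4 address answers through the tunnel.
def sample_resolve(host, port):
    return [(socket.AF_INET6, ("fd00::25", port, 0, 0)),
            (socket.AF_INET, ("10.0.0.25", port))]
def sample_connect(family, sockaddr):
    return family == socket.AF_INET

if __name__ == "__main__":
    print(diagnose("mail.example.internal", 443, sample_resolve, sample_connect))
```

Calling `diagnose(host, port)` without the last two arguments uses the real resolver and real sockets, which is how it would be run on the affected laptop with the VPN connected.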