Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1020
Views
0
Helpful
3
Replies

Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

Adam Hudson
Level 1
Level 1

‎08-22-2016 10:19 AM - edited ‎02-21-2020 08:56 PM

I recently switch from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the vpn then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW. packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address> and packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>. I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see: Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584
.

I'm not sure why it's not pinging out right. Any help is appreciated.

Labels:
0 Helpful
3 Replies 3

Adam Hudson
Level 1
Level 1

‎08-22-2016 12:29 PM

If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.

0 Helpful

Adam Hudson
Level 1
Level 1
In response to Adam Hudson

‎08-22-2016 01:51 PM

Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.

0 Helpful

Adam Hudson
Level 1
Level 1
In response to Adam Hudson

‎08-23-2016 01:56 PM

Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel acl.

0 Helpful
Customers Also Viewed These Support Documents