cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1921
Views
6
Helpful
41
Replies

Cisco FMC RA VPN Issue

Dipak Masurkar
Level 1
Level 1

Cisco FMC 1600 after configuring RA vpn not able to connect, but meanwhile trying S2S vpn it is working properly.

1: 13:20:11.748359 1.1.1.1.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA

41 Replies 41

 

Above is nat entry on edge router.

Site to Site vpn is working with this nat rule but not anyconnect

Do you have any access list applied to the router interfaces?

No.

DipakMasurkar_0-1687948951467.png

 

I know it working from Router' 

If you can not use PAT to NATing 4443 to 443 

Then 

Disable http in router 

Disable https in router 

Use public IP other than public IP you assign to router interface.

The issue is router assume this http is direct to it and drop packet.

Did you apply NAT exception for this traffic flow? could you please share your sanitized configs for review? also, take a look please at this post of mine where it shows all the steps you need to configure the RA VPN on FMC, you can ignore ISE steps if you don't use it:

https://bluenetsec.com/fmc-anyconnect-ssl-vpn/

 

Have checked this settings and its already configured in our setup.

Could you please share the sanitized output of the command "show asp socket table" on the firewall?

> show asp table socket


Protocol Socket State Local Address Foreign Address
SSL 00000518 LISTEN 10.10.10.5:443 0.0.0.0:*
DTLS 000402b8 LISTEN 10.10.10.5:443 0.0.0.0:*
>

Could you please share the command "telnet 10.10.10.5 443" from the router for review?

DipakMasurkar_0-1687949024893.png

Its working from router side.

There must be something on the router that is blocking this traffic, or, something on the ISP router that is blocking it. In this case I would try to reach out to the ISP to double check with them. Another thing you could do in this case to trying to check if the traffic destined to port 443 is hitting your router would be to configure an access list with a permit statment for the traffic destined to port 443 with log enabled, and another rule to permit anything else and then apply it in inbound on the router's external interface. Then try to initiate some traffic from the internet towards your public IP on port 443 and see if you see any logs or hits on the access list. If not, it must be then an issue on the ISP side.