1548 Views, 6 Helpful, 41 Replies

Cisco FMC RA VPN Issue

Dipak Masurkar
Level 1

Cisco FMC 1600: after configuring RA VPN I am not able to connect, but meanwhile S2S VPN is working properly.

1: 13:20:11.748359 1.1.1.1.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA
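The packet-tracer output above is read phase by phase: the flow passes CAPTURE, the first ACCESS-LIST, ROUTE-LOOKUP and NAT, and is then discarded in phase 5 by an ACCESS-LIST phase whose config is "Implicit Rule", which the summary reports as acl-drop. The following parser is an added example, not code from the thread or from Cisco; it takes a constructed, abridged copy of that output (phases 1 and 3 left out) and returns the first DROP phase, the rule that fired and the stated drop reason, so the same check can be run over any saved packet-tracer transcript.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the packet-tracer output posted in the thread:
# allowed by the first ACCESS-LIST and NAT phases, dropped by the implicit deny in
# phase 5. Phases 1 and 3 are omitted to keep the sample short.
SAMPLE = """\
1: 13:20:11.748359 1.1.1.1.648 > 10.10.10.5.137: udp 50
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA
"""

@dataclass
class Phase:
    number: int
    ptype: str
    subtype: str
    result: str
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"

KEY_VALUE = re.compile(r"^([A-Za-z-]+):\s*(.*)$")
HEADER_KEYS = ("Phase", "Type", "Subtype", "Result")

def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final Result summary."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # The first block begins with the echoed packet header ("1: 13:20:11 ..."); skip it.
        if lines and not lines[0].startswith(("Phase:", "Result:")):
            lines = lines[1:]
        if not lines:
            continue
        if lines[0].startswith("Result:"):
            for line in lines[1:]:
                m = KEY_VALUE.match(line)
                if m:
                    summary[m.group(1)] = m.group(2)
            continue
        fields, section = {}, None
        for line in lines:
            m = KEY_VALUE.match(line)
            if m and m.group(1) in HEADER_KEYS:
                fields[m.group(1)] = m.group(2)
                section = None
            elif line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section and line.strip():
                fields.setdefault(section, []).append(line.strip())
        phases.append(Phase(int(fields["Phase"]), fields["Type"], fields.get("Subtype", ""),
                            fields["Result"], fields.get("config", []), fields.get("info", [])))
    return phases, summary

def diagnose(text):
    """Return the phase that dropped the flow, the rule that fired and the drop reason."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    reason = summary.get("Drop-reason", "")
    return {
        "phases": len(phases),
        "action": summary.get("Action"),
        "drop_phase": drop.number if drop else None,
        "drop_type": drop.ptype if drop else None,
        "drop_rule": drop.config[0] if drop and drop.config else None,
        "drop_reason": reason.split(", Drop-location")[0] or None,
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on the abridged sample reports drop_phase 5, drop_type ACCESS-LIST and drop_rule "Implicit Rule": the flow never matched a permit, which is the question the later replies chase (NAT exception, router-side filtering) rather than a problem with the VPN listener itself.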

41 Replies

Above is the NAT entry on the edge router.

Site-to-Site VPN is working with this NAT rule, but not AnyConnect.

Do you have any access list applied to the router interfaces?

No.

[attached screenshot: DipakMasurkar_0-1687948951467.png]

I know it is working from the router.

If you cannot use PAT to NAT 4443 to 443,

then:

Disable HTTP in the router.

Disable HTTPS in the router.

Use a public IP other than the public IP you assigned to the router interface.

The issue is that the router assumes this HTTP traffic is directed to it and drops the packet.

Did you apply a NAT exception for this traffic flow? Could you please share your sanitized configs for review? Also, please take a look at this post of mine, which shows all the steps you need to configure the RA VPN on FMC; you can ignore the ISE steps if you don't use it:

https://bluenetsec.com/fmc-anyconnect-ssl-vpn/

I have checked these settings and they are already configured in our setup.

Could you please share the sanitized output of the command "show asp socket table" on the firewall?

> show asp table socket


Protocol Socket State Local Address Foreign Address
SSL 00000518 LISTEN 10.10.10.5:443 0.0.0.0:*
DTLS 000402b8 LISTEN 10.10.10.5:443 0.0.0.0:*
>

Could you please share the command "telnet 10.10.10.5 443" from the router for review?

[attached screenshot: DipakMasurkar_0-1687949024893.png]

It's working from the router side.

There must be something on the router that is blocking this traffic, or something on the ISP router that is blocking it. In this case I would try to reach out to the ISP to double check with them. Another thing you could do in this case, to check whether the traffic destined to port 443 is hitting your router, would be to configure an access list with a permit statement for the traffic destined to port 443 with log enabled, and another rule to permit anything else, and then apply it inbound on the router's external interface. Then try to initiate some traffic from the internet towards your public IP on port 443 and see if you see any logs or hits on the access list. If not, it must then be an issue on the ISP side.
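The check proposed in this last reply produces two kinds of evidence: syslog lines from the logged permit entry, and the match counters shown by "show ip access-lists". The script below is an added example, not code from the thread or from Cisco; it parses constructed samples of both (ACL name CHECK443, documentation-range addresses and 198.51.100.10 standing in for the router's public IP are all assumptions, and the log and counter formats are the ones IOS uses for %SEC-6-IPACCESSLOGP messages and ACE match counts) and answers the reply's question: did any packets to port 443 actually arrive on the router's external interface, and from which sources.

```python
import re
from collections import Counter

# Constructed sample lines in the shape IOS logs for an ACL entry carrying the "log"
# keyword (%SEC-6-IPACCESSLOGP). Addresses are documentation ranges, not the thread's
# hosts; 198.51.100.10 stands in for the router's public IP. Assumed, not from the thread.
SAMPLE_SYSLOG = """\
Jun 28 10:15:02.113: %SEC-6-IPACCESSLOGP: list CHECK443 permitted tcp 203.0.113.25(51234) -> 198.51.100.10(443), 1 packet
Jun 28 10:15:09.441: %SEC-6-IPACCESSLOGP: list CHECK443 permitted tcp 203.0.113.25(51235) -> 198.51.100.10(443), 1 packet
Jun 28 10:15:31.002: %SEC-6-IPACCESSLOGP: list CHECK443 permitted udp 203.0.113.77(500) -> 198.51.100.10(500), 1 packet
Jun 28 10:20:12.870: %SEC-6-IPACCESSLOGP: list CHECK443 permitted tcp 192.0.2.8(40001) -> 198.51.100.10(443), 3 packets
"""

# Constructed "show ip access-lists" output for the same ACL: the logged permit for the
# VPN port, then a permit-any so nothing else is blocked while the test runs.
SAMPLE_ACL_COUNTERS = """\
Extended IP access list CHECK443
    10 permit tcp any host 198.51.100.10 eq 443 log (5 matches)
    20 permit ip any any (1287 matches)
"""

SYSLOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)
ACE_RE = re.compile(r"^\s*(?P<seq>\d+) (?P<ace>(?:permit|deny) .+?)(?: \((?P<matches>\d+) matches\))?$")

def port_hits(syslog_text, dport=443):
    """Count logged packets to `dport` per source address: who actually reached the router."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.search(line)
        if m and int(m.group("dport")) == dport:
            hits[m.group("src")] += int(m.group("count"))
    return hits

def ace_matches(show_output):
    """Map each ACE sequence number to (entry text, match counter) from show ip access-lists."""
    result = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            result[int(m.group("seq"))] = (m.group("ace"), int(m.group("matches") or 0))
    return result

def traffic_reaches_router(syslog_text, show_output, dport=443):
    """True if either evidence source shows packets to `dport` arriving on the router.

    A False here, after traffic was generated from the internet, points upstream (ISP),
    exactly the split the reply describes; a True points at the router/firewall config."""
    logged = sum(port_hits(syslog_text, dport).values())
    counted = sum(n for ace, n in ace_matches(show_output).values() if f"eq {dport}" in ace)
    return logged > 0 or counted > 0

if __name__ == "__main__":
    for src, n in port_hits(SAMPLE_SYSLOG).most_common():
        print(f"{src}: {n} packet(s) to tcp/443")
    print("reaches router:", traffic_reaches_router(SAMPLE_SYSLOG, SAMPLE_ACL_COUNTERS))
```

On the constructed samples the script attributes two packets to 203.0.113.25 and three to 192.0.2.8, ignores the udp/500 line (that is the S2S IKE traffic the thread says already works), and reports that port 443 traffic does reach the router, which would move the investigation back to the NAT and access rules in front of the FTD listener.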