cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
291
Views
1
Helpful
3
Replies

Cisco VPN Issue

cruseb1
Level 1
Level 1

I am having an issue with getting to anyconnect to login. When I attempt the login I get a timeout and the syslog shows the following:

%ASA-6-110003: Routing failed to locate next-hop for protocol from src interface:src IP/src port to dest interface:dest IP/dest port

 

 

My config is below ( I have scrubbed it as well )

ASA Version 9.16(4)18
!
hostname MY-ASA
domain-name my.local
enable password *****
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
names
no mac-address auto
ip local pool VPN_POOL 172.39.0.1-172.39.0.220 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 12.12.12.61 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.0.1 255.240.0.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.4 inside
name-server 10.0.0.20 inside
name-server 10.0.0.9 inside
name-server 8.8.8.8 outside
name-server 75.75.75.75 outside
domain-name my.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN_Network
subnet 172.39.0.0 255.255.255.0
object network Inside_Network
subnet 10.0.0.0 255.240.0.0
object network VPN_Network-254
subnet 172.29.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7181-152.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static VPN_Network VPN_Network no-proxy-arp route-lookup
nat (outside,inside) source static VPN_Network VPN_Network destination static Inside_Network Inside_Network no-proxy-arp route-lookup
nat (inside,outside) source static Inside_Network Inside_Network destination static VPN_Network VPN_Network no-proxy-arp route-lookup
!
nat (outside,outside) after-auto source dynamic any interface
route inside 0.0.0.0 0.0.0.0 12.12.12.62 1
route inside 172.29.0.0 255.255.255.0 10.0.0.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 172.29.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=MY-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 672b8faf
066782f1 be310701 cc8f7a78 8523e9f9 9353
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 255.255.255.255 inside
ssh 172.29.0.0 255.255.255.0 inside
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.9.06037-webdeploy-k9.pkg 1
anyconnect profiles ANYCONNECT_client_profile disk0:/ANYCONNECT_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ANYCONNECT internal
group-policy GroupPolicy_ANYCONNECT attributes
wins-server value 10.0.0.4
dns-server value 10.0.0.4 10.0.0.20
vpn-tunnel-protocol ikev2 ssl-client
default-domain value LEONET.local
webvpn
anyconnect profiles value ANYCONNECT_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username cruseb1 password ***** privilege 15
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
address-pool VPN_POOL
default-group-policy GroupPolicy_ANYCONNECT
tunnel-group ANYCONNECT webvpn-attributes
group-alias ANYCONNECT enable
!
!
prompt hostname context
!
jumbo-frame reservation
!
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

: end

1 Accepted Solution

Accepted Solutions

webvpn
enable outside <<- you enable webvpn outside abd you have defualt route to inside ??

MHM

View solution in original post

3 Replies 3

cruseb1
Level 1
Level 1

I factory reset it and built a very basic config. 

webvpn
enable outside <<- you enable webvpn outside abd you have defualt route to inside ??

MHM

Thank you, I completely missed that!! that solved the issue!!