2489 Views | 0 Helpful | 3 Replies

Client VPN - to -office and then to AWS through site-to-site VPN not working

ramesh.8901
Level 1

Hi All,

This is something that has had me troubleshooting for a while, but I couldn't find an answer, so I got on here hoping to find some answers.

So my setup is like this: 

Laptop Users --> Anyconnect VPN to ASA 5545 (office) --> site-to-site VPN to our Firepower Appliance on AWS

So users log into the network remotely using AnyConnect and connect to the ASA in our office. They get a range of IPs: 10.2.255.0/24

The users then need to access their applications on AWS. There's a site-to-site VPN setup between the office ASA and the Firepower device in AWS.

So it's basically a "hairpin" style configuration on the office ASA. Users in the office are able to comfortably access their applications in AWS by directly connecting via the site-to-site VPNs; however, the remote users are unable to.

A few things I've checked while troubleshooting:

a) The hairpin was set up on the outside interface (same-security intra-interface)

b) The interesting traffic has the source as 10.2.0.0/16 (LAN) and the destination as 10.128.0.0/23 (Firepower) on both sides. Hence the source for remote users (10.1.255.0/24) would fall into this interesting traffic. (The interesting traffic allows ALL traffic (ip) between these two destinations.)

c) When I tried running "sh crypto ipsec sa peer <Firepower IP> | be 10.128.0." I do not see any tunnel traffic (there's no output).

d) There's a NAT which has been set up - Identity NAT:

(outside) to (outside) source static VPN-CLIENT-NET VPN-CLIENT-NET destination static AWS-IE-MGMT_01 AWS-IE-MGMT_01 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

e) There's a route in place to 10.128.0.0 pointing to the outside interface, on which the site-to-site VPN (and also the remote access VPN) to the Firepower has been set up.

f) When I try doing a packet capture with type asp-drop, I do not see any drops related to 10.128.0.0.

g) I checked the logs for 10.128.0.0 and I do not see any logs for it.

h) Sysopt has been enabled for the outside interface, and hence there are no relevant access-lists on the outside interface for this traffic.

i) No filter list applied to the group policy through which users connect to the AnyConnect VPN.

So I'm kind of lost and wondering what else to do/check. Any help would be appreciated.

Thanks!!!

Accepted Solution

JP Miranda Z
Cisco Employee

Hi ramesh.8901,

Let's try sharing your config (sanitized) so we can help you. 

Hope this info helps!!

Rate if helps you!! 

-JP- 


3 Replies

JP,

Thanks for the help. I figured out what the issue was. The split tunnel policy was not configured to secure the routes to 10.2.0.0/16.
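
Pulling the pieces discussed in this thread together, the following is an illustrative ASA configuration added for this page; it is not the poster's actual config. The object names come from the NAT line quoted above, while the subnet masks, the ACL names (L2L-AWS, SPLIT-TUNNEL) and the group-policy name (ANYCONNECT-GP) are assumptions:

```cisco
! Hairpin: let traffic that arrived on outside (AnyConnect) leave via outside (site-to-site)
same-security-traffic permit intra-interface

! Objects: names as in the thread, masks assumed from the prefixes quoted in the post
object network VPN-CLIENT-NET
 subnet 10.2.255.0 255.255.255.0
object network AWS-IE-MGMT_01
 subnet 10.128.0.0 255.255.254.0

! Site-to-site interesting traffic (ACL name assumed); the client pool sits inside 10.2.0.0/16,
! so the crypto map must also be referenced by the L2L tunnel to the Firepower
access-list L2L-AWS extended permit ip 10.2.0.0 255.255.0.0 10.128.0.0 255.255.254.0

! Identity NAT so the client pool is not translated before it is matched against the L2L ACL
nat (outside,outside) source static VPN-CLIENT-NET VPN-CLIENT-NET destination static AWS-IE-MGMT_01 AWS-IE-MGMT_01 no-proxy-arp route-lookup

! Split tunnel: the AWS range has to be in the list, otherwise the client never sends it into
! the AnyConnect tunnel and the ASA has nothing to hairpin (ACL and group-policy names assumed)
access-list SPLIT-TUNNEL standard permit 10.2.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.128.0.0 255.255.254.0

group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Verification from the ASA CLI:
!   show vpn-sessiondb anyconnect filter name <user>   -> confirms the secured routes pushed to the client
!   show crypto ipsec sa peer <Firepower IP>            -> pkts encaps/decaps should increment for the pool
```

If the secured routes shown for the AnyConnect session do not include the AWS range, the client is sending that traffic out its local Internet connection and no amount of NAT or hairpin configuration on the ASA will help.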

tsusmelter
Level 1

Hi, I inherited a headache from my predecessors and have little knowledge, but I am learning as time goes. I am faced with a rather similar issue; anyone care to help? I will very much appreciate it. I have clients who are not able to reach the SAP application in AWS; all clients in HQ are able to access SAP. I am running Cisco ASA ver 9.16, model 5516 at HQ and 5508 at 2 remote offices connected via S2S VPN to HQ.

Site A <-S2S VPN---> HQ <---S2S VPN-> Site B. Problem #1: Site B prematurely loses the S2S connection after some time, but once the ASA is power cycled, access to the S2S VPN is restored, or once issuing: clear crypto isakmp sa / clear crypto ipsec sa.

Problem #2: RA VPN users are not able to reach SAP with BGP in AWS, but local clients in HQ have solid access.

I would like to enable RA VPN users to be able to access the SAP application in AWS. I am totally lost at HQ, not knowing what to do next, as the route table has been populated to include all interesting traffic locally and the two remote offices' LANs.