Having issues connecting to PC on internal network from SSL VPN

Zipp Duda
Level 1

Hi all,

I am having some difficulties when I am on my SSL VPN connecting to one of my servers/PCs using RDP. The VPN seems to be working OK; I can get to the switch that the server sits on, but not the server itself.

I have attached a packet trace and the VPN config from the device.

I appreciate any hints/help on this issue.

Thank you

7 Replies

Marvin Rhoads
Hall of Fame

Is OSPF on the ASA learning a route to the destination subnet? It's not a connected subnet so you must either learn the route from OSPF that you have running or else the ASA will try to use the default route (i.e. back outside).

Also, when you do packet-tracer with VPN pool addresses make sure you choose an address that's not currently in use. Otherwise it will always show "fail".

Hi Marvin,

Thanks for your reply. It does not look like the ASA is learning the VPN route via OSPF.

Here is my sh route output from the ASA:

ASA1# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 75.132.0.1 to network 0.0.0.0

O 10.250.0.64 255.255.255.248 [110/11] via 10.251.0.10, 908:19:12, AV_P2P
O 10.250.0.72 255.255.255.248
[110/11] via 10.251.0.14, 908:19:12, Work_LAN_P2P
O 10.250.0.32 255.255.255.224 [110/11] via 10.251.0.6, 908:19:12, WiFi_P2P
O 10.250.0.0 255.255.255.224 [110/11] via 10.251.0.2, 908:19:12, LAN_P2P
C 10.251.0.0 255.255.255.252 is directly connected, LAN_P2P
S 10.252.0.2 255.255.255.255 [1/0] via 2.2.2.1, outside
C 10.251.0.4 255.255.255.252 is directly connected, WiFi_P2P
C 10.251.0.8 255.255.255.252 is directly connected, AV_P2P
C 10.251.0.12 255.255.255.252 is directly connected, Work_LAN_P2P
C 192.168.252.0 255.255.255.240 is directly connected, Guest-WiFi
C 1.1.0.0 255.255.224.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside

That will definitely cause the access to fail.

You probably need to advertise the route from your downstream neighbor. Otherwise put a static route in the ASA to test it.
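Marvin's point about the lookup order (a learned or static route for the destination, otherwise the default route back out "outside") can be checked against the table posted above. The following is an added example, not code from the thread: a Python script that parses the ASA `show route` lines quoted above (including the entry the ASA wraps onto a second line) and performs the longest-prefix match for a destination, so an address that only matches the default route is easy to spot. The table is a constructed copy of the thread's output with some connected routes omitted for brevity.

```python
import ipaddress
import re

# Constructed sample: the ASA "show route" entries quoted in the thread
# (legend and "Gateway of last resort" line omitted, some C routes trimmed).
SHOW_ROUTE = """\
O 10.250.0.64 255.255.255.248 [110/11] via 10.251.0.10, 908:19:12, AV_P2P
O 10.250.0.72 255.255.255.248
[110/11] via 10.251.0.14, 908:19:12, Work_LAN_P2P
O 10.250.0.32 255.255.255.224 [110/11] via 10.251.0.6, 908:19:12, WiFi_P2P
O 10.250.0.0 255.255.255.224 [110/11] via 10.251.0.2, 908:19:12, LAN_P2P
C 10.251.0.0 255.255.255.252 is directly connected, LAN_P2P
S 10.252.0.2 255.255.255.255 [1/0] via 2.2.2.1, outside
C 1.1.0.0 255.255.224.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
"""

# route code, network, dotted mask, then whatever follows (metric/next hop/iface)
ENTRY = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s*(.*)$")


def parse_show_route(text):
    """Turn 'show route' lines into (network, code, detail) tuples.
    A line starting with '[' is the ASA wrapping a long entry onto a
    second line, so it is glued back onto the previous route."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and routes:
            net, code, detail = routes[-1]
            routes[-1] = (net, code, (detail + " " + line).strip())
            continue
        m = ENTRY.match(line)
        if m:
            code, net, mask, detail = m.groups()
            routes.append((ipaddress.ip_network(f"{net}/{mask}"), code, detail))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst, which is how the ASA picks the exit.
    Returns (prefix, code, detail); the default route (d*) wins only when
    nothing more specific covers the address, i.e. traffic goes back outside."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    net, code, detail = max(hits, key=lambda r: r[0].prefixlen)
    return str(net), code, detail
```

Running `lookup(parse_show_route(SHOW_ROUTE), "10.252.0.5")` returns the `d*` default route, while `10.252.0.2` hits the /32 host route the ASA inserted for the connected client.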

So from my switch that is downstream (also directly connected to the ASA), under OSPF I do advertise 10.252.0.0/29, but the ASA does not see it via OSPF. Instead I see it on the ASA as static:

S    10.252.0.2 255.255.255.255 [1/0] via 1.1.1.1, outside

Oh sorry - I misread that. Yes the ASA will insert a static /32 host route for any connected VPN client.

I do see you are learning 10.250.0.0 /29 via OSPF. So routing is OK from the ASA. Does the internal switch get a default route from the ASA or have one statically configured? I would think it should since you have

default-information originate

...on the ASA.

When you try to reach your server, do you see traffic reaching it (Wireshark or perhaps tcpview or even netstat might show you)? Do you see it leaving the ASA (packet capture would show it)?

Yes, the switch does get the default route in OSPF from the ASA. I went and rebooted the server and guess what happened? I was able to get to it from VPN. There was a problem on the server. After running Wireshark I was seeing RDP traffic leave the ASA but never make it to the server.

Great - thanks for the update and for rating.