06-07-2017 05:42 AM
Hi all,
I am having some difficulties when I am on my SSL VPN to connect to one of my servers/PCs using RDP.
VPN seems to be working OK. I can get to the switch that the server sits on but not the server itself.
I have attached a packet trace and the vpn config from the device.
I appreciate any hints/help on this issue.
Thank you
06-07-2017 06:31 AM
Is OSPF on the ASA learning a route to the destination subnet? It's not a connected subnet so you must either learn the route from OSPF that you have running or else the ASA will try to use the default route (i.e. back outside).
Also, when you do packet-tracer with VPN pool addresses make sure you choose an address that's not currently in use. Otherwise it will always show "fail".
06-07-2017 08:17 AM
Hi Marvin,
Thanks for your reply. It does not look like the ASA is learning the VPN route via OSPF.
Here is my sh route output from the ASA:
ASA1# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 75.132.0.1 to network 0.0.0.0
O 10.250.0.64 255.255.255.248 [110/11] via 10.251.0.10, 908:19:12, AV_P2P
O 10.250.0.72 255.255.255.248
[110/11] via 10.251.0.14, 908:19:12, Work_LAN_P2P
O 10.250.0.32 255.255.255.224 [110/11] via 10.251.0.6, 908:19:12, WiFi_P2P
O 10.250.0.0 255.255.255.224 [110/11] via 10.251.0.2, 908:19:12, LAN_P2P
C 10.251.0.0 255.255.255.252 is directly connected, LAN_P2P
S 10.252.0.2 255.255.255.255 [1/0] via 2.2.2.1, outside
C 10.251.0.4 255.255.255.252 is directly connected, WiFi_P2P
C 10.251.0.8 255.255.255.252 is directly connected, AV_P2P
C 10.251.0.12 255.255.255.252 is directly connected, Work_LAN_P2P
C 192.168.252.0 255.255.255.240 is directly connected, Guest-WiFi
C 1.1.0.0 255.255.224.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
06-07-2017 08:20 AM
That will definitely cause the access to fail.
You probably need to advertise the route from your downstream neighbor. Otherwise put a static route in the ASA to test it.
06-07-2017 08:36 AM
So from my switch that is downstream (also directly connected to the ASA) under OSPF I do advertise 10.252.0.0/29 but the ASA does not see it via OSPF. Instead I see it on the ASA as Static:
S 10.252.0.2 255.255.255.255 [1/0] via 1.1.1.1, outside
06-07-2017 09:46 AM
Oh sorry - I misread that. Yes the ASA will insert a static /32 host route for any connected VPN client.
I do see you are learning 10.250.0.0 /29 via OSPF. So routing is OK from the ASA. Does the internal switch get a default route from the ASA or have one statically configured? I would think it should since you have
default-information originate
...on the ASA.
When you try to reach your server, do you see traffic reaching it (Wireshark or perhaps tcpview or even netstat might show you)? Do you see it leaving the ASA (packet capture would show it)?
06-07-2017 11:43 AM
Yes, the switch does get the default route in OSPF from the ASA. I went and rebooted the server and guess what happened? I was able to get to it from VPN. There was a problem on the Server. After running Wireshark I was seeing RDP traffic leave the ASA but never making it to the server.
06-07-2017 08:04 PM
Great - thanks for the update and for rating.
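The routing check discussed in this thread (does the ASA hold a more specific route than the default for a given address?), as an added example that is not part of the original posts: a longest-prefix-match lookup over route lines copied from the sh route output above. The function names and the destination addresses passed to lookup() are assumptions made for illustration; the thread does not give the server's address.

```python
import ipaddress
import re

# Route lines copied from the "sh route" output posted in the thread.
SH_ROUTE = """\
O 10.250.0.64 255.255.255.248 [110/11] via 10.251.0.10, 908:19:12, AV_P2P
O 10.250.0.72 255.255.255.248
[110/11] via 10.251.0.14, 908:19:12, Work_LAN_P2P
O 10.250.0.32 255.255.255.224 [110/11] via 10.251.0.6, 908:19:12, WiFi_P2P
O 10.250.0.0 255.255.255.224 [110/11] via 10.251.0.2, 908:19:12, LAN_P2P
C 10.251.0.0 255.255.255.252 is directly connected, LAN_P2P
S 10.252.0.2 255.255.255.255 [1/0] via 2.2.2.1, outside
C 1.1.0.0 255.255.224.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 1.1.1.1, outside
"""

# code, network, mask, then the interface name after the last comma
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\b.*,\s*(\S+)$")

def parse_routes(text):
    """Return (network, code, interface) tuples; re-joins entries the CLI wrapped."""
    joined = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and joined:
            joined[-1] += " " + line          # continuation of a wrapped entry
        elif line:
            joined.append(line)
    routes = []
    for line in joined:
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            routes.append((net, m[1], m[4]))
    return routes

def lookup(routes, dest):
    """Longest-prefix match: the most specific route containing dest, or None."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)

if __name__ == "__main__":
    table = parse_routes(SH_ROUTE)
    # Constructed destinations: an inside host, the connected VPN client,
    # and a pool address with no client attached.
    for dest in ("10.250.0.10", "10.252.0.2", "10.252.0.3"):
        net, code, ifc = lookup(table, dest)
        print(f"{dest:<12} -> {net} ({code}) via {ifc}")
```

A destination that resolves only to 0.0.0.0/0 on outside is the failure case described in the 06:31 reply; an inside subnet that resolves to an OSPF route on an inside interface means routing on the ASA is not the problem.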