How to check if Address pool is used by vpn client

mahesh18
Level 6

Hi everyone,

I need to configure AnyConnect VPN on an existing ASA which also has a remote VPN client running.

Under ASDM, when I click on address pools, I see two address pools:

PoolDefault, which I can see is used by the current remote VPN.

PoolX -- this subnet is not assigned to users right now.

Is there a way that I can check if the PoolX subnet is configured to assign IPs to the remote VPN?

Regards

Mahesh

5 Replies

Jouni Forss
VIP Alumni

Hi,

On the CLI you could check the output of

show run group-policy

and

show run tunnel-group

to see if the PoolX is used anywhere in the VPN configurations.

Naturally you could also simply search the configuration and see if there is anything else but the actual PoolX configuration on the ASA.

show run | inc PoolX

This should probably only show the command "ip local pool" if the address pool has only been created but is not in use anywhere.

- Jouni

Hi Jouni,

I ran the commands sh run group-policy and tunnel-group; neither shows PoolX.

When I run the command

sh run | inc PoolX

ip local pool PoolX 172.31.98.192-172.31.98.223 mask 255.255.255.0

address-pools value PoolX

As we do not see this address pool in the output of group-policy and tunnel-group, can I confirm it is not used by the VPN client?

Regards

Mahesh

Hi,

The above output seems to suggest that when you just looked for references to the VPN pool name "PoolX", it also found a line "address-pool value PoolX".

So it seems that it's in use somewhere.

To my understanding the above command should refer to some "group-policy" configuration.

Check the output of

show run group-policy

again to see if it's configured there.

- Jouni

Hi Jouni,

I ran the command

sh run group-policy

group-policy CSGroupPolicy internal
group-policy CSGroupPolicy attributes
wins-server none
dns-server value 192.168.50.6 192.168.50.7
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth enable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value corp.com
split-dns none
intercept-dhcp disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 15
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
vlan none
nac-settings none
address-pools value PoolX
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
  homepage none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression deflate
  svc modules value vpngina
  svc profiles none
  svc ask none default webvpn
  customization value DfltCustomization
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy DfltGrpPolicy attributes
banner value This Computer Resource is the property of xx Ltd. Authorized persons may use it for approved purposes only.
banner value This Computer Resource will be monitored, recorded and audited by XX to ensure compliance with XX Corporate,  Information Security and Ethics Policies. The user has no right to, or expectation of, privacy in any personal or  owned information, created, stored, transmitted or accessed on Computer Resources.
banner value LOGIN IS CONSENT TO THIS NOTICE
wins-server value 192.168.50.6 192.168.50.7
dns-server value 192.168.50.6 192.168.50.7
vpn-tunnel-protocol IPSec svc
ipsec-udp enable
default-domain value corp.com
user-authentication-idle-timeout 15
address-pools value PoolDefault

group-policy DCGroupPolicy internal
group-policy DCGroupPolicy attributes
wins-server value 192.168.50.6 192.168.50.7
dns-server value 192.168.50.6 192.168.50.7
dhcp-network-scope none
vpn-tunnel-protocol IPSec
default-domain value corp.com
address-pools value PoolDefault

So as per the above output, it shows that PoolX is used by group policy CS.

But when a user connects via remote VPN he does not use group policy CS.

So by this can I confirm that PoolX is not used by remote VPN users?

Regards

Mahesh
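As an added example (written for this page, not code from the thread or from Cisco), the Python script below automates the check Jouni describes in both answers and carries it one step further, which is what the last question above turns on: it reads a saved "show running-config", then follows every reference chain from an "ip local pool" through "address-pools value" in a group policy to the tunnel-groups (connection profiles) whose "default-group-policy" is that policy and to the local usernames pinned to it with "vpn-group-policy". It applies two ASA defaults: a tunnel-group with no "default-group-policy" uses DfltGrpPolicy, and a group policy without its own "address-pools" line inherits DfltGrpPolicy's. A pool that appears only in its "ip local pool" line, or only in a group policy that no tunnel-group or username selects, reaches nobody. The sample configuration is constructed to mirror the thread; the username, the InheritGP policy and all tunnel-group names are invented. Addresses handed out by a AAA server or DHCP ("vpn-addr-assign aaa" / "vpn-addr-assign dhcp") are outside what it parses and would need a separate check.

```python
import re

# Constructed sample 'show run' excerpt (not the poster's real config). Pool and
# group-policy names mirror the thread; username, tunnel-group and InheritGP
# sections are invented here to show how the references chain together.
SAMPLE_CONFIG = """\
ip local pool PoolDefault 172.31.99.1-172.31.99.100 mask 255.255.255.0
ip local pool PoolX 172.31.98.192-172.31.98.223 mask 255.255.255.0
ip local pool PoolUnused 10.10.10.1-10.10.10.50 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
 address-pools value PoolDefault
group-policy CSGroupPolicy internal
group-policy CSGroupPolicy attributes
 address-pools value PoolX
group-policy DCGroupPolicy attributes
 address-pools value PoolDefault
group-policy InheritGP attributes
 vpn-tunnel-protocol svc
username cs_admin attributes
 vpn-group-policy CSGroupPolicy
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 default-group-policy DCGroupPolicy
tunnel-group Inherit type remote-access
tunnel-group Inherit general-attributes
 default-group-policy InheritGP
tunnel-group Legacy type remote-access
tunnel-group Legacy general-attributes
 address-pool PoolDefault
"""

POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)")
HEADER_RE = re.compile(r"^(group-policy|tunnel-group|username)\s+(\S+)\s+(?:general-)?attributes$")
TOP_RE = re.compile(r"^(group-policy|tunnel-group|username)\s+(\S+)")


def parse_config(text):
    """Return (pools, refs): pools maps name -> range; refs maps (kind, name) ->
    {'pools': [...], 'group_policy': ...} for every object seen, block or not."""
    pools, refs, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes usually lose ASA's one-space indent
        if not line:
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = m.group(2)
            section = None
            continue
        m = HEADER_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))
            refs.setdefault(section, {})
            continue
        m = TOP_RE.match(line)  # 'group-policy X internal', 'tunnel-group X type', ...
        if m:
            refs.setdefault((m.group(1), m.group(2)), {})
            section = None
            continue
        if section is None:
            continue
        kind, tokens = section[0], line.split()
        if kind == "group-policy" and tokens[:2] == ["address-pools", "value"]:
            refs[section]["pools"] = tokens[2:]
        elif kind == "tunnel-group" and tokens[0] == "address-pool":
            refs[section]["pools"] = tokens[1:]
        elif tokens[0] in ("default-group-policy", "vpn-group-policy") and len(tokens) > 1:
            refs[section]["group_policy"] = tokens[1]
    return pools, refs


def policy_pools(gp, refs):
    """Pools a group policy hands out; an attribute it does not set is inherited
    from DfltGrpPolicy, so a policy with no address-pools line may still assign."""
    own = refs.get(("group-policy", gp), {}).get("pools")
    if own is None and gp != "DfltGrpPolicy":
        return policy_pools("DfltGrpPolicy", refs)
    return own or []


def pool_usage(pool, pools, refs):
    """Every path by which `pool` reaches a VPN user. in_use False means the
    pool is only defined, or sits in a policy that nothing selects."""
    if pool not in pools:
        raise KeyError("no 'ip local pool %s' in this config" % pool)
    gps = {n for (k, n) in refs if k == "group-policy" and pool in policy_pools(n, refs)}
    direct, via_tg, users = set(), {}, {}
    for (kind, name), attrs in refs.items():
        if kind == "tunnel-group":
            if pool in attrs.get("pools", []):
                direct.add(name)
            gp = attrs.get("group_policy", "DfltGrpPolicy")  # ASA default for a tunnel group
            if gp in gps:
                via_tg[name] = gp
        elif kind == "username" and attrs.get("group_policy") in gps:
            users[name] = attrs["group_policy"]
    return {"range": pools[pool], "group_policies": sorted(gps),
            "tunnel_groups_direct": sorted(direct),
            "tunnel_groups_via_group_policy": via_tg,
            "users_via_group_policy": users,
            "in_use": bool(direct or via_tg or users)}


if __name__ == "__main__":
    pools, refs = parse_config(SAMPLE_CONFIG)
    for name in pools:
        print(name, pool_usage(name, pools, refs))
```

To run it against a real box, save the output of "show running-config" to a file and pass its contents to parse_config instead of SAMPLE_CONFIG. In the sample, PoolX comes back in use only through the local user cs_admin, which is the shape of the situation in this thread: a pool referenced from a group policy is handed out only to whoever actually lands in that policy, so the question to settle is which tunnel-groups and users select CSGroupPolicy, not merely whether the policy names the pool.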

Many thanks Jouni

Regards

Mahesh