Issue with Remote Access VPN and Site to Site VPN

Dipesh Patel
Level 2

Dear Experts,

We have around 50 Remote Access VPN profiles and 8 - 10 Site to Site VPN tunnels on an ASA 5540 device. There are 2 ASAs.

Problem:

When we created a new Remote Access VPN profile using the wizard, where on the 1st screen the tick mark is unchecked (meaning: disable the inbound IPsec sessions to bypass interface session).

The aim of the same is to allow a specific port number for specific servers.

Added ACL = access-list outside line 196 extended permit object-group TCPUDP any object-group INT-VPN eq 3602

But after configuring the same, most of our VPN profiles and Site to Site VPNs are affected.

During the problem, we can connect using the Remote Access profile but cannot ping any of the servers which are allowed in that profile. Same case in the Site to Site VPN tunnel, where there was no ping between both side networks.

We have observed the following in the affected configuration:

1. Many of the ACLs related to Remote Access VPN profiles were deleted by themselves.

2. The banner was also deleted.

3. Added new cmd "no sysopt connection permit-vpn"

Can anybody look into this and tell what the root cause of this problem is?

Thanks in advance.

Regards,

4 Replies

andamani
Cisco Employee

Hi,

Adding a new RA VPN tunnel will not affect any of the other tunnels.

Are you sure your config was saved every time the changes were made? When was the last time that the ASA was rebooted, i.e. how long has it been up? You can check the same from the "sh ver" output of the ASA.

Also, I would suggest checking the NAT exemption access-list for the interesting traffic of the various tunnels, as the tunnels are up but ping is not working.

Hope this helps.

regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Same problem here with our customer.

WLAN clients complain about VPN problems after we migrated from 1142 to the new 3600 series APs.

Have you already investigated deeper? Is there a bug open with the new 3600 dealing with VPN problems?

sokakkar
Cisco Employee

Hi Dipesh,

It seems the problem is related to:

3. Added new cmd "no sysopt connection permit-vpn"

This is added because:

"When we created a new Remote Access VPN profile using the wizard, where on the 1st screen the tick mark is unchecked (meaning: disable the inbound IPsec sessions to bypass interface session)."

"sysopt connection permit-vpn" bypasses the outside interface access-list check for VPN traffic. Since that command has now been removed, all VPN traffic is subject to being checked against the inbound interface ACL on outside. So whatever traffic is allowed through it will work, and the rest won't. Check this link to understand more about the command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364

Apply the command "sysopt connection permit-vpn" and see if that makes a difference.

-

Sourav
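To make the two states concrete, here is an added illustrative ASA configuration (not from the thread or from Sourav). INT-VPN and the port 3602 ACE come from the original post; RA-POOL, S2S-REMOTE and S2S-LOCAL and their addresses are assumed values. Keeping the bypass off is the tighter, least-privilege option, but then every tunnel's decrypted traffic (ICMP included) has to be listed explicitly in the ACL applied inbound on outside.

```cisco
! Added example, not the thread's own config. Object names and
! addresses other than INT-VPN are assumed.
!
! State A (ASA default): decrypted RA and site-to-site traffic skips
! the outside interface ACL entirely.
sysopt connection permit-vpn
!
! State B (what the wizard pushed): bypass removed, so every decrypted
! packet is matched against the ACL bound inbound on outside and
! anything not listed is dropped.
no sysopt connection permit-vpn
!
object-group protocol TCPUDP
 protocol-object tcp
 protocol-object udp
object-group network RA-POOL
 network-object 10.10.10.0 255.255.255.0
object-group network INT-VPN
 network-object host 192.168.1.10
object-group network S2S-REMOTE
 network-object 172.16.0.0 255.255.0.0
object-group network S2S-LOCAL
 network-object 192.168.0.0 255.255.0.0
!
! The single ACE from the original post: only TCP/UDP 3602 to the
! servers is matched, so in State B ping (ICMP) is never permitted.
access-list outside extended permit object-group TCPUDP any object-group INT-VPN eq 3602
!
! Entries that State B additionally needs for the symptoms described:
access-list outside extended permit icmp object-group RA-POOL object-group INT-VPN echo
access-list outside extended permit ip object-group S2S-REMOTE object-group S2S-LOCAL
!
access-group outside in interface outside
!
! Verification: "show run sysopt" shows which state is active and
! "show access-list outside" shows per-ACE hit counts for the tunnels.
```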

sokakkar
Cisco Employee

Also, if you use ASDM to make changes, go to Tools --> Preferences and check "Preview commands before sending them to device".

This way, the ASA will show you the commands it will execute once you hit Apply, before actually sending them.