Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
888
Views
0
Helpful
1
Replies

problems accessing internet anyconnect VPN

djxtcsthlm77
Level 1
Level 1

‎05-19-2013 09:07 PM - edited ‎02-21-2020 06:54 PM

i have a ASA 5505.

when clients connect using anyconnect VPN they loose connection to the internet. DNS resolve seems fine.

In the log of the ASA i receive these errors:

Group <GroupPolicy_VPN> User <administrator> IP <PUBLIC IP ADDRESS> Transmitting large packet 1250 (threshold 1206).

Anyone have any ideas?

My config looks like this:

ciscoasa(config)# show run

: Saved

:

ASA Version 8.4(4)1

!

hostname ciscoasa

enable password XYZ

passwd XYZ encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup inside

dns domain-lookup outside

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.1.192_27

subnet 192.168.1.192 255.255.255.224

object network FC_SERVER

host 192.168.1.5

description SERVER

object service tcp_3389

service tcp source eq 3389

object network inside-network

object-group service RDP tcp

port-object eq 3389

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list outside_access_in extended permit tcp object CM_NET host 192.168.1.5 eq 3389

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_DHCP_POOL 192.168.1.201-192.168.1.210 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static FC_SERVER interface service tcp_3389 tcp_3389

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.192_27 NETWORK_OBJ_192.168.1.192_27

no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server AD protocol nt

aaa-server AD (inside) host 192.168.1.5

nt-auth-domain-controller FC

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 59875751

      REMOVED INFO....

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"

anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2 regex "Linux"

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"

anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_VPN internal

group-policy GroupPolicy_VPN attributes

wins-server value 192.168.1.5

dns-server value 192.168.1.5

vpn-tunnel-protocol ikev2 ssl-client

default-domain value domain.com

webvpn

  anyconnect profiles value VPN_client_profile type user

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPN_DHCP_POOL

authentication-server-group AD

default-group-policy GroupPolicy_VPN

tunnel-group VPN webvpn-attributes

group-alias VPN enable

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:17272ccf5f8b7aa72a9e7cbd19fea37c

: end

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎05-20-2013 04:31 AM

For the Remote Access VPN user to get to the Internet the ASA must forward the packet back out the interface on which it was received. This is sometimes referred to as hairpinning and the ASA does not permit this by default. There is a command for same security level traffic which will allow this. Try using that command and let us know if the behavior changes.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents