09-19-2013 07:18 PM - edited 02-21-2020 07:10 PM
Hi expert,
I recently noticed a strange thing: my AnyConnect VPN is working, but packet-tracer always shows the WEBVPN-SVC result as DROP.
If I change to another unused IP address in the VPN pool, then packet-tracer shows allowed, but in fact the PC that successfully connected is always able to reach the web server.
//Client successfully dials in to the VPN and obtains 3.3.3.1; packet-tracer using this IP shows:
ASA5510# packet-tracer input inside tcp 3.3.3.1 1025 1.1.1.1 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.0 255.255.255.252 dmz
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
//If I use another IP address in the VPN pool (not assigned yet), then it shows allow.
PSS-ASA5510# packet-tracer input inside tcp 3.3.3.2 1025 1.1.1.1 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 1.1.1.0 255.255.255.252 dmz
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 30842, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
From the VPN client PC, 1.1.1.1 port 80 is reachable, but I'm confused by the fact that packet-tracer shows something different.
04-05-2017 07:08 AM
You need to use an IP that is not already allocated to a client.
See
Testing AnyConnect With Packet Tracer
Pete
09-22-2013 07:36 PM
anyone?
04-05-2017 08:26 AM
Nice one Pete!
Old thread but still a worthwhile contribution.
11-19-2019 01:52 PM
That is very cool. However, if you have uRPF enabled on the outside interface, you get this error because the reverse-route isn't populated.
Result:
input-interface: Charter
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
This was on an FTD device managed from the FMC. I removed uRPF, and packet-tracer worked as desired. It is interesting that I got the same WEBVPN-SVC DROP from using an existing AnyConnect IP address on FTD.
FYI uRPF is located under Devices > Device Management > [device] > Interfaces > [interface] > Advanced > Security Configuration > Enable Anti Spoofing.
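The two drop signatures discussed in this thread (WEBVPN-SVC with an already-allocated client address, and rpf-violated with uRPF enabled) can be pulled out of raw packet-tracer output automatically. This is an added example, not code from the thread or from Cisco; the sample texts are constructed excerpts modelled on the output posted above, and the classification strings are my own.

```python
# Added example: parse ASA/FTD packet-tracer output and classify the two
# drop causes seen in this thread. Sample text is a constructed excerpt.
SAMPLE_WEBVPN_DROP = """Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

SAMPLE_RPF_DROP = """Result:
input-interface: Charter
output-interface: Inside
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""


def parse_packet_tracer(text):
    """Return (phases, final): one dict per 'Phase:' block plus the summary block."""
    phases, final, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1])}
            phases.append(current)
        elif line == "Result:":  # a bare 'Result:' opens the final summary block
            current = final
        elif ":" in line and current is not None:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return phases, final


def diagnose(text):
    """Map one packet-tracer run to 'allow' or a short explanation of the drop."""
    phases, final = parse_packet_tracer(text)
    if final.get("action") != "drop":
        return "allow"
    dropped = [p.get("type") for p in phases if p.get("result") == "DROP"]
    if "WEBVPN-SVC" in dropped:
        # Thread finding: source IP is bound to a connected client; retest with a free pool address.
        return "webvpn-svc: source IP already allocated to an AnyConnect client"
    if "rpf-violated" in final.get("drop-reason", ""):
        # Thread finding: uRPF/anti-spoofing on the ingress interface has no reverse route.
        return "rpf-violated: uRPF on the input interface rejects the pool address"
    return "drop: " + final.get("drop-reason", "unknown")
```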
03-31-2020 06:10 AM
Fantastic!!!!!!!!!!!!!!
10-06-2022 09:37 AM
I have a similar issue where the traffic is not getting through, with the following error:
Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Elapsed time: 428 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x15044ce39c40, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=10464, user_data=0xf06a4000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.200.31.78, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GLP-Outside(vrfid:0), output_ifc=any