Should two anyconnect clients on the same ASA be able to talk with each other?

Chris Bull
Level 1

Hi All,

As per title, I can't get peer to peer traffic between two remote clients when they are on the same ASA.  Should this work? What areas of config should I be looking at?

Chris

21 Replies

A typical problem is the missing command:

same-security-traffic permit intra-interface

Aditya Ganjoo
Cisco Employee

Hi Chris,

You need these things in the config:

- First, you should have a NAT policy that NATs your AnyConnect clients to their own IPs:

nat (outside,outside) source static Anyconnect-pool Anyconnect-pool

- same-security-traffic permit intra-interface

- Also, in the split tunnel policy you need to add a standard ACL for your AnyConnect pool:

access-list split standard permit ip <pool>

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Thanks for the response. We currently have split-tunnel-policy tunnelall on. I understood split tunnel was about allowing clients to talk to a local internet connection outside of the VPN?

The VPN mode we're running is l2tp-ipsec (we have to run in IPsec mode for compliance reasons); we've not got any NAT running on the VPN traffic right now.

I'd also note that the DHCP is served by a centralised server. (so no

Does any of the above change your advice? I was looking at adding a vpn-filter (none is currently configured).

We did already add the same-security-traffic permit intra-interface command but it had no effect on the problem.

Hi Chris,

When you ping one AnyConnect client from the other client, do you see pings reaching the ASA's outside interface?

Use debug icmp trace and check if the ping makes it to the ASA.

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Yes, I can see ICMP packets coming in from the remote client, but no sign of any replies.

ICMP echo/replies from outside <> inside are fine.

Hi Chris,

Could you use packet-tracer and share the output?

packet-tracer input outside icmp <pool ip 1 > 8 0 <pool ip 2> det

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Please see below for the information. I've redacted/obscured IP addressing information.

# packet-tracer input OUTSIDE  icmp 10.xx.80.23 8 0 10.xx.80.24 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff8c533b50, priority=1, domain=permit, deny=false
        hits=1450655534, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=OUTSIDE, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <Public IP of ASA's gateway> using egress ifc  OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb1d76810, priority=3, domain=permit, deny=false
        hits=3, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=OUTSIDE

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb13611e0, priority=0, domain=nat-per-session, deny=true
        hits=13714631, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff8c5307c0, priority=0, domain=inspect-ip-options, deny=true
        hits=25138495, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff8e396ff0, priority=79, domain=punt, deny=true
        hits=1936, user_data=0x7fffb0d56610, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.xx.80.23, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb1ccf2b0, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1936, user_data=0x2571cd34, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.xx.80.23, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi Chris,

Just for testing purposes could you use the following NAT on line 1:

nat (outside,outside) 1 source static Anyconnect-pool Anyconnect-pool

and then test the traffic?

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

Ok, same end result.

Added the following configuration:

object network obj-AnyconnectPool
 subnet 10.xx.80.0 255.255.240.0
nat (outside,outside) 1 source static obj-AnyconnectPool obj-AnyconnectPool

Here's some debug icmp trace:

# ICMP echo request from OUTSIDE:10.xx.80.23 to INSIDE:10.xx.80.24 ID=1 seq=54081 len=32
ICMP echo request from OUTSIDE:10.xx.80.23 to INSIDE:10.xx.80.24 ID=1 seq=54082 len=32
ICMP echo request from OUTSIDE:10.xx.80.23 to INSIDE:10.xx.80.24 ID=1 seq=54083 len=32
ICMP echo request from OUTSIDE:10.xx.80.23 to INSIDE:10.xx.80.24 ID=1 seq=54084 len=32

Some show nat:

# sho nat
Manual NAT Policies (Section 1)
1 (OUTSIDE) to (OUTSIDE) source static obj-AnyconnectPool obj-AnyconnectPool
    translate_hits = 3, untranslate_hits = 3

And a packet-tracer:

# packet-tracer input OUTSIDE  icmp 10.xx.80.23 8 0 10.xx.80.24 det

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OUTSIDE,OUTSIDE) source static obj-AnyconnectPool obj-AnyconnectPool
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 10.xx.80.24/0 to 10.xx.80.24/0

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (OUTSIDE,OUTSIDE) source static obj-AnyconnectPool obj-AnyconnectPool
Additional Information:
Static translate 10.xx.80.23/0 to 10.xx.80.23/0
Forward Flow based lookup yields rule:
in  id=0x7fffa59a6e80, priority=6, domain=nat, deny=false
        hits=0, user_data=0x7fffa5910b00, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.xx.80.0, mask=255.255.240.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=OUTSIDE

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb1d76810, priority=3, domain=permit, deny=false
        hits=6, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=OUTSIDE

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffb13611e0, priority=0, domain=nat-per-session, deny=true
        hits=13779430, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff8c5307c0, priority=0, domain=inspect-ip-options, deny=true
        hits=25194915, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff99b0e000, priority=79, domain=punt, deny=true
        hits=3644, user_data=0x7fffb0d56610, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.xx.80.23, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fffa9adbbd0, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=3644, user_data=0x14dfd674, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.xx.80.23, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=OUTSIDE, output_ifc=any

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
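Comparing the two packet-tracer runs above by eye is error-prone, since the only differences are the two new NAT/UN-NAT phases at the top while the drop still lands in the same VPN phase. As an added example (not code from this thread or from Cisco), the Python below parses `packet-tracer ... detailed` output into its phases, reports the phase that returned DROP together with the Drop-reason, and lists the `nat` rules the flow actually matched, so a trace captured before and after a config change can be diffed mechanically. The two sample traces are constructed for the example, condensed from the two traces posted in the thread (detail lines and most of the ALLOW phases are cut); the function names are the example's own.

```python
"""Triage Cisco ASA `packet-tracer ... detailed` output: find the phase that
dropped the flow and list the NAT rules the flow matched, so a trace taken
before and after a config change can be compared mechanically. Added example
(not code from the thread or from Cisco); the sample traces are constructed,
condensed from the two traces in the thread (detail lines, most phases cut)."""
import re


def parse_packet_tracer(text):
    """Return {'phases': [...], 'action': str, 'drop_reason': str}.
    'Phase: N' opens a phase; the bare 'Result:' header (no value) opens
    the final verdict block that carries Action and Drop-reason."""
    trace = {"phases": [], "action": "", "drop_reason": ""}
    phase, in_config, in_verdict = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            phase = {"number": int(m.group(1)), "type": "", "subtype": "",
                     "result": "", "config": []}
            trace["phases"].append(phase)
            in_config = False
        elif line == "Result:":
            phase, in_verdict = None, True
        elif phase is not None:
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif line == "Config:":
                in_config = True
            elif line == "Additional Information:":
                in_config = False
            elif in_config:             # lines such as "Implicit Rule" or "nat (...)"
                phase["config"].append(line)
        elif in_verdict:
            key, _, value = line.partition(":")
            if key == "Action":
                trace["action"] = value.strip()
            elif key == "Drop-reason":
                trace["drop_reason"] = value.strip()
    return trace


def dropping_phase(trace):
    """First phase whose Result is DROP, or None when the flow was allowed."""
    return next((p for p in trace["phases"] if p["result"] == "DROP"), None)


def applied_nat_rules(trace):
    """nat commands under Config: of NAT/UN-NAT phases. The per-session NAT
    phase has an empty Config: block, so it never contributes."""
    return [c for p in trace["phases"] if p["type"] in ("NAT", "UN-NAT")
            for c in p["config"] if c.startswith("nat ")]


def summarize(trace):
    p = dropping_phase(trace)
    if p is None:
        return "%s: no phase dropped the flow" % trace["action"]
    where = p["type"] + ("/" + p["subtype"] if p["subtype"] else "")
    return "%s at phase %d (%s): %s" % (trace["action"], p["number"], where,
                                        trace["drop_reason"])


# Constructed sample: mirrors the first trace (no hairpin NAT rule yet).
TRACE_BEFORE_NAT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample: mirrors the second trace, after the nat (outside,outside)
# identity rule was added; the flow is still dropped in the VPN phase.
TRACE_AFTER_NAT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (OUTSIDE,OUTSIDE) source static obj-AnyconnectPool obj-AnyconnectPool
Additional Information:
NAT divert to egress interface OUTSIDE

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (OUTSIDE,OUTSIDE) source static obj-AnyconnectPool obj-AnyconnectPool
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

Running `summarize(parse_packet_tracer(TRACE_AFTER_NAT))` gives `drop at phase 7 (VPN/ipsec-tunnel-flow): (acl-drop) Flow is denied by configured rule`, and `applied_nat_rules` shows the identity rule matched twice (UN-NAT, then NAT) in the second trace and not at all in the first, which is exactly the comparison the thread is making by hand: the NAT rule is now in the path, but it is not what drops the flow.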

Hi Chris,

Interesting. Can you check if the pings are blocked on the AnyConnect hosts?

Could you turn off the Windows Firewall etc.?

Regards,

Aditya

Hi Aditya,

I can confirm that pings are permitted on the windows firewalls. 

From a host on the interior network I can ping both remote hosts. Both remote hosts can ping the internal hosts.

Indeed, external hosts can ping remote hosts on other nodes in the ASA load balanced cluster. It is just when both remote nodes are on the same ASA that we have trouble.

Hi Chris,

On the ASA please take asp captures and check if the ASA is doing something to this traffic.

cap asp type asp-drop all

sh cap asp | in <VPN pool ip>

Test a ping and check if you see any hits in the capture.

Also use a packet sniffer like Wireshark on the PC and check whether the request reaches the host or not.

Regards,

Aditya

Please rate helpful posts.

Hi Aditya,

The capture does not show the dropped traffic.

Wireshark testing confirms that remote B never sees packets from remote A (this was tested in both directions).

Chris

Hi Chris,

What are the ASA and AnyConnect versions in use?

Regards,

Aditya

Please rate helpful posts.