Unable to access Internet while connected to AnyConnect

jf1134
Level 1

We have an ASAv in Azure that's just used for users to access some internal resources over AnyConnect. I have a split-tunnel setup, so the internal IPs are in the secured routes and 0.0.0.0/0 is non-secured. The problem is that some people, once they connect, lose their connection to the internet, so they are unable to access any websites like google.com or basically anything. The majority of the users are using 4.7.

Thanks in advance. 

9 Replies

It seems like your NAT configuration is not correct or is missing. Could you please share your configuration?

Try the commands below in case they are missing; this will fix the issue. If not, please share your configuration.

nat (outside,inside) source static <vpn-pool> <vpn-pool> destination static <internal-network> <internal-network>
!
nat (inside,outside) source dynamic <vpn-pool> interface

please do not forget to rate.

jf1134
Level 1

Here's the config.

ASA Version 9.15(1)1
!
hostname ASA-XXX
enable password
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
!
license smart
feature tier standard
throughput level 1G
names
no mac-address auto
ip local pool VPN_Pool 10.10.1.1-10.10.1.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no management-only
nameif Internet
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Internet
dns server-group DefaultDNS
name-server 168.63.129.16
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Pool
subnet 10.10.1.0 255.255.255.0
object network obj_inside
subnet 10.75.1.0 255.255.255.0
access-list SPLIT_Tunnel standard permit 10.250.0.0 255.255.0.0
access-list SPLIT_Tunnel standard permit 172.16.0.0 255.255.128.0
access-list SPLIT_Tunnel standard permit 172.16.128.0 255.255.128.0
access-list SPLIT_Tunnel standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_Tunnel standard permit 10.75.0.0 255.255.0.0
access-list SPLIT_Tunnel standard permit 10.100.0.0 255.255.0.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list Internet_access_in extended permit ip any 172.16.128.0 255.255.128.0
access-list Internet_access_in extended permit ip any 10.250.0.0 255.255.0.0
access-list Internet_access_in extended permit ip any 172.16.0.0 255.255.128.0
access-list Internet_access_in extended permit ip any any
pager lines 23
logging enable
logging asdm informational
mtu Internet 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (any,any) source static obj_inside obj_inside destination static obj_inside obj_inside no-proxy-arp
nat (any,any) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool no-proxy-arp
!
object network VPN-Pool
nat (any,Internet) dynamic interface dns
access-group Internet_access_in in interface Internet
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server Duo_LDAP protocol ldap
aaa-server Duo_LDAP (Internet) host xxxxx
server-port 636
ldap-base-dn dc=xxxxx,dc=xxxxxxx,dc=com
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn dc=xxxxxx,dc=xxxxxx,dc=com
ldap-over-ssl enable
server-type auto-detect
aaa-server Login_Servers protocol ldap
aaa-server Login_Servers (Internet) host 10.250.2.10
timeout 60
ldap-base-dn xxxxxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn xxxxxx
server-type auto-detect
aaa-server Login_Servers (Internet) host 10.250.2.11
timeout 60
ldap-base-dn DC=xxx,DC=xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn xxxxxxx
server-type auto-detect
aaa-server Login_Servers (Internet) host 172.16.3.20
timeout 60
ldap-base-dn DC=xxx,DC=xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn xxxxxx
server-type auto-detect
aaa-server Login_Servers (Internet) host 172.16.3.10
timeout 60
ldap-base-dn xxx
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn xxxxxx
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
keypair ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint0-1
crl configure
crypto ca trustpoint ASDM_TrustPoint0-2
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
keypair ASDM_TrustPoint3
no validation-usage
crl configure
crypto ca trustpoint DuoLDAPRoot
enrollment terminal
crl configure
crypto ca trustpoint DuoLDAPSubordinate
enrollment terminal
crl configure
crypto ca trustpoint DigiCertGlobalRootCA
enrollment terminal
crl configure
crypto ca trustpoint DigiCertHighAssuranceEVRootCA
enrollment terminal
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint4
keypair ASDM_TrustPoint4
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate ca
quit
certificate
quit
crypto ca certificate chain ASDM_TrustPoint0-1
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint0-2
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate
quit
certificate ca
quit
crypto ca certificate chain DuoLDAPRoot
certificate ca
quit
crypto ca certificate chain DuoLDAPSubordinate
certificate ca
quit
crypto ca certificate chain DigiCertGlobalRootCA
certificate ca
quit
crypto ca certificate chain DigiCertHighAssuranceEVRootCA
certificate ca
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint4 Internet
webvpn
enable Internet
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.04056-webdeploy-k9.pkg 2
anyconnect profiles ASIAzureVPN disk0:/asiazurevpn.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_ASIAzureVPN internal
group-policy GroupPolicy_ASIAzureVPN attributes
wins-server none
dns-server value 10.250.2.10 10.250.2.11
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_Tunnel
default-domain value xxx.xxx
webvpn
anyconnect modules value vpngina
anyconnect profiles value ASIAzureVPN type user
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username xxxx password ***** pbkdf2 privilege 15
username xxxx password ***** pbkdf2 privilege 15
tunnel-group ASIAzureVPN type remote-access
tunnel-group ASIAzureVPN general-attributes
address-pool VPN_Pool
authentication-server-group Login_Servers
secondary-authentication-server-group Duo_LDAP use-primary-username
default-group-policy GroupPolicy_ASIAzureVPN
tunnel-group ASIAzureVPN webvpn-attributes
group-alias ASIAzureVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect snmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
hpm topN enable
Cryptochecksum:ac3f4bc7389b79b694b0811d8c4d4a32
: end

@jf1134 where do these IP addresses reside?

10.250.0.0 255.255.0.0
172.16.0.0 255.255.128.0
172.16.128.0 255.255.128.0
10.10.0.0 255.255.0.0
10.75.0.0 255.255.0.0
10.100.0.0 255.255.0.0

In your configuration "interface Management0/0" is no shutdown and gets its IP address from DHCP; however, the rest of the interfaces are shutdown. I am curious how the above IP addresses are reached, i.e. which ASAv interface they are connected to.

This makes sense: on your ASAv only interface Management0/0 is no shutdown, so you can connect from AnyConnect to the ASAv, but there is no interface on the ASAv to direct the traffic to.

please do not forget to rate.

So this is an ASAv that's in Azure and built from the Azure Marketplace. When the ASAv is built, the interface that's used for internet traffic is the Management port. I don't know why. I opened a ticket with Cisco and they confirmed this is how it was done. This was also three years ago when I set this up, so maybe things have changed since then.

So all those are internal IPs that are used in the split tunnel. It's basically everything that needs to be accessed while connected to the VPN. The only thing this is used for is AnyConnect. It doesn't do anything else.

Try this:

no nat (any,any) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool no-proxy-arp
!
object network obj_inside
 subnet 10.75.1.0 255.255.255.0
!
object network obj_172
 subnet 172.16.0.0 255.255.128.0
!
object network obj_172_2
 subnet 172.16.128.0 255.255.128.0
!
object network obj_10_10
 subnet 10.10.0.0 255.255.0.0
!
object network obj2_10_75
 subnet 10.75.0.0 255.255.0.0
!
object-group network LOCAL_NETWORK
 network-object object obj_inside
 network-object object obj_172
 network-object object obj_172_2
 network-object object obj_10_10
 network-object object obj2_10_75
!
nat (any,Internet) source static LOCAL_NETWORK LOCAL_NETWORK destination static VPN-Pool VPN-Pool no-proxy-arp

please do not forget to rate.
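As an added example (not from the thread or from anyone in it), a small Python model of the ASA NAT lookup order over the rules quoted in this thread: for a VPN-client packet to each split-tunnel network it reports whether a section 1 identity rule catches the flow or whether it falls through to the section 2 object NAT that PATs the pool to the Internet interface. Object contents and rule order are transcribed from the posted config and the proposed fix; the interface pair of each rule and the `unidirectional` keyword are not modeled.

```python
import ipaddress as ipa

# Network objects transcribed from the posted config and the proposed fix.
NETS = {
    "VPN-Pool": ["10.10.1.0/24"],
    "obj_inside": ["10.75.1.0/24"],
    "LOCAL_NETWORK": ["10.75.1.0/24", "172.16.0.0/17", "172.16.128.0/17",
                      "10.10.0.0/16", "10.75.0.0/16"],
}
# Networks from access-list SPLIT_Tunnel (secured routes pushed to the client).
SPLIT = ["10.250.0.0/16", "172.16.0.0/17", "172.16.128.0/17",
         "10.10.0.0/16", "10.75.0.0/16", "10.100.0.0/16"]

# Manual (twice) NAT rules, section 1, in configured order: (source obj, dest obj).
ORIGINAL = [("obj_inside", "obj_inside"), ("VPN-Pool", "VPN-Pool")]
PROPOSED = [("obj_inside", "obj_inside"), ("LOCAL_NETWORK", "VPN-Pool")]


def _in(obj, ip):
    return any(ip in ipa.ip_network(n) for n in NETS[obj])


def twice_nat_match(rule, src, dst):
    """Static twice NAT is bidirectional by default, so test both directions."""
    s, d = rule
    return (_in(s, src) and _in(d, dst)) or (_in(d, src) and _in(s, dst))


def nat_lookup(manual_rules, src, dst):
    """Simplified ASA lookup: section 1 is first-match in configured order;
    if nothing matches, the object NAT 'VPN-Pool dynamic interface' (section 2)
    PATs any pool-sourced packet to the Internet interface address."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for rule in manual_rules:
        if twice_nat_match(rule, src, dst):
            return f"identity {rule[0]}->{rule[1]}"
    if _in("VPN-Pool", src):
        return "pat interface"
    return "no nat"


def split_tunnel_gaps(manual_rules, split_nets, client_ip):
    """Split-tunnel networks a client packet would still reach PATed, not with
    its pool address; probes the first usable host of each network."""
    return [n for n in split_nets
            if nat_lookup(manual_rules, client_ip, str(ipa.ip_network(n)[1]))
            == "pat interface"]
```

With the original rules every split-tunnel destination is PATed, because the second identity rule only matches pool-to-pool traffic; the proposed LOCAL_NETWORK rule closes that for the networks it lists, and the helper shows which split-tunnel networks it still leaves out.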

Thanks. I'll set this up. Unfortunately, I have no way of really testing to see if it solves the problem. I haven't ever had the problem myself, so I kind of have to wait and see.

Given that you said it affects only some users, I wouldn't think it could be anything wrong with the firewall configs; I would rather think it could be something related to an incompatibility between the operating system/patch level and that specific version of AnyConnect. I would recommend upgrading to the latest version of AnyConnect, and if the issue persists I would recommend raising a TAC case.

@Aref Alsouqi look into the config: the NAT rule is wrong.

nat (any,any) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool no-proxy-arp
please do not forget to rate.

I saw that, but I'm not sure if that would really be relevant as I think in Azure the NAT is applied somewhere else not on the firewall itself. And the fact that this happens only for some users leads me to think it is more related to AnyConnect client or an interoperability with the operating system. Also, I think @jf1134 created another post a few days back about the same issue where they mentioned upgrading to AnyConnect version 4.10 was a fix to those issues.