
Unable to HTTPS to WLC while on AnyConnect VPN

network1215
Level 1

When I am on the corporate Wi-Fi I am able to access the web GUI of the WLC, but when I am connected from home via VPN I am unable to access the WLC GUI. However, I am able to ping from my PC (connected to the VPN) to the WLC management IP. All the gateways for the VPN subnet and the WLC management subnet are on the ASA.

 

For packet-tracer, what should the input interface be (the VPN subnet or outside)? When I put the input as the VPN subnet:

 

input-interface: VPN
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: allow

 

But when I put the input as the outside interface it shows acl-drop:

 

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Not sure how to verify where the problem is. Is it NAT, an ACL, or something else?

19 Replies

Francesco Molino
VIP Alumni
Hi

Can you post the full output of packet-tracer using your VPN IP as source with port 12345 and the WLC mgmt IP as destination with port 443, adding the detail keyword at the end of the command?
Also, from your VPN, can you telnet on port 443 to your mgmt IP to test whether the port is accessible from the VPN?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

C:\Users>telnet 10.10.10.5 443
Connecting To 10.10.10.5...Could not open connection to the host, on port 443: Connect failed

 

ASA_Prod# packet-tracer input UserVPN tcp 10.10.8.127 443 10.10.10.5 443 detailed

10.10.8.127 (VPN IP via DHCP)
10.10.10.5 (WLC MGMT)

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.5 using egress ifc MGT_NET

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fabc1784270, priority=2, domain=permit, deny=false
hits=2, user_data=0x0, cs_id=0x0, flags=0x3000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VPN, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fabbfad8f40, priority=0, domain=nat-per-session, deny=false
hits=75694, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fabc0804290, priority=0, domain=inspect-ip-options, deny=true
hits=9, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VPN, output_ifc=any

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map global-class
description To SFR
match any
policy-map global_policy
class global-class
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fabc149cb10, priority=71, domain=sfr, deny=false
hits=3, user_data=0x7fabc145b6a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=VPN, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fabbfad8f40, priority=0, domain=nat-per-session, deny=false
hits=75696, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fabc079f9a0, priority=0, domain=inspect-ip-options, deny=true
hits=22096, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=MGT_NET, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 108051, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: VPN
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: allow
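The trace above is long, and the line that matters is whichever phase first returns something other than ALLOW. The following is an added example, not part of the original thread and not Cisco tooling: a small Python parser that splits `packet-tracer ... detailed` output into phases and reports the overall action, the drop reason, and the first non-ALLOW phase with its matching rule. ALLOW_TRACE is a trimmed copy of the trace posted above; DENY_TRACE is constructed to reproduce the acl-drop summary from the first post and is not a capture from the ASA.

```python
"""Summarise Cisco ASA 'packet-tracer ... detailed' output.

Added example for this thread (not Cisco code). ALLOW_TRACE is a trimmed copy
of the trace posted above; DENY_TRACE is constructed to match the acl-drop
summary in the first post and is an assumption, not ASA output.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
TRAILER_RE = re.compile(r"^Result:\s*$", re.M)   # bare trailer, not "Result: ALLOW"


def parse_phases(text: str) -> list:
    """Split the trace into Phase records; stop at the summary trailer."""
    phases, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":            # summary block: phases are finished
            break
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if current is None or not line:
            continue
        if line.startswith("Type:"):
            current.type = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def summarize(text: str) -> dict:
    """Overall action, drop reason (if any) and the first phase that did not ALLOW."""
    phases = parse_phases(text)
    m = TRAILER_RE.search(text)
    tail = text[m.end():] if m else ""
    action = re.search(r"^Action:\s*(\w+)", tail, re.M)
    reason = re.search(r"^Drop-reason:\s*(.+)$", tail, re.M)
    first_bad = next((p for p in phases if p.result.upper() != "ALLOW"), None)
    return {
        "action": action.group(1).lower() if action else None,
        "drop_reason": reason.group(1).strip() if reason else None,
        "phases": [p.type for p in phases],
        "drop_phase": None if first_bad is None else
                      {"number": first_bad.number, "type": first_bad.type,
                       "config": first_bad.config},
    }


# Trimmed copy of the trace posted in the thread (phases 4-7 omitted).
ALLOW_TRACE = """\
ASA_Prod# packet-tracer input UserVPN tcp 10.10.8.127 443 10.10.10.5 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.5 using egress ifc MGT_NET

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fabc1784270, priority=2, domain=permit, deny=false

Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 108051, packet dispatched to next module

Result:
input-interface: VPN
output-interface: MGT_NET
Action: allow
"""

# Constructed (assumed) deny trace reproducing the acl-drop summary from the first post.
DENY_TRACE = """\
ASA_Prod# packet-tracer input outside tcp 10.10.8.127 12345 10.10.10.5 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.5 using egress ifc MGT_NET

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
output-interface: MGT_NET
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, trace in (("allow", ALLOW_TRACE), ("deny", DENY_TRACE)):
        print(name, summarize(trace))
```

When `summarize` reports `drop_phase`, the `config` list tells you which rule was hit (here the implicit deny); when it reports `allow` but the real connection still times out, as in this thread, the problem is outside what packet-tracer models: the return path, the device's own gateway, or the service listening on the destination.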

OK, can you try SSH into your WLC?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I tried, it didn't work. Connection timed out.

johnd2310
Level 8

Hi,

Can you access any other resources on the management network? Is it only failing to the WLC? Do you have a VPN filter list? In your packet-tracer you have an interface called VPN. What is this interface? Does your VPN terminate on this interface or on the outside interface?

 

Thanks

John

**Please rate posts you find helpful**

Can you access any other resources on the management network?

Yes, I can SSH to the FW and switch IP addresses, but HTTPS to the WLC management IP doesn't work, even though ping is successful from my laptop.

 

Is it only failing to the WLC?

Yes, for now.

 

Do you have a VPN filter list?

No.

In your packet-tracer you have an interface called VPN. What is this interface?

This is the subinterface for the VPN subnet.

 

Does your VPN terminate on this interface or on the outside interface?

How can I verify?

Cristian Matei
VIP Alumni

Hi,

 

Are you sure that the default gateway on the WLC is your ASA? Can you verify that? If yes, use "clear asp drop", initiate the management session to the WLC and look at "show asp drop".

 

Regards,

Cristian Matei.

I just did: clear asp drop, then initiated the session, then show asp drop.

 

Frame drop:
No route to host (no-route) 4
Flow is denied by configured rule (acl-drop) 274
First TCP packet not SYN (tcp-not-syn) 3
Early security checks failed (security-failed) 43
Slowpath security checks failed (sp-security-failed) 6
Expired flow (flow-expired) 16
Received SFR packet while in monitor-only mode (sfr-rx-monitor-only) 12707
FP L2 rule drop (l2_acl) 128

Last clearing: 07:55:20 UTC Mar 5 2020 by enable_15

Flow drop:
Inspection failure (inspect-fail) 4

Last clearing: 07:55:20 UTC Mar 5 2020
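Reading `show asp drop` by eye works when the counters were just cleared, but on a busy box you often cannot clear them, and background noise (here the SFR module in monitor-only mode) dwarfs the interesting counter. The following is an added example, not from the thread or from Cisco: a Python parser for the `show asp drop` format that diffs two snapshots and ranks the counters that grew. AFTER is the output posted above; BEFORE is a constructed earlier snapshot, and the IGNORE set (just `sfr-rx-monitor-only`, because this thread's service policy runs SFR in monitor-only mode) is an assumption you should tune to your own box.

```python
"""Parse Cisco ASA 'show asp drop' output and rank the counters that grew.

Added example for this thread (not Cisco code). AFTER is the output posted
above; BEFORE is a constructed earlier snapshot so the diff can be shown for
a box where you cannot 'clear asp drop'. IGNORE is an assumption: codes that
are expected background noise here (SFR in monitor-only mode climbs constantly).
"""
import re

LINE_RE = re.compile(r"^(.+?)\s+\((\S+)\)\s+(\d+)$")   # "<description> (<code>) <count>"
IGNORE = frozenset({"sfr-rx-monitor-only"})


def parse_asp_drop(text: str) -> dict:
    """Return {section: {code: (description, count)}} for 'Frame drop' / 'Flow drop'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("drop:"):               # section header, e.g. "Frame drop:"
            current = line[:-1]
            sections[current] = {}
            continue
        if current is None or not line or line.startswith("Last clearing"):
            continue
        m = LINE_RE.match(line)
        if m:
            sections[current][m.group(2)] = (m.group(1), int(m.group(3)))
    return sections


def growth(before: dict, after: dict, ignore=IGNORE) -> list:
    """Counters that increased between two snapshots, largest increase first.
    Pass before={} for the clear-then-show procedure used in the thread."""
    out = []
    for section, codes in after.items():
        for code, (desc, count) in codes.items():
            if code in ignore:
                continue
            prev = before.get(section, {}).get(code, (desc, 0))[1]
            if count > prev:
                out.append({"section": section, "code": code,
                            "reason": desc, "delta": count - prev})
    return sorted(out, key=lambda d: d["delta"], reverse=True)


# Constructed earlier snapshot (assumed values).
BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop) 10
  Expired flow (flow-expired) 16
  Received SFR packet while in monitor-only mode (sfr-rx-monitor-only) 12000
  FP L2 rule drop (l2_acl) 128

Last clearing: 07:50:00 UTC Mar 5 2020 by enable_15

Flow drop:
  Inspection failure (inspect-fail) 4

Last clearing: 07:50:00 UTC Mar 5 2020
"""

# The output posted in the thread.
AFTER = """\
Frame drop:
  No route to host (no-route) 4
  Flow is denied by configured rule (acl-drop) 274
  First TCP packet not SYN (tcp-not-syn) 3
  Early security checks failed (security-failed) 43
  Slowpath security checks failed (sp-security-failed) 6
  Expired flow (flow-expired) 16
  Received SFR packet while in monitor-only mode (sfr-rx-monitor-only) 12707
  FP L2 rule drop (l2_acl) 128

Last clearing: 07:55:20 UTC Mar 5 2020 by enable_15

Flow drop:
  Inspection failure (inspect-fail) 4

Last clearing: 07:55:20 UTC Mar 5 2020
"""

if __name__ == "__main__":
    for row in growth(parse_asp_drop(BEFORE), parse_asp_drop(AFTER)):
        print(f"{row['delta']:6d}  {row['code']:22s} {row['reason']}")
```

Once the ranking points at a single code, the ASA can show you the packets behind it rather than a number: `capture drops type asp-drop acl-drop`, reproduce the HTTPS attempt, then `show capture drops` to see whether the dropped packets are the HTTPS SYNs or something unrelated.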

Hi,

 

Can you ping the WLC from the ASA? When you try to reach the WLC through the tunnel, do you see counters increasing in AnyConnect? What secure routes do you see in AnyConnect? Remove MPF and try again.

 

Regards,

Cristian Matei.

 Can you ping the WLC from ASA?

 

- I can ping the WLC management IP while connected to the AnyConnect client. No problem.

- I can ping from the WLC to my assigned VPN client IP address. No problem.

The WLC admin IP is pingable to and from.

 

When you try to reach the WLC through the tunnel, do you see counters increasing in AnyConnect?

Any specific commands that I should run?

 

What secure routes do you see in AnyConnect? Remove MPF and try again.

I have a split-tunnel ACL configured, which I removed, then disconnected and reconnected AnyConnect to try without the ACL, but it is still the same.

 
Hi,

 

While connected to the tunnel (change your split ACL to send only traffic to the WLC through it), generate continuous ICMP traffic towards the WLC, and look on the ASA with "show crypto ipsec sa" to see if the counters are increasing (decrypted packets); clear the counters and do the same while trying to access the WLC via HTTPS. Also take a look at "show fragment" while doing the previously stated steps.

Otherwise I would try upgrading the ASA image.

 

Regards,

Cristian Matei.

show crypto ipsec sa

There are no ipsec sas

 

There are no tunnels.

Hi,

 

Is the VPN terminated on the ASA? Is it SSL or IPsec?

 

Regards,

Cristian Matei.

Yes, the VPN terminates on the ASA; it's SSL VPN with the AnyConnect client.