unable to https wlc while on anyconnect vpn

network1215

When I am on the corporate Wi-Fi I am able to access the web GUI of the WLC, but when I am connected from home via VPN I am unable to access the WLC GUI. However, I am able to ping from the PC (connected to the VPN) to the WLC management IP. All the gateways are on the ASA, for both the VPN subnet and WLC management.

Packet-tracer input ____ (should the input be the VPN subnet or outside?). When I put the input as the VPN subnet:

input-interface: VPN
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: allow

But when I put the input as the outside interface, it shows acl-drop:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Not sure how to verify where the problem is. Is it NAT, or an ACL, or something else?

19 Replies

Hi,

   Use "show vpn-sessiondb" to look at the counters once the VPN is up.

Regards,

Cristian Matei.

The output below is from when I tried to establish an HTTPS session; the counters before and after are the same.

show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1 : 17 : 2 : 0
SSL/TLS/DTLS : 1 : 17 : 2 : 0
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 17
Device Total VPN Capacity : 750
Device Load : 0%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
AnyConnect-Parent : 1 : 17 : 2
SSL-Tunnel : 1 : 21 : 2
DTLS-Tunnel : 0 : 13 : 1
---------------------------------------------------------------------------
Totals : 2 : 51
---------------------------------------------------------------------------

Ok let's recap to make sure I followed all posts.
The ASA is the default gateway of your WLC management. You can ping it but have no TCP access (neither SSH nor HTTPS).
You can ssh to your internal switch from anyconnect vpn.

Is the IP of your switch in the same vlan as your WLC management?
Can you share your ASA config and tell us the IP of your WLC?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, the ASA is the gateway for the WLC management subnet.

Hi,

    Establish the VPN session, configure a packet-capture on the ASA interface facing the WLC while matching on the traffic between the WLC and your AnyConnect assigned IP address, afterwards initiate a real HTTPS session to the WLC (not telnet), leave it to timeout, stop the capture, post the capture here.


Regards,

Cristian Matei.
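As an added worked example (not posted by anyone in this thread), here is the ASA CLI sequence that carries out the two diagnostics discussed above: the packet-tracer run from the original post and the capture on the interface facing the WLC that Cristian asks for. The addresses are assumptions, not values from the thread: 10.10.10.5 stands for the AnyConnect-assigned client address and 192.168.50.10 for the WLC management IP. The interface names outside and MGT_NET are taken from the packet-tracer output above. The decrypted keyword on packet-tracer is assumed to be available on the ASA release in use; on releases without it, the capture on MGT_NET is the reliable check.

```cisco
! Added example, not from the thread. Assumed values: AnyConnect client
! 10.10.10.5, WLC management 192.168.50.10. Interface names outside and
! MGT_NET come from the packet-tracer output in the thread.

! 1. Capture on the interface facing the WLC, both directions, HTTPS only.
!    Decrypted VPN traffic leaves toward the WLC on this interface, so the
!    capture shows whether the client's SYN reaches the WLC and whether the
!    WLC answers (SYN/ACK) or stays silent.
access-list CAP_WLC_ACL extended permit tcp host 10.10.10.5 host 192.168.50.10 eq 443
access-list CAP_WLC_ACL extended permit tcp host 192.168.50.10 eq 443 host 10.10.10.5
capture CAP_WLC interface MGT_NET access-list CAP_WLC_ACL

! 2. Catch anything the ASA itself discards while the HTTPS attempt runs.
capture CAP_DROP type asp-drop all

! ... now open https://192.168.50.10 from the VPN client and let it time out ...

show capture CAP_WLC
show capture CAP_DROP | include 10.10.10.5
show asp drop

! 3. Simulate the flow the way it really arrives. AnyConnect traffic enters
!    the ASA on the outside interface, so that is the input interface, not
!    the VPN pool subnet. Without the decrypted keyword the packet is judged
!    as cleartext against the outside interface ACL, which is one way a
!    plain "input outside" test can report acl-drop while real VPN traffic
!    is treated differently.
packet-tracer input outside tcp 10.10.10.5 40000 192.168.50.10 443 decrypted

! 4. Policy that actually applies to decrypted AnyConnect traffic: whether
!    the interface ACL is bypassed for VPN, and whether a vpn-filter ACL is
!    attached to the group policy.
show running-config all sysopt | include permit-vpn
show running-config group-policy | include vpn-filter

! 5. Clean up.
no capture CAP_WLC
no capture CAP_DROP
clear configure access-list CAP_WLC_ACL
```

Reading the result: if CAP_WLC shows the SYN toward the WLC but no SYN/ACK back, the ASA is forwarding correctly and the problem is on the WLC side (its management ACL or the return route). If the SYN never appears on MGT_NET, look at CAP_DROP and the vpn-filter output for the rule dropping it.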