03-04-2020 07:25 PM
When I am on corporate wifi I am able to access the web GUI for the WLC, but when I am connected from home via VPN I am unable to access the WLC GUI. However, I am able to ping from the PC (connected to VPN) to the WLC management IP. All the GWs are on the ASA for the VPN subnet and WLC management.
Packet-tracer input ____ (should it be the VPN subnet or outside in the input?) When I put the input as the VPN subnet:
input-interface: VPN
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: allow
but when I put the input as the outside interface it shows acl-drop.
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: MGT_NET
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Not sure how to verify where the problem is. Is it NAT or ACL or something else?
03-05-2020 10:48 AM
Hi,
Use "show vpn-sessiondb" to look at the counters, once the VPN is up.
Regards,
Cristian Matei.
03-05-2020 11:02 AM
Below is the output from when I tried to establish an HTTPS session; the before and after increments are the same.
show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1 : 17 : 2 : 0
SSL/TLS/DTLS : 1 : 17 : 2 : 0
---------------------------------------------------------------------------
Total Active and Inactive : 1 Total Cumulative : 17
Device Total VPN Capacity : 750
Device Load : 0%
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
AnyConnect-Parent : 1 : 17 : 2
SSL-Tunnel : 1 : 21 : 2
DTLS-Tunnel : 0 : 13 : 1
---------------------------------------------------------------------------
Totals : 2 : 51
---------------------------------------------------------------------------
03-05-2020 11:57 AM
03-05-2020 07:32 AM
Yes, the ASA is the gateway for the WLC management subnet.
03-13-2020 04:28 AM
Hi,
Establish the VPN session, configure a packet capture on the ASA interface facing the WLC while matching on the traffic between the WLC and your AnyConnect-assigned IP address, afterwards initiate a real HTTPS session to the WLC (not telnet), leave it to time out, stop the capture, and post the capture here.
Regards,
Cristian Matei.
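Putting the packet-tracer question from the first post and the capture procedure from the reply above together, the following is the ASA CLI sequence that tests both. It is an added example, not commands posted by anyone in this thread. The interface names outside and MGT_NET come from the thread; the AnyConnect pool address 10.10.10.5, the WLC management address 192.168.50.10, the capture names and the TFTP target are assumptions, so substitute the real values.

```cisco
! 1. Simulate the decrypted AnyConnect flow.
!    With the default "sysopt connection permit-vpn", traffic that the ASA
!    decrypts from a VPN tunnel bypasses the outside interface ACL. A plain
!    packet-tracer from "outside" with the pool address as source is still
!    evaluated against that ACL, so it can report an acl-drop that the real
!    decrypted flow never sees. On releases that accept it, the "decrypted"
!    keyword makes packet-tracer treat the packet as VPN-decrypted; if the
!    keyword is rejected, omit it and read the outside-ACL verdict with that
!    caveat in mind.
!    Assumed addresses: 10.10.10.5 = AnyConnect pool IP, 192.168.50.10 = WLC.
packet-tracer input outside tcp 10.10.10.5 40000 192.168.50.10 443 decrypted detailed

! 2. Confirm what the session is actually allowed to reach: assigned IP,
!    group policy and any VPN filter, plus the sysopt default and NAT rules
!    ("show run all" is needed because the sysopt default is hidden otherwise).
show vpn-sessiondb detail anyconnect
show run all sysopt
show run nat

! 3. Capture on the WLC-facing interface and the ASA's own drop queue while
!    a real HTTPS attempt runs from the AnyConnect client.
capture WLC_IN interface MGT_NET match tcp host 10.10.10.5 host 192.168.50.10 eq 443
capture ASPDROP type asp-drop all

! (Now open https://192.168.50.10 from the VPN-connected PC and let it time out.)

show capture WLC_IN
show capture ASPDROP | include 10.10.10.5

! 4. Export the capture for Wireshark, then remove the captures.
copy /pcap capture:WLC_IN tftp://<tftp-server>/WLC_IN.pcap
no capture WLC_IN
no capture ASPDROP
```

Reading the result: if the SYN to port 443 appears on MGT_NET but no SYN-ACK comes back, the ASA forwarded the request and the problem is on the WLC side or its return path; if the SYN never appears on MGT_NET, the ASA dropped or misrouted it and the asp-drop capture will name the reason. Since ping already works, a capture that shows SYNs going out unanswered points at the WLC's own management-access restrictions rather than at ASA ACL or NAT.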