VPN Anyconnect on FTD via FDM

jebanks
Level 1

Hi Team:

I am currently deploying some FTD 1120s in redundancy mode but am having some issues with AnyConnect. Currently I am able to browse the net, but I cannot access the internal nodes that I want to reach via the tunnel. I can see that my AnyConnect profile has the private network on the secure path, but I am not reaching them. Any thoughts on why this is happening? What am I configuring wrong? Also, on the FTD, shouldn't configuring RA VPN via FDM create a NAT rule in Policies > NAT? I ask because I am not seeing it.

23 Replies

One last thing. Would any configs need to be done on the FTD for the browsing experience to be a little faster? I feel like the internet browsing is slow.

Check ipconfig on your PC.

What DNS server does the PC use when AnyConnect is active, and when it is inactive?

I did that and it's using the internal DNS that I defined for when they connect with AnyConnect. What's best practice here, our internal DNS or defining external ones?

Do a lookup and see the time taken until the internal DNS resolves the name to an IP.
ping google.com
ping 8.8.8.8
See the difference in time.

@MHM Cisco World I have done the nslookup and the time to resolve is quick, but the pings do seem off. Below is the output of the pings:

C:\Users\root>ping google.com

Pinging google.com [142.250.69.206] with 32 bytes of data:
Reply from 142.250.69.206: bytes=32 time=395ms TTL=107
Reply from 142.250.69.206: bytes=32 time=601ms TTL=107
Reply from 142.250.69.206: bytes=32 time=421ms TTL=107
Reply from 142.250.69.206: bytes=32 time=863ms TTL=107

Ping statistics for 142.250.69.206:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 395ms, Maximum = 863ms, Average = 570ms

C:\Users\root>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=303ms TTL=110
Reply from 8.8.8.8: bytes=32 time=724ms TTL=110
Reply from 8.8.8.8: bytes=32 time=591ms TTL=110
Reply from 8.8.8.8: bytes=32 time=175ms TTL=110

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 175ms, Maximum = 724ms, Average = 448ms

C:\Users\root>

TTL 110

A huge number of hops are passed before the host reaches 8.8.8.8.

Can you traceroute 8.8.8.8?

See if the path goes through the FTD and then via another SP.
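Added example (not part of the thread or of any Cisco tooling): a small Python script that parses the Windows ping output posted above, reports the RTT spread, and estimates the hop count from the reply TTL, which is what the remark about TTL 110 is getting at. The two ping runs are embedded inline as constructed sample input; the hop estimate assumes the far end started at one of the usual initial TTLs (64, 128 or 255), which is a heuristic, and the 150 ms "slow" threshold is an arbitrary choice for illustration.

```python
import re
from statistics import mean

# Constructed sample input: the two Windows ping runs posted in the thread.
PING_GOOGLE = """\
Pinging google.com [142.250.69.206] with 32 bytes of data:
Reply from 142.250.69.206: bytes=32 time=395ms TTL=107
Reply from 142.250.69.206: bytes=32 time=601ms TTL=107
Reply from 142.250.69.206: bytes=32 time=421ms TTL=107
Reply from 142.250.69.206: bytes=32 time=863ms TTL=107
"""
PING_DNS = """\
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=303ms TTL=110
Reply from 8.8.8.8: bytes=32 time=724ms TTL=110
Reply from 8.8.8.8: bytes=32 time=591ms TTL=110
Reply from 8.8.8.8: bytes=32 time=175ms TTL=110
"""

# One Windows reply line. Sub-millisecond replies are printed as "time<1ms".
REPLY_RE = re.compile(r"Reply from (\S+): bytes=\d+ time[=<](\d+)ms TTL=(\d+)")


def parse_ping(output):
    """Return (target, [rtt_ms, ...], [ttl, ...]) from Windows ping output."""
    target, rtts, ttls = None, [], []
    for m in REPLY_RE.finditer(output):
        target = m.group(1)
        rtts.append(int(m.group(2)))
        ttls.append(int(m.group(3)))
    return target, rtts, ttls


def estimate_hops(ttl):
    """Hops the reply travelled, assuming the sender's initial TTL was the
    smallest of 64/128/255 that is >= the observed TTL (heuristic assumption)."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def summarize(output, slow_ms=150):
    """Summarise one ping run: min/max/avg RTT, spread, hop estimate, slow flag."""
    target, rtts, ttls = parse_ping(output)
    if not rtts:
        raise ValueError("no reply lines found in ping output")
    return {
        "target": target,
        "min": min(rtts),
        "max": max(rtts),
        "avg": sum(rtts) // len(rtts),      # integer average, as Windows prints it
        "spread": max(rtts) - min(rtts),    # crude jitter indicator
        "est_hops": estimate_hops(ttls[-1]),
        "slow": mean(rtts) > slow_ms,       # arbitrary threshold for illustration
    }


if __name__ == "__main__":
    for run in (PING_GOOGLE, PING_DNS):
        s = summarize(run)
        print(f"{s['target']}: avg {s['avg']} ms (min {s['min']}, max {s['max']}, "
              f"spread {s['spread']} ms), ~{s['est_hops']} hops, slow={s['slow']}")
```

Running it on the posted output gives roughly 21 hops to google.com and 18 to 8.8.8.8, with both averages well above the threshold and a spread of several hundred milliseconds; that points at the path the tunnel takes rather than at name resolution, which is why the next suggestion in the thread is a traceroute.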

@jebanks you should check that your rules in the Access Control Policy are correct and ensure you have the correct source/destination zones; traffic from an AnyConnect user will be "outside".

You can also run packet-tracer to simulate the traffic flow; this will indicate where the issue lies.

Also, with live traffic, from the CLI of the FTD run system support firewall-engine-debug, filter on the IP address of the AnyConnect user, and you can see the traffic and determine which rule the traffic matches.

I did it. I can see the ACL being applied, so from the server to the client IP it works, but from the client to the server it is not working. So I think it's starting to look like routing or the Windows firewall. Checking it out. But the command is helpful.