Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1531
Views
0
Helpful
5
Replies

VPN dropping traffic

Go to solution
ludo.vandenbosch
Level 1
Level 1

‎02-12-2015 07:14 AM

We are configuring a asa 5505 with anyconnect. But traffic from are vpn-pool to the local network is being droppped. but traffic from the inside network to the vpn client isn't being dropped. Any Help

 

Labels:
Preview file
15 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
AllertGen
Level 3
Level 3
In response to ludo.vandenbosch

‎02-13-2015 04:34 AM

Hi ludo.vandenbosch@vagga.be.

Can you also delete line "access-group anyconnect in interface outside" bur leave a vpn-filter at the configuration?

Also you can add a line deny any any at the end of each ACL to see which is blocking traffic.

Best Regards.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
AllertGen
Level 3
Level 3

‎02-13-2015 12:40 AM

Hello, ludo.vandenbosch@vagga.be.

I think it can be because you don't have a "vpn-filter" inside "group-policy GroupPolicy_VAGGA-VPN attributes". And because you securety-level for outside interface is 0 all traffic from VPN is dropped.

Try this:

group-policy GroupPolicy_VAGGA-VPN attributes
 vpn-filter value anyconnect
exit

Also at your attachment is a lot of private information. It's better to hide it.

0 Helpful

Go to solution
ludo.vandenbosch
Level 1
Level 1
In response to AllertGen

‎02-13-2015 03:52 AM

I Tried this one but get no result. When I do a packet trace from the vpn client ip to a internal client I get the following. I forgot Nat in my config from the anyconnect pool 2 the local network. After this it worked. But when i copied the config to a production machine it failed again. Now I'm clueless 

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Go to solution
AllertGen
Level 3
Level 3
In response to ludo.vandenbosch

‎02-13-2015 04:34 AM

Hi ludo.vandenbosch@vagga.be.

Can you also delete line "access-group anyconnect in interface outside" bur leave a vpn-filter at the configuration?

Also you can add a line deny any any at the end of each ACL to see which is blocking traffic.

Best Regards.

0 Helpful

Go to solution
burleyman
Level 8
Level 8
In response to AllertGen

‎02-13-2015 04:44 AM

Now that you added the NAT rule in production can you post the config?

0 Helpful

Go to solution
ludo.vandenbosch
Level 1
Level 1
In response to burleyman

‎02-16-2015 06:34 AM

We can ping from outside to inside but nothing else file sharing etc. From inside 2 outside filsharing is possible (acl ?)

Preview file
5 KB
0 Helpful
Customers Also Viewed These Support Documents