
vpn-filter permit any any blocks all AnyConnect traffic

I am using AnyConnect with RADIUS on an ASA5510. RADIUS defines which group-policy should apply to each AnyConnect client.

I'd like to use a different vpn-filter for each group-policy group.  With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via nat).  However, defining any vpn-filter asa group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group.  Even something as simple as:

access-list FILTER1 extended permit ip any any

group-policy GROUP1 attributes
 vpn-filter value FILTER1

...seems to drop all traffic.  Deleting the single vpn-filter line restores connectivity. 

I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies. 

-Bradley

4 Replies

Jennifer Halim
Cisco Employee

Did you reconnect the AnyConnect VPN after the changes, or did you stay connected to AnyConnect after the changes?

Thanks, Jennifer: yes, I am bringing up a new AnyConnect session after making the changes, to test. Is there a way to do a "packet trace" which shows packet flow through a vpn-filter?

What version of ASA and AnyConnect are you running?

Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

This platform has an ASA 5510 Security Plus license.

System image file is "disk0:/asa825-k8.bin"

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

My AnyConnect client is version 2.5.0217