I am using AnyConnect with RADIUS on an ASA 5510. RADIUS defines which group-policy should apply to each AnyConnect client.
I'd like to use a different vpn-filter for each group-policy group. With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via NAT). However, defining any vpn-filter ASA group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group. Even something as simple as:
    access-list FILTER1 extended permit ip any any
    group-policy GROUP1 attributes
     vpn-filter value FILTER1
...seems to drop all traffic. Deleting the single vpn-filter line restores connectivity.
I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies.
Thanks, Jennifer: yes, I am bringing up a new AnyConnect session after making the changes, to test. Is there a way to do a "packet trace" which shows packet flow through a vpn-filter?
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
This platform has an ASA 5510 Security Plus license.
System image file is "disk0:/asa825-k8.bin"
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
My AnyConnect client is version 2.5.0217