Showing results for 
Search instead for 
Did you mean: 

vpn-filter permit any any blocks all AnyConnect traffic

I am using AnyConnect with Radius on a asa5510.  Radius defines which group-policy should apply to each AnyConnect client.

I'd like to use a different vpn-filter for each group-policy group.  With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via nat).  However, defining any vpn-filter asa group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group.  Even something as simple as:

access-list FILTER1 extended permit ip any any

group-policy GROUP1 attributes

vpn-filter value FILTER1 

...seems to drop all traffic.  Deleting the single vpn-filter line restores connectivity. 

I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies. 


Jennifer Halim
Cisco Employee

Did you reconnect the AnyConnect vpn after the changes? or you stay connected to the AnyConnect after the changes?

Thanks, Jennifer:  yes, I am bringing-up a new AnyConnect session after making the changes, to test.  Is there a way to do a "packet trace" which shows packet flow through a vpn-filter?

what version of ASA and ANyConnect are you running?

Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz

This platform has an ASA 5510 Security Plus license.

System image file is "disk0:/asa825-k8.bin"

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

My AnyConnect client is version 2.5.0217

Content for Community-Ad