VPN Remote Access - Traffic dropped from inside toward VPN client

Hello everyone,

 

I need some help please on the following issue.

My company uses IPsec VPN for remote access with 2 x ASA 5525 (let's say ASA A, OS version 9.4(4)5, and ASA B, OS version 9.8(3)21).

We use different groups of users, each with different rights, using an AAA RADIUS ACL (with a RADIUS/LDAP infrastructure).

We use two CallManagers (not Cisco), active/active, for our ToIP needs, with a virtual IP (let's say 10.10.10.10) to reach these servers. That means the ToIP client sends, for example, a UDP SIP register request toward that virtual IP (10.10.10.10) and gets the reply from one of the physical IP addresses (let's say 10.10.10.1 or 10.10.10.2).

The CallManager servers are located internally (inside).

The issue is the following:

For users connected through VPN to ASA A, the traffic is authorized with no explicit permit ACE in the AAA RADIUS ACL.

On the other hand, for users connected to ASA B the traffic is dropped by the implicit deny of the AAA RADIUS ACL (revealed through the use of the packet-tracer command).

My question is: since the configuration is essentially the same on both ASAs, what could be wrong?

Note that I tried to authorize the traffic by adding an ACE, but I got no hint, and the traffic still drops.


3 Replies

Marvin Rhoads
Hall of Fame

Using packet-tracer for remote-access VPN tracing is tricky. You have to specify an unused address in the assigned VPN pool.

That aside, it's nearly impossible to say what your issue is without seeing the running-configs from the system.

Hi Marvin,

- I get the following logging message repeatedly in the logs, which confirms the packet-tracer test result:
Apr 17 2020 16:09:21 ASAFRW01 : %ASA-4-106103: access-list vpn-users denied udp for user '<unknown>' INTERNAL/10.200.215.121(5060) -> DMZ/10.258.20.181(51372) hit-cnt 1 first hit [0xeec2fb93, 0x0]
- 0xeec2fb93 matches the following ACE (explicit deny):
access-list vpn-users line 173 extended deny ip any 10.0.0.0 255.0.0.0 (hitcnt=366629) 0xeec2fb93

I checked the ASA log messages. Here's what I got:

Error Message %ASA-4-106103: access-list acl_ID denied protocol interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number first hit hash codes
Explanation This message indicates that a packet was denied by an access-list that is applied through a VPN filter. This message is the VPN/AAA filter equivalent of syslog message106023.
Recommended Action None required.
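The correlation done by hand in the reply above (taking the first hash code printed in brackets at the end of a %ASA-4-106103 message and looking it up against the hash that `show access-list` prints after each ACE) can be scripted, which is useful when a VPN filter has hundreds of lines and the deny is coming from the middle of it. This is an added example, not code from the thread or from Cisco; the sample syslog and `show access-list` lines are constructed, modelled on the lines quoted in the thread, with made-up addresses, a made-up permit line and a second made-up hash (0x1a2b3c4d) that intentionally has no matching ACE.

```python
import re

# Constructed sample input (not real device output), modelled on the
# %ASA-4-106103 line and the `show access-list` line quoted in the thread.
SAMPLE_SYSLOG = """\
Apr 17 2020 16:09:21 ASAFRW01 : %ASA-4-106103: access-list vpn-users denied udp for user '<unknown>' INTERNAL/10.200.215.121(5060) -> DMZ/10.20.20.181(51372) hit-cnt 1 first hit [0xeec2fb93, 0x0]
Apr 17 2020 16:09:25 ASAFRW01 : %ASA-4-106103: access-list vpn-users denied tcp for user 'jdoe' INTERNAL/10.200.215.50(443) -> DMZ/10.20.20.181(50210) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
"""

SAMPLE_SHOW_ACL = """\
access-list vpn-users; 180 elements; name hash: 0x2b5d1e3a
access-list vpn-users line 12 extended permit udp any host 10.10.10.10 eq sip (hitcnt=4182) 0x5c01e7a9
access-list vpn-users line 173 extended deny ip any 10.0.0.0 255.0.0.0 (hitcnt=366629) 0xeec2fb93
"""

# %ASA-4-106103 layout, as documented in the thread:
# access-list ACL denied PROTO for user 'U' IF/SRC(SPORT) -> IF/DST(DPORT) hit-cnt N ... [hash1, hash2]
SYSLOG_RE = re.compile(
    r"%ASA-4-106103: access-list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"for user '(?P<user>[^']*)' "
    r"(?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) .*?\[(?P<hash>0x[0-9a-f]+), 0x[0-9a-f]+\]"
)

# One ACE as printed by `show access-list`; the trailing 0x value is the
# per-ACE hash that the 106103 message carries as its first hash code.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<ace>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\).*?(?P<hash>0x[0-9a-f]{8})$"
)


def parse_syslog(text):
    """Return one dict per 106103 deny record found in the syslog text."""
    return [m.groupdict() for m in (SYSLOG_RE.search(l) for l in text.splitlines()) if m]


def parse_aces(text):
    """Map ACE hash -> {acl, line, ace, hits} from `show access-list` output."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces[m.group("hash")] = {
                "acl": m.group("acl"),
                "line": int(m.group("line")),
                "ace": m.group("ace"),
                "hits": int(m.group("hits")),
            }
    return aces


def correlate(denies, aces):
    """Join each deny record to the ACE whose hash it carries.

    ace_line is None when the hash is not in the listing, which usually means
    the listing was taken from a different ACL version or a different ASA.
    """
    report = []
    for d in denies:
        ace = aces.get(d["hash"])
        report.append({
            "flow": f'{d["proto"]} {d["src_if"]}/{d["src"]}:{d["sport"]} -> '
                    f'{d["dst_if"]}/{d["dst"]}:{d["dport"]}',
            "user": d["user"],
            "acl": d["acl"],
            "hash": d["hash"],
            "ace_line": ace["line"] if ace else None,
            "ace": ace["ace"] if ace else None,
        })
    return report


if __name__ == "__main__":
    for r in correlate(parse_syslog(SAMPLE_SYSLOG), parse_aces(SAMPLE_SHOW_ACL)):
        where = f'line {r["ace_line"]}: {r["ace"]}' if r["ace_line"] else "no matching ACE in listing"
        print(f'{r["acl"]} {r["hash"]} denied {r["flow"]} (user {r["user"]}) -> {where}')
```

Run it against a saved syslog file and the output of `show access-list <name>` captured from the same ASA at roughly the same time; the hash changes whenever the ACE text changes, so a listing taken after an edit will not match older log lines. When the VPN filter is pushed by RADIUS per user, the name in the 106103 message tells you which downloaded or locally defined ACL to list.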

Issue resolved. It was an issue on the server side : a bad configuration of a linux network configuration file.