cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
952
Views
0
Helpful
3
Replies

VPN Remote Access - Traffic droped from inside toward VPN client

Hello everyone,

 

Need some help please on the following issue.

 

My company is using IPSEC VPN for remote access and 2 x ASA5525 (let say ASA A -  OS version 9.4(4)5 and ASA B OS version 9.8(3)21). 

We are using different group of users with different rights each using aaa radius ACL (with a Radius/LDAP infrastructure).

 

We are using two CallManager (not Cisco) , active/active for our ToIP need, with a virtual IP (let say 10.10.10.10) to get to these servers. That means, the ToIP client send a , for e.g. a udp SIP registry request toward that virtual IP (10.10.10.10) and gets the reply from one of the physical IP addresses ( let say 10.10.10.1 or 10.10.10.2). 

The CallManager servers are located internally (inside). 

 

The issue is the following:

For the users connected through VPN to ASA A, the traffic is authorized with no explicit permit ACE rule on the aaa radius ACL.

On the other hand, users connected to ASA B get the traffic droped by the implicit deny of the aaa radius ACL (reveled through the use of packet-tracer command).

My question is , since the configuration is typically the same on both ASAs , what could be wrong ? 

Note that: i tried to authorize the traffic by adding an ACE rule, but i got no hint , and the traffic still drops.

1 Accepted Solution

Accepted Solutions

Issue resolved. It was an issue on the server side : a bad configuration of a linux network configuration file.

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Using packet-tracer for remote-access VPN tracing is tricky. You have to specify an unused address in the assigned VPN pool.

That aside, it's nearly impossible to say what your issue is without seeing the running-configs from the system.

Hi Marvin,

-I get the following logging message repeatedly on the loggs that confirms the packet-tracer test result :
Apr 17 2020 16:09:21 ASAFRW01 : %ASA-4-106103: access-list vpn-users denied udp for user '<unknown>' INTERNAL/10.200.215.121(5060) -> DMZ/10.258.20.181(51372) hit-cnt 1 first hit [0xeec2fb93, 0x0]
-0xeec2fb93 matches the follow ACE (explicit deny):
access-list vpn-users line 173 extended deny ip any 10.0.0.0 255.0.0.0 (hitcnt=366629) 0xeec2fb93

I checked ASA log messages. Here' what i got :

Error Message %ASA-4-106103: access-list acl_ID denied protocol interface_name/source_address source_port interface_name/dest_address dest_port hit-cnt number first hit hash codes
Explanation This message indicates that a packet was denied by an access-list that is applied through a VPN filter. This message is the VPN/AAA filter equivalent of syslog message106023.
Recommended Action None required.

Issue resolved. It was an issue on the server side : a bad configuration of a linux network configuration file.