04-15-2020 10:59 AM
Hello everyone,
Need some help please on the following issue.
My company is using IPsec VPN for remote access and 2 x ASA5525 (let's say ASA A, OS version 9.4(4)5, and ASA B, OS version 9.8(3)21).
We are using different groups of users with different rights, each using an AAA RADIUS ACL (with a RADIUS/LDAP infrastructure).
We are using two CallManagers (not Cisco), active/active for our ToIP needs, with a virtual IP (let's say 10.10.10.10) to reach these servers. That means the ToIP client sends, e.g., a UDP SIP registration request toward that virtual IP (10.10.10.10) and gets the reply from one of the physical IP addresses (let's say 10.10.10.1 or 10.10.10.2).
The CallManager servers are located internally (inside).
The issue is the following:
For the users connected through VPN to ASA A, the traffic is authorized with no explicit permit ACE rule on the aaa radius ACL.
On the other hand, users connected to ASA B get the traffic dropped by the implicit deny of the AAA RADIUS ACL (revealed through the use of the packet-tracer command).
My question is, since the configuration is typically the same on both ASAs, what could be wrong?
Note that I tried to authorize the traffic by adding an ACE rule, but I got no hint, and the traffic still drops.
04-15-2020 11:07 AM
Using packet-tracer for remote-access VPN tracing is tricky. You have to specify an unused address in the assigned VPN pool.
That aside, it's nearly impossible to say what your issue is without seeing the running-configs from the system.
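As an added illustration of the reply's point (not from the original thread), this is how the SIP registration flow from a VPN client could be traced on the ASA with an address the pool has not handed out; the pool name RA_POOL, the interface names and the address 192.0.2.50 are assumptions, and 10.10.10.10 / 10.10.10.1 are the virtual and physical CallManager addresses from the question:

```text
! Assumed pool name; pick an address the output shows as not in use
show ip local pool RA_POOL

! Trace the UDP SIP registration exactly as the VPN client sends it:
! from the unused pool address toward the virtual IP, SIP on UDP 5060
packet-tracer input outside udp 192.0.2.50 5060 10.10.10.10 5060 detailed

! Trace the reply path too: the server answers from a physical address,
! not from the virtual IP the request was sent to
packet-tracer input inside udp 10.10.10.1 5060 192.0.2.50 5060 detailed
```

The second trace shows whether the reply from the physical address is matched to the existing connection or evaluated as a new flow against the downloaded ACL, which is where the implicit deny would appear.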