08-16-2018 09:28 AM - edited 03-12-2019 05:29 AM
Hello,
I will preface my question with the following information: I am quite new to the Cisco world and still use the ASDM for most of my configuration changes, with some command line experience.
ASA-5508-X / v9.7(1)4
I’ve been running this ASA on a secondary network for a week and it has been running flawlessly. I successfully configured the remote client VPN using AnyConnect and the Clientless SSL VPN and it worked on the lab bench when connecting from an outside network.
After switching the ASA to a new outside connection (new ISP), the VPN stopped working. Right now, I'm focusing on the clientless SSL VPN. Port 443 is open and listening, but the ASA fails to respond to connection requests.
Where should I be looking to troubleshoot this problem?
Thank you.
08-16-2018 09:34 AM
08-16-2018 09:41 AM
Hi RJI,
I currently have 20 users testing it and everyone has access to the internet, and no problems pinging that address.
The new ISP assigns "static" IPs dynamically, so my change was to switch the outside interface to use DHCP. I did not modify anything past that.
I'll edit this post shortly with the config.
08-16-2018 09:44 AM
08-16-2018 09:54 AM - edited 08-16-2018 10:02 AM
Just using the public IP.
Config:
Result of the command: "show running-config"

: Saved
:
: Serial Number: <serialnumber>
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.7(1)4
!
hostname <hostname>
domain-name <domainname>
enable password <enablepassword>
names
!
interface GigabitEthernet1/1
 description Main outside interface
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name <domainname>
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object service SMB30
 service tcp source eq 445 destination eq 445
 description SMB30
object-group service Microsoft tcp
 description Microsoft Specific Services
 port-object eq 445
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 172.16.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint_SelfSigned
 enrollment self
 fqdn vpn.##.##
 subject-name CN=vpn.##.##
 keypair <keypair>
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint_SelfSigned
 certificate ...
  quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd domain <dhcpdomain>
!
dhcpd address 172.16.2.100-172.16.2.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint_SelfSigned outside
webvpn
 enable outside
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value <localservername>
dynamic-access-policy-record DfltAccessPolicy
username <username>
tunnel-group <tunnel-group> type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:303b8abb64fc5ecb67e8695e57a66614
: end
08-16-2018 10:28 AM
Have you removed some config for the group-policy and tunnel-group? Have you defined the vpn-tunnel-protocol to use, e.g. ssl-clientless? I don't see it in the output.
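A way to check this from the CLI, and to put the protocol back if it really is gone. These are added example commands, not part of RJI's post; the prompt "asa" is assumed. The important detail is that a plain "show run" omits any value that equals the default, so the group policy has to be read with "show run all" before concluding that the line is missing.

```cisco
! Added example (not from the thread): verify the clientless SSL VPN listener
! on an ASA 9.x and restore vpn-tunnel-protocol if it has been removed.
!
! Plain "show run" hides values equal to the default, so use "all" to see what
! DfltGrpPolicy actually carries; ssl-clientless must appear in this line.
asa# show running-config all group-policy DfltGrpPolicy | include vpn-tunnel-protocol
!
! Confirm the webvpn service is enabled on the outside interface...
asa# show running-config webvpn
! ...and that the box is really listening on TCP/443 on that interface
! (look for a LISTEN socket on the outside interface address, port 443).
asa# show asp table socket | include 443
!
! Any sessions established at all?
asa# show vpn-sessiondb summary
!
! If ssl-clientless (or the whole line) is missing, restore it. The list below
! matches what the OP says ASDM shows as selected.
asa# configure terminal
asa(config)# group-policy DfltGrpPolicy attributes
asa(config-group-policy)# vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
asa(config-group-policy)# exit
asa(config)# webvpn
asa(config-webvpn)# enable outside
asa(config-webvpn)# end
asa# write memory
```

If the listener shows up in "show asp table socket" and the group policy allows ssl-clientless, the ASA itself is configured to answer, and the problem moves upstream (the ISP path), which is what the rest of the thread goes on to test.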
08-16-2018 11:02 AM - edited 08-16-2018 11:02 AM
If you don't see it, then I'm guessing not. I use the included ASDM VPN "Wizard" to configure the VPNs.
Would the Wizard have failed to create those entries? Regardless, what would you recommend as a next step?
Thank you
08-16-2018 11:09 AM
08-16-2018 11:41 AM
Yes, Clientless SSL VPN is selected, along with IPSec IKEv1 and 2 and L2TP.
08-16-2018 11:49 AM
08-16-2018 12:11 PM
Only a single GP, and yes it is referenced.
I've got a ticket in with the ISP to see if they are indeed blocking port 443, or if there is another layer in front of the ASA listening on port 443.
Thanks for your help btw.
08-16-2018 01:11 PM
So no port blocking from the ISP, but the support technician didn't seem all that sure.
That being said, would setting up a simple port forward for one of our local web servers be a good test to see if the ISP is blocking traffic?
If so, can you recommend a good guide on how to port forward 80 to a specific machine on our network?
Thank you,
08-16-2018 01:18 PM
Here is an example of a static NAT. You reference the private IP address in the ACL rule, and the ACL has to be bound to the outside interface.
object network SRV1
host 192.168.10.5
nat (i,o) static 1.1.1.10
access-list OUTSIDE->IN permit tcp any host 192.168.10.5 eq 80
access-group OUTSIDE->IN in interface outside
Run a packet capture on the ASA and make sure you can actually see the traffic inbound.
HTH
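The same test adapted to the OP's setup, as an added example (not RJI's snippet and not taken from the OP's configuration). RJI's version maps to a fixed public address; here the outside interface gets its address by DHCP, so the translation is tied to the interface address with the "interface" keyword instead. The internal server 172.16.2.50, the object and ACL names, and the addresses 198.51.100.7 / 203.0.113.10 used in packet-tracer are assumptions.

```cisco
! Added example: forward TCP/80 arriving on a DHCP-assigned outside address
! to an internal web server, then prove whether packets reach the ASA.
! Server address, object and ACL names are assumed.
object network WEB-SRV
 host 172.16.2.50
 nat (inside,outside) static interface service tcp 80 80
!
! On ASA 8.3 and later the ACL matches the real (untranslated) address,
! so permit to the object, not to the public IP. Then bind it inbound.
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 80
access-group OUTSIDE-IN in interface outside
!
! Check 1: capture on the outside interface while a client on the internet
! connects. SYNs present but no SYN/ACK means NAT or ACL on the ASA is at
! fault; no packets at all means the ISP (or something in front of the ASA)
! never delivered them.
capture WEB-IN interface outside match tcp any any eq 80
show capture WEB-IN
no capture WEB-IN
!
! Check 2: simulate the inbound SYN without a client (outside IP assumed).
! The output walks through ACL, NAT and routing and names the phase that drops.
packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.10 80
!
! Check 3: hit counters on the rule increase only if traffic was seen.
show access-list OUTSIDE-IN
```

Once this works from the outside, swap port 80 for 443 in the capture to see whether SSL VPN connection attempts are reaching the interface at all; that separates an ISP block from a misconfiguration on the ASA.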
08-17-2018 09:43 AM
Hi RJI,
I managed to get port forwarding working with one of our local web servers and can access it from the outside world. The command-line interface is definitely superior. Still having VPN issues, but at least I know that the ISP is not port blocking.
I will find a guide to walk me through VPN setup via CLI. Do you have one you can recommend?
Thanks for all your help.
08-17-2018 09:59 AM
Hi,
Here is an example of how to configure AnyConnect SSLVPN via CLI. If you've still got problems, upload the new configuration.
HTH
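The linked example did not survive extraction. The configuration below is an added example of a minimal working SSL VPN (clientless plus AnyConnect) on ASA 9.x, written for this page and not taken from RJI's link or from the OP's configuration. It reuses the OP's interface names, inside subnet and self-signed trustpoint; the address pool 172.16.100.0/24, the object, ACL, group-policy and tunnel-group names, the AnyConnect package file name, and the local user "vpnuser" are assumptions.

```cisco
! Added example (not from the thread): clientless + AnyConnect SSL VPN via CLI.
! Assumed: pool 172.16.100.0/24, names below, AnyConnect package on disk0:.
!
! Certificate the TLS listener presents (OP already has this trustpoint).
ssl trust-point ASDM_TrustPoint_SelfSigned outside
!
! Address pool handed to AnyConnect clients.
ip local pool SSLVPN-POOL 172.16.100.10-172.16.100.100 mask 255.255.255.0
!
! NAT exemption so LAN<->VPN traffic is not caught by the outbound PAT rules.
! A manual "source static" rule is evaluated before the OP's after-auto rule.
object network VPN-POOL
 subnet 172.16.100.0 255.255.255.0
object network INSIDE-LAN
 subnet 172.16.2.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Split tunnel: only the internal LAN goes through the tunnel.
access-list SPLIT-TUNNEL standard permit 172.16.2.0 255.255.255.0
!
! Listener on the outside interface plus the AnyConnect client package.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.x-webdeploy-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Group policy that allows both the browser portal and the client.
group-policy SSLVPN-GP internal
group-policy SSLVPN-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 dns-server value 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value SSLVPN-POOL
 webvpn
  url-list value <localservername>
!
! Connection profile (tunnel group) with an alias shown in the portal/client.
tunnel-group SSLVPN-TG type remote-access
tunnel-group SSLVPN-TG general-attributes
 address-pool SSLVPN-POOL
 default-group-policy SSLVPN-GP
tunnel-group SSLVPN-TG webvpn-attributes
 group-alias SSLVPN enable
!
! Local test user, restricted to remote-access VPN (no management login).
username vpnuser password <password>
username vpnuser attributes
 vpn-group-policy SSLVPN-GP
 service-type remote-access
!
! Checks after a connection attempt.
show vpn-sessiondb webvpn
show vpn-sessiondb anyconnect
```

Without the NAT exemption the VPN connects but traffic to the LAN is translated to the outside interface address and replies never come back, which is the most common follow-up problem once the listener itself is reachable.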