
Weird VPN Issue

stephen.ellis2
Community Member

Hi Everyone

ASA: 8.2(1)11

I have a really weird issue. We have IPSec client VPN profiles ProfileA and ProfileB. ProfileA is for ITSupport and ProfileB is for general users; the only difference is that we are allowing the IT Support to access a /16 network in addition to the subnets which the standard user profile is allowed to get to. The clients receive IP addresses from the pools as below:

ip local pool ProfileA 10.10.100.1-10.10.100.60 mask 255.255.255.192

ip local pool ProfileB 10.10.101.1-10.10.101.254 mask 255.255.255.0

When a user uses the standard user profile ProfileB, they are able to connect and ping/rdp onto everything they need to get onto.

When the first user connects using the ITSupport user profile ProfileA, they receive the IP address of 10.10.100.1. Using this address they are unable to access anything on the network. The next user who connects receives the IP address of 10.10.100.2 and can access everything on the network.

I have looked at everything, NAT/Access Lists etc. etc. The eventual fix I found was if I changed the starting IP address for the local pool ProfileA to 10.10.100.2 all users connecting received access to everything.

Can anyone explain why this is?

Many thanks in advance.

Stephen

1 Reply

Jouni Forss
VIP Alumni

Hi,

Can't say I have ever run into this. Our VPN pools are always /24 and starting IP is .10.

Just wondering if you have monitored the situation with the .1 IP address from both the VPN Client software and the ASA?

Can you see any connection forming messages on the ASA logs when the client is forming connections to LAN with the IP .1?

If you can't see them, can you confirm from the VPN Client counters that the encrypted counter is increasing while you are attempting connections? (Though there is probably naturally other traffic unless you have Split tunnel configured instead of Full tunnel.)

- Jouni