dACL causing RA VPN connection to fail

DannyDulin
Level 1

When I attempt to connect via AnyConnect to VPN, I get through authentication, but the ASA never responds that connection is complete.

If I change the dACL to permit IP Any Any, the connection works just fine. However, as soon as I add any other lines in the dACL, the problem happens again. I understand that once I add a line, there is an implicit deny.

What I'm trying to discover here is:

1. Is there something I have to configure in the ASA connection profile (Tunnel-group) to make this work?

2. Is there a line I'm missing in the dACL?

3. Is there something in the Authorization Profile that I'm missing?

Accepted Solution

DannyDulin
Level 1

Karsten Iwen wrote:

There are different limitations that can apply based on RADIUS and the switch-model:

  • The whole dACL cannot exceed 4000 characters, as it has to fit into one RADIUS packet.
  • Up to 64 lines in a single dACL (you should have far fewer lines in practice).
  • The total number of ACEs the switch can store in its TCAM. That can range from only a few hundred on the low-end switches to a few thousand on the more expensive models. This can often be adjusted by choosing the right SDM template.

https://community.cisco.com/t5/network-access-control/dacls-in-ise/td-p/2869666


3 Replies

@DannyDulin Is the syntax of the dACL correct?

Turn on debugs and provide the output - debug aaa authorization

Thanks Rob.

I think I found the solution. There seems to be a size limit to the dACL. I systematically removed rules until it started to work. I had a lot of spacing and a lot of remarks; when I adjusted everything, connectivity started to work as expected.
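The limits Karsten lists and the cleanup that restored Danny's connection can be turned into a pre-flight check run before a dACL is pushed to the authorization profile. This is an added example, not code from this thread or from Cisco; it assumes that remark lines and whitespace padding count toward the 4000-character budget (the thread does not say how ISE encodes the ACL in RADIUS, so the character count is an estimate, not the exact payload size).

```python
"""Added example (not Cisco/ISE code): lint a dACL body against the
4000-character / 64-line limits quoted in this thread."""
import re

MAX_CHARS = 4000  # whole dACL must fit in one RADIUS packet (from the thread)
MAX_LINES = 64    # maximum lines in a single dACL (from the thread)


def normalize_dacl(text: str) -> list[str]:
    """Drop remark and blank lines and collapse runs of whitespace,
    mirroring the cleanup that made the VPN connection complete."""
    aces = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line and not line.lower().startswith("remark"):
            aces.append(line)
    return aces


def dacl_size(lines: list[str]) -> dict:
    """Line count and character count (one separator char per line).
    Assumption: every character of the ACL text counts toward the limit."""
    return {"lines": len(lines), "chars": sum(len(l) + 1 for l in lines)}


def check_dacl(text: str) -> dict:
    """Compare the ACL as written and after normalisation with the limits.
    'violations' names the limits the raw ACL exceeds."""
    raw = dacl_size([l for l in text.splitlines() if l.strip()])
    clean = dacl_size(normalize_dacl(text))
    violations = [name for name, limit in (("chars", MAX_CHARS),
                                           ("lines", MAX_LINES))
                  if raw[name] > limit]
    return {"raw": raw, "clean": clean, "violations": violations,
            "fits_after_cleanup": clean["chars"] <= MAX_CHARS
            and clean["lines"] <= MAX_LINES}


# Constructed sample: a padded, remark-heavy dACL like the one described
# above (hypothetical addresses, not from the thread).
SAMPLE_DACL = "\n".join(
    f"remark   ---- allow workstation to server {i} ----\n"
    f"permit    tcp   any   host 10.10.20.{i}   eq 443"
    for i in range(1, 51)
)

if __name__ == "__main__":
    print(check_dacl(SAMPLE_DACL))
    for ace in normalize_dacl(SAMPLE_DACL)[:3]:
        print(ace)
```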

