Once connected to Cisco AnyConnect I can't ping anything on the network

I can connect to anyconnect just fine, but once connected, I cannot ping anything on the network.  I'm pretty sure split tunneling is cofigured correctly.  Any ideas?  Thanks.
Who is Participating?
TG TranIT guyCommented:
Do you have this command in your Cisco VPN device to allow ICMP?
access-list <access-list name> extended permit icmp any any
Can be several things, depending on your configuration. Pasting your config would help to find out.
Some checks though:
- On the anyconnect client you can see if split tunnelling is really in effect.
- You can check the byte RX and TX count in either asdm or by the command:
show vpn-sessiondb svc
- are you allowing vpn connections by default through superseeding any access-lists:
sh run all sysopt
check if the sysopt connection permit-vpn is there
- are nat excempts in place?
Istvan KalmarHead of IT Security Division Commented:
Please show the config
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

denver218Author Commented:
For some reason, I created another DHCP Pool and it starting working.  All is working now.  Thanks.
I had the same problem; pulled my hair out double and triple checking config.  I had Anyconnect vpn client connecting to cisco router webvpn ok, but could only ping the webvpn ip address from client side and client assigned address from cisco router side; could not ping anything else on inside network.  

Turns out I had the dhcp pool for the vpn clients in the same subnet as my ethernet interface fe0/1 (client dhcp pool - For some reason this won't route correctly.  I changed client dhcp pool to - and all is working great now.
I would like to see the config too for reference. Having the same problem.
denver218Author Commented:
Hey guys here's my working config.  Like gilley001 said I had to create a dhcp pool on a different subnet.  Below are the configurations:

ASA Version 8.2(2)
hostname ASA5510
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.67
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
ftp mode passive
clock timezone est -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name lvbh.org
object-group network DM_INLINE_NETWORK_1
access-list outside_cryptomap extended permit ip objec
access-list nonat extended permit ip 255.
access-list nonat extended permit ip 255.255.
access-list nonat extended permit ip 255.255
access-list nonat extended permit ip 255.2
access-list nonat extended permit ip 255.
access-list 100 remark IT DEPT PC Anywhere Access
access-list 100 extended permit tcp x.x.x.128 any eq pcanywhere-data
access-list 100 remark IT DEPTs PC Anywhere Access
access-list 100 extended permit udp x.x.x.128 any eq pcanywhere-status
access-list 100 remark WWW Access to Care Tracker
access-list 100 extended permit tcp any host x.x.x.70 eq www
access-list 100 remark SMTP Access to Astaro Security Gateway
access-list 100 extended permit tcp any host x.x.x.72 eq smtp
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq ssh
access-list 100 remark Astaro Technical Support
access-list 100 extended permit tcp host x.x.231.66 host x.x.x.72 eq 4444
access-list 100 remark ICMP
access-list 100 extended permit icmp any any
access-list 100 remark OWA/Active Sync
access-list 100 extended permit tcp any host x.x.x.68 eq www
access-list 100 remark OWA/ActiveSync for Exchange 2003
access-list 100 extended permit tcp any host x.x.x.68 eq 7500
access-list inside_access_in remark access inside
access-list inside_access_in extended permit ip any any
access-list split-tunnel standard permit
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip local pool newvpn
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1
static (inside,outside) x.x.x.68 netmask
static (inside,outside) x.x.x.70 netmask
static (inside,outside) x.x.x.72 netmask
static (inside,outside) x.x.x.71 netmask
access-group 100 in interface outside
access-group inside_access_in in interface inside
route outside x.x.x.66 10
route inside 1
route inside x.x.x.0 1
route inside x.x.x.0 1
route inside x.x.x.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer x.x.x.135
crypto map outside_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet inside
telnet inside
telnet timeout 5
ssh outside
ssh inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
 enable outside
 enable inside
 svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
  svc keep-installer installed
  svc rekey method ssl
  svc ask none default svc
username Remoteuser1 password fACU5JyPT3rejR/3 encrypted
username Remoteuser2 password GKv1147IFRfgJ2CI encrypted
username Remoteuser3 password jSLASOGInnn5Ae/a encrypted
username admin password 3USUcOPFUiMCO4Jk encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyConnect_DHCP_Pool
 default-group-policy clientgroup
tunnel-group x.x.x.135 type ipsec-l2l
tunnel-group x.x.x.135 ipsec-attributes
 pre-shared-key *****
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
 address-pool newvpn
 default-group-policy clientgroup
tunnel-group sslgroup webvpn-attributes
 group-alias sslgroup_users enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
service-policy global_policy global
prompt hostname context
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DD
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.