abdullahjamali
asked on
After connecting Cisco AnyConnect VPN, internet has stopped working on local PC & VPN disconnects a couple of times too
Hi Experts,
I have upgraded the ASA5505 software from version 8.2 to 9.1(7)6; ASDM version 7.6(1) has been installed as well.
I have configured remote access VPN with split tunnel for teleworkers who can connect to the workplace with Cisco AnyConnect 3.1 VPN software. After connecting I can ping / access the internal network, but internet on my laptop has stopped working. The OS on my laptop is Windows 10; I have also tested with a Windows 7 PC but the results are the same. When I connect 2 machines to the VPN they both connect perfectly fine, but after some time 1 of them stops working; the status still shows connected but the statistics are unchanged.
Can someone help me to fix this issue?
Please find attached the output of sh version.
ASA-Version-Details.txt
ASKER
Hi Ian,
Thanks a lot for your reply.
Please find attached the requested results of ping, tracert and route print after connecting to the VPN.
I've also attached the output of the sh vpn-sessiondb command with different switches. If you check the license command output, it says AnyConnect Premium capacity is 25, installed 2 and usage is 50%. Is that something related to licensing? The number of users that will connect to this firewall will be between 10 - 15.
Please let me know what it is exactly, as it seems to me the only reason for the freezing of the 2nd PC's VPN connection that I experienced yesterday, but if you check the sh version command output, it is also clearly mentioned there that AnyConnect Premium peers are 2.
Once again, thanks for your reply.
Regards,
Qaiser Azad
No-browsing-after-VPN-Connection.png
ping-4.2.2.2-after-VPN-Connection.png
sh-vpn-sessiondb-command-outputs.txt
Ping--Route-Print-and-Tracert-to-4.2.txt
Hi There,
I see the below default routes in the route print after you connect to the VPN.
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.20 10
0.0.0.0 0.0.0.0 192.168.5.2 192.168.5.1 2 (Preferred)
Ideally, SPLIT VPN means you would need your internet traffic to be routed via the local internet and not the remote office internet.
Kindly share the configuration done on the Remote office location ASA since that would be the peer that you connect to via Remote VPN.
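The check described in the post above (which default route wins once the VPN is up), as an added example that is not part of the original thread: it parses Windows route print output and reports whether the lowest-metric default route sits on the VPN adapter. The sample table is constructed around the two default routes quoted in the post, and the 192.168.5.0/24 client pool is an assumption.

```python
import ipaddress

# Constructed "route print" excerpt; the two 0.0.0.0 rows are the ones quoted in the post.
SAMPLE = """\
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.20     10
          0.0.0.0          0.0.0.0      192.168.5.2      192.168.5.1      2
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.20    266
      192.168.5.0    255.255.255.0         On-link       192.168.5.1    257
Persistent Routes:
  None
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 active route."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # headers, separators, persistent and IPv6 rows
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
            iface = ipaddress.ip_address(f[3])
        except ValueError:
            continue
        routes.append((net, f[2], iface, int(f[4])))
    return routes

def tunnel_mode(text, vpn_pool="192.168.5.0/24"):
    """Classify the client by the interface that owns the best default route.

    vpn_pool is the address pool handed to VPN clients (assumed value).
    """
    pool = ipaddress.ip_network(vpn_pool)
    defaults = [r for r in parse_routes(text) if r[0].prefixlen == 0]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r[3])  # lowest metric wins
    return "full-tunnel" if best[2] in pool else "split-tunnel"
```

With a working split tunnel the VPN adapter adds only the routes for the tunnelled networks, so the result for the same machine should change to split-tunnel.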
ASKER
Hi Ian,
Thanks for your reply.
Please find attached requested configuration of ASA.
Regards,
ASA-Running-Config.txt
ASKER CERTIFIED SOLUTION
ASKER
Hi Cheever,
Thanks for your reply.
So we have to install AnyConnect Premium / Essential licenses for remote users.
What configuration is needed to enable split-tunnelling? This VPN was set up through the VPN wizard, and at that time the split-tunnel option was selected as well.
It will be a great help to me if you can guide me about the configuration that is needed.
Thanks in advance.
Regards,
Qaiser Azad
You can generate a trial license with any CCO account at cisco.com/go/licensing
- You will need to contact a reseller to get the license. I think you can still pick up Essentials; it is fairly cheap for this model, under 100 dollars usually.
Split tunneling is configured under the group policy. You can do it in the ASDM; I can't really direct you there, but I can give you the CLI. I am assuming that you need access to the 192.168.0.0/24 only, so that is in my example; you can add as many lines as needed.
From the command line:

    access-list split_tunnel standard permit X.X.X.X Y.Y.Y.Y

etc., add the lines you need:

    access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
    group-policy GroupPolicy_KitelakeTest attributes
     wins-server none
     dns-server value 8.8.8.8 8.8.4.4
     vpn-tunnel-protocol ikev2 ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel
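One way to check a saved running-config for the settings the answer above configures, as an added example that is not part of the original thread or any Cisco tool: it reports each group policy's split-tunnel mode and the networks its ACL sends through the tunnel. GroupPolicy_Wizard is a hypothetical second policy, inheritance from the default group policy is not resolved, and a policy with no split-tunnel-policy line is assumed to get the ASA default of tunnelall.

```python
import ipaddress
import re

# Constructed config built from the answer's commands; GroupPolicy_Wizard is hypothetical.
SAMPLE_CONFIG = """\
access-list split_tunnel standard permit 192.168.0.0 255.255.255.0
group-policy GroupPolicy_KitelakeTest attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
group-policy GroupPolicy_Wizard attributes
 vpn-tunnel-protocol ssl-client
"""

ACL_RE = re.compile(r"access-list (\S+) standard permit (\d\S*) (\d\S*)$")

def audit_split_tunnel(config):
    """Return {group_policy: (verdict, [tunnelled networks as CIDR strings])}."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        m = ACL_RE.match(line)
        if m:  # network/mask form only; "host" and "any" entries are not handled
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            acls.setdefault(m.group(1), []).append(str(net))
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            current = policies.setdefault(words[1], {})
        elif line.startswith(" ") and len(words) > 1 and current is not None:
            if words[0] == "split-tunnel-policy":
                current["policy"] = words[1]
            elif words[:2] == ["split-tunnel-network-list", "value"]:
                current["acl"] = words[-1]
        else:
            current = None  # left the group-policy sub-mode
    report = {}
    for name, gp in policies.items():
        nets = acls.get(gp.get("acl"), [])
        policy = gp.get("policy", "tunnelall")  # assumed default when unset
        if policy != "tunnelspecified":
            report[name] = (policy, [])
        elif not nets:
            report[name] = ("tunnelspecified: ACL missing or empty", [])
        elif "0.0.0.0/0" in nets:
            report[name] = ("tunnelspecified: ACL permits 0.0.0.0/0", nets)
        else:
            report[name] = ("tunnelspecified", nets)
    return report
```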
SOLUTION
Hi there,
Kindly confirm if you have executed the config mentioned by the experts.
The SPLIT tunnelling part was an issue with your current config.
Kindly share the error that is observed while accessing web page once you connect to the VPN.
Could you post the route print and trace to internet IP (4.2.2.2) once you connect to the VPN?