Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

Posted on 2016-08-22
8
Medium Priority
?
65 Views
Last Modified: 2016-08-28
I recently switch from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site. Cisco ASA 5520: Issues removing EZVPN from the device.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the vpn then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW. packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address> and packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>. I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see: Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584
.

I'm not sure why it's not pinging out right. Any help is appreciated.
0
Comment
Question by:travisryan
  • 6
8 Comments
 

Author Comment

by:travisryan
ID: 41765862
If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.
0
 

Author Comment

by:travisryan
ID: 41765975
Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 41766642
is the remote site subnet added to the AnyConnect cryptomap ?
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
LVL 32

Expert Comment

by:harbor235
ID: 41766857
What IOS version are you running? I would look to make sure you are not NAT'ng the traffic flow between your VPN and the internal network. What do your no nat rules look like? or are you using policy NAT?


harbor235 ;}
0
 

Author Comment

by:travisryan
ID: 41767439
Arne, this site was originally connected via an MPLS (EIGRP learned I believe) connection. Then it was a site to site VPN. Now it's "directly" connected and learned via EIGRP. I'm not sure if something got taken out when I changed the connection from MPLS to Site to Site and needs to be added back in.
0
 

Author Comment

by:travisryan
ID: 41767456
harbor, ASA Version 9.1(3). As far as NAT-ing, not that I can see. As I said, all of the packet-tracer tests I've run are all successful.
0
 

Accepted Solution

by:
travisryan earned 0 total points
ID: 41767760
Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel acl. Thanks to everyone who's responded.
0
 

Author Closing Comment

by:travisryan
ID: 41773589
My solution worked.
0

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

877 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question