Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

I recently switched from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site. Cisco ASA 5520: Issues removing EZVPN from the device.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the VPN then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW:

packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address>
packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>

I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see:

Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584

I'm not sure why it's not pinging out right. Any help is appreciated.
travisryan Asked:
travisryan Author Commented:
If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.
0
travisryan Author Commented:
Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.
0
ArneLovius Commented:
Is the remote site subnet added to the AnyConnect cryptomap?
0
harbor235 Commented:
What IOS version are you running? I would look to make sure you are not NAT'ing the traffic flow between your VPN and the internal network. What do your no nat rules look like? Or are you using policy NAT?


harbor235 ;}
0
travisryan Author Commented:
Arne, this site was originally connected via an MPLS (EIGRP learned I believe) connection. Then it was a site to site VPN. Now it's "directly" connected and learned via EIGRP. I'm not sure if something got taken out when I changed the connection from MPLS to Site to Site and needs to be added back in.
0
travisryan Author Commented:
harbor, ASA Version 9.1(3). As far as NAT-ing, not that I can see. As I said, all of the packet-tracer tests I've run are all successful.
0
travisryan Author Commented:
Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel ACL. Thanks to everyone who's responded.
0

travisryan Author Commented:
My solution worked.
0
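
An added example (not part of the thread, and not the poster's configuration) of checking for the fix described above: it parses an ASA running-config for the split-tunnel ACL attached to a group policy and reports which subnets AnyConnect clients would not route through the tunnel. The config text, the names SPLIT_TUNNEL and GP_ANYCONNECT, and all addresses are constructed for illustration, and only standard ACLs are handled.

```python
import ipaddress
import re

# Constructed sample config: names and addresses are made up for illustration.
SAMPLE_CONFIG = """\
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL standard permit host 192.168.50.10
access-list OTHER standard permit 172.16.0.0 255.255.0.0
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
"""

ACL_RE = re.compile(
    r"^access-list (\S+) standard permit (?:host (\S+)|(\S+) (\S+))\s*$")
GP_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
LIST_RE = re.compile(r"^\s+split-tunnel-network-list value (\S+)\s*$")


def parse_split_tunnels(config):
    """Return {group_policy: [networks]} for policies that name a split-tunnel ACL."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        if line and not line[0].isspace():
            current = None  # any top-level command leaves group-policy sub-mode
        if m := ACL_RE.match(line):
            name, host, net, mask = m.groups()
            cidr = f"{host}/32" if host else f"{net}/{mask}"
            acls.setdefault(name, []).append(ipaddress.ip_network(cidr))
        elif m := GP_RE.match(line):
            current = m.group(1)
        elif (m := LIST_RE.match(line)) and current:
            policies[current] = m.group(1)
    return {gp: acls.get(acl, []) for gp, acl in policies.items()}


def uncovered(config, group_policy, required_subnets):
    """Subnets that clients in group_policy will NOT send through the tunnel."""
    tunneled = parse_split_tunnels(config).get(group_policy, [])
    missing = []
    for subnet in map(ipaddress.ip_network, required_subnets):
        if not any(subnet.subnet_of(net) for net in tunneled):
            missing.append(str(subnet))
    return missing


if __name__ == "__main__":
    # 10.20.30.0/24 stands in for a remote site reachable by routing but absent from the ACL.
    print(uncovered(SAMPLE_CONFIG, "GP_ANYCONNECT", ["10.10.5.0/24", "10.20.30.0/24"]))
```

A subnet reported as missing matches the symptom in the question: the client has no tunnel route for it, so traffic follows the client's default route out to the internet even though the firewall itself has the route.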