Solved

Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

Posted on 2016-08-22
8
30 Views
Last Modified: 2016-08-28
I recently switch from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site. Cisco ASA 5520: Issues removing EZVPN from the device.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the vpn then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW. packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address> and packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>. I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see: Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584
.

I'm not sure why it's not pinging out right. Any help is appreciated.
0
Comment
Question by:travisryan
  • 6
8 Comments
 

Author Comment

by:travisryan
ID: 41765862
If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.
0
 

Author Comment

by:travisryan
ID: 41765975
Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41766642
is the remote site subnet added to the AnyConnect cryptomap ?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 41766857
What IOS version are you running? I would look to make sure you are not NAT'ng the traffic flow between your VPN and the internal network. What do your no nat rules look like? or are you using policy NAT?


harbor235 ;}
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:travisryan
ID: 41767439
Arne, this site was originally connected via an MPLS (EIGRP learned I believe) connection. Then it was a site to site VPN. Now it's "directly" connected and learned via EIGRP. I'm not sure if something got taken out when I changed the connection from MPLS to Site to Site and needs to be added back in.
0
 

Author Comment

by:travisryan
ID: 41767456
harbor, ASA Version 9.1(3). As far as NAT-ing, not that I can see. As I said, all of the packet-tracer tests I've run are all successful.
0
 

Accepted Solution

by:
travisryan earned 0 total points
ID: 41767760
Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel acl. Thanks to everyone who's responded.
0
 

Author Closing Comment

by:travisryan
ID: 41773589
My solution worked.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
SBS 2008 cannot logon remotely 7 47
cradle point vpn to sonicwall 5 49
How to configure this IP Address to my firewall 15 86
Connecting to CISCO 4402 WLC 3 11
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now