Solved

Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

Posted on 2016-08-22
8
25 Views
Last Modified: 2016-08-28
I recently switch from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site. Cisco ASA 5520: Issues removing EZVPN from the device.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the vpn then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW. packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address> and packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>. I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see: Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584
.

I'm not sure why it's not pinging out right. Any help is appreciated.
0
Comment
Question by:travisryan
  • 6
8 Comments
 

Author Comment

by:travisryan
ID: 41765862
If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.
0
 

Author Comment

by:travisryan
ID: 41765975
Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 41766642
is the remote site subnet added to the AnyConnect cryptomap ?
0
 
LVL 32

Expert Comment

by:harbor235
ID: 41766857
What IOS version are you running? I would look to make sure you are not NAT'ng the traffic flow between your VPN and the internal network. What do your no nat rules look like? or are you using policy NAT?


harbor235 ;}
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:travisryan
ID: 41767439
Arne, this site was originally connected via an MPLS (EIGRP learned I believe) connection. Then it was a site to site VPN. Now it's "directly" connected and learned via EIGRP. I'm not sure if something got taken out when I changed the connection from MPLS to Site to Site and needs to be added back in.
0
 

Author Comment

by:travisryan
ID: 41767456
harbor, ASA Version 9.1(3). As far as NAT-ing, not that I can see. As I said, all of the packet-tracer tests I've run are all successful.
0
 

Accepted Solution

by:
travisryan earned 0 total points
ID: 41767760
Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel acl. Thanks to everyone who's responded.
0
 

Author Closing Comment

by:travisryan
ID: 41773589
My solution worked.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now