• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 89
  • Last Modified:

Cisco ASA 5520: AnyConnect VPN users cannot connect to remote site

I recently switch from Site to Site EZVPN connection to a fiber connection for my remote site back to the home network and had some issues getting the route learned through EIGRP instead of that EZVPN site to site. Cisco ASA 5520: Issues removing EZVPN from the device.

Now that's all working, but now when users on our AnyConnect VPN try to access machines on that remote network they can't. When I connect to the vpn then try to ping the remote network, pings drop. When I traceroute it traces out to the internet like it doesn't recognize the route.

Packet tracer doesn't help because both ways I put the addresses in it says ALLOW. packet-tracer input inside icmp <VPN address> 8 0 <remote network switch address> and packet-tracer input inside icmp <remote network switch address> 8 0 <VPN address>. I even tried it using DMZ (since our VPN is in our DMZ) as the source and I still get allow both ways.

The main firewall is learning the route correctly as far as I can see: Firewall# sh eigrp topology | inc <remote network>
P <remote network> 255.255.255.0, 1 successors, FD is 3584
.

I'm not sure why it's not pinging out right. Any help is appreciated.
0
travisryan
Asked:
travisryan
  • 6
1 Solution
 
travisryanAuthor Commented:
If I run a sh ip route on the remote site's switch I can see my computer on VPN's IP address. But I can't ping it. And when I try to run a traceroute it hits my home location's switch but then stops there.
0
 
travisryanAuthor Commented:
Testing from another remote site that's been connected for a while, I can't ping back to a VPN address either but everything else works fine. I'm trying to devise a test to help me nail down what the issue is, i.e. use packet tracer with port 3389 since RDP seems to be the thing VPN from one remote site can do and the other can't. But packet tracer has been pretty useless on this front.
0
 
ArneLoviusCommented:
is the remote site subnet added to the AnyConnect cryptomap ?
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

 
harbor235Commented:
What IOS version are you running? I would look to make sure you are not NAT'ng the traffic flow between your VPN and the internal network. What do your no nat rules look like? or are you using policy NAT?


harbor235 ;}
0
 
travisryanAuthor Commented:
Arne, this site was originally connected via an MPLS (EIGRP learned I believe) connection. Then it was a site to site VPN. Now it's "directly" connected and learned via EIGRP. I'm not sure if something got taken out when I changed the connection from MPLS to Site to Site and needs to be added back in.
0
 
travisryanAuthor Commented:
harbor, ASA Version 9.1(3). As far as NAT-ing, not that I can see. As I said, all of the packet-tracer tests I've run are all successful.
0
 
travisryanAuthor Commented:
Found the solution, shows how long since I've had to deal with the AnyConnect VPN. I had to add the remote site back into my split tunnel acl. Thanks to everyone who's responded.
0
 
travisryanAuthor Commented:
My solution worked.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now