Remote-access Guide

cisco asa remote access vpn not passing traffic

by Timmothy Feil Sr. Published 2 years ago Updated 2 years ago

Cisco VPN Client Connects but No Traffic Will Pass: If that's not the case, then make sure the subnet that the remote VPN clients are using is not getting 'routed' somewhere other than back out of the firewall. Pete


Can ASA/PIX pass multicast traffic over IPsec VPN tunnels?

Note: Refer to IP Security Troubleshooting - Understanding and Using debug Commands for an explanation of the common debug commands used to troubleshoot IPsec issues on both Cisco IOS® Software and PIX. Note: ASA/PIX will not pass multicast traffic over IPsec VPN tunnels.

How to use AnyConnect VPN with Asa?

The remote user opens a web browser and enters the IP address of the ASA; the browser then automatically downloads the AnyConnect VPN client, which establishes the connection. Here’s the topology that we will use:

How to use clientless WebVPN with Asa?

The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, enter the IP address of the ASA and you get access through a web portal. You only get limited access to a small number of applications; there is no full network access when you use clientless WebVPN.

Why is VPN not working on my Asa?

Note: When a connectivity problem exists, even phase 1 of the VPN does not come up. On the ASA, if connectivity fails, the SA output looks like the following example, which indicates a possibly incorrect crypto peer configuration and/or an incorrect ISAKMP proposal configuration:


How do I check my VPN traffic on ASA?

Hi, from the CLI use the command "show crypto ipsec sa" and confirm the encaps and decaps counters are increasing to confirm traffic is being sent/received over the VPN tunnel successfully. You can also use packet capture to confirm traffic is sent/received.

How do I troubleshoot IPsec VPN connectivity issues?

If tunnels are up but traffic is not passing through the tunnel:
1. Check security policy and routing.
2. Check for any devices upstream that perform port-and-address translations. ...
3. Apply debug packet filters, captures or logs, if necessary, to isolate where the traffic is getting dropped.

Can Cisco ASA do route based VPN?

ASA supports route-based VPN with the use of Virtual Tunnel Interfaces (VTIs) in version 9.8 and later.

How do I allow VPN through Cisco firewall?

Solution:
1. Create a Static (One-To-One) NAT so that the ASA that has a private IP on its outside interface, (192.168. ...
2. Allow UDP 500 (ISAKMP) from the ASA (1.1. ...
3. Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (1.1. ...
4. Allow UDP 500 (ISAKMP) from the ASA (192.168. ...
5. Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (192.168. ...

How do I check my IPsec traffic?

In the GUI, a ping may be sent with a specific source as follows:
1. Navigate to Diagnostics > Ping.
2. Fill in the settings as follows: Host: enter an IP address which is on the remote router within the remote subnet listed for the tunnel phase 2 (e.g. 10.5.0.1). IP Protocol: ...
3. Click Ping.

How do I check Cisco VPN tunnel status?

From the Wired Client, browse to http://dcloud.cisco.com/ to access the Cisco dCloud UI and then log in with your Cisco.com credentials. Use the Bandwidth Test to verify that the port needed for VPN connectivity (TCP 443) is not blocked at your site.

What is the difference between route-based and policy-based VPN?

In a policy-based VPN configuration, the action must be permit and must include a tunnel. Route-based VPNs support the exchange of dynamic routing information through VPN tunnels. You can enable an instance of a dynamic routing protocol, such as OSPF, on an st0 interface that is bound to a VPN tunnel.

What is route-based VPN?

A route-based VPN is a configuration in which an IPsec VPN tunnel created between two end points is referenced by a route that determines which traffic is sent through the tunnel based on a destination IP address.

What VPN types are supported by ASA?

For VPN Services, the ASA 5500 Series provides a complete remote-access VPN solution that supports numerous connectivity options, including Cisco VPN Client for IP Security (IPSec), Cisco Clientless SSL VPN, network-aware site-to-site VPN connectivity, and Cisco AnyConnect VPN client.

Does Cisco AnyConnect route all traffic?

With AnyConnect, the client passes traffic to all sites specified in the split tunneling policy you configured, and to all sites that fall within the same subnet as the IP address assigned by the ASA. For example, if the IP address assigned by the ASA is 10.1.

How do I configure IPsec on ASA firewall?

Procedure:
1. To set the connection type to IPsec LAN-to-LAN, enter the tunnel-group command. ...
2. To set the authentication method to use a preshared key, enter the ipsec-attributes mode and then enter the ikev1 pre-shared-key command to create the preshared key. ...
3. Save your changes.

Does Cisco AnyConnect use IPsec or SSL?

Anyconnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes: Clientless WebVPN.

How do I know if IPSec is working?

There are three tests you can use to determine whether your IPsec is working correctly:
1. Test your IPsec tunnel.
2. Enable auditing for logon events and object access.
3. Check the IP security monitor.

How do I fix the problem of Windows 10 not connecting to IPSec L2TP VPN servers?

How to FIX: Can't connect to VPN. L2TP connection between your computer and the VPN server could not be established on Windows 10.
1. Ensure that the required L2TP/IPsec ports are enabled on the VPN server's side. ...
2. Connect to the VPN via another device or network. ...
3. Delete and recreate the VPN connection.

Which log file should be used when troubleshooting IPSec site to site VPN connection problems?

Logs using IKEv2 for the key exchange.

What is VPN troubleshooting purpose?

VPNs use a point-to-point tunneling protocol to facilitate a secure and anonymous internet connection for you. Unless you have very significant security concerns, you do not need to know the technical details behind these protocols beyond the fact that changing the protocol can sometimes resolve connection issues.

IPSec tunnel up but passing no traffic - The Spiceworks Community

seen some odd things with IKE versions not auto negotiating (had to set IKE v1) between Pfsense & Checkpoint (& interestingly Sophos XG, which is I think the same IPSEC Stack as Pfsense) possibly worth checking even though this is Phase 1 so the tunnel shouldn't show as up (I can't remember if the tunnels showed as up or not) .

ASA Site to Site tunnel no transmit traffic for some subnets ... - Cisco

Solved: Hello, we have a really strange site to site tunnel issue on several ASAs. We are running VPN tunnels between a small site and three bigger ones. The small office has an ASA 5505, the other three ones are ASA 5510. One of the tunnels is

How can I reset a VPN tunnel on a Cisco ASA?

On a site-to-site VPN using an ASA 5520 and 5540, respectively, I noticed that from time to time traffic doesn't pass any more; sometimes there's even traffic missing just for one specific traffic selection / ACL while other traffic over the same VPN is running.

How can I confirm that traffic is going over a l2l VPN tunnel?

This happens mostly due to routing issues or a firewall blocking ESP. On the VPN end-point where encaps=0, verify that the routing is correct. The show command output reveals that packets are coming from the remote end, but this side does not know how to reach the other end.
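The encaps/decaps reading used in the two answers above (increasing counters mean traffic flows; a zero encaps counter points at this end's routing, a zero decaps counter at the peer or at ESP being blocked) can be scripted so that every SA on a busy ASA is classified at once. The following is an added example, not code from the original page or from Cisco: it parses a constructed sample of "show crypto ipsec sa" output (the field layout is assumed from typical ASA output; addresses are documentation ranges) and names, per SA, which end to look at first.

```python
"""Classify IPsec SAs from `show crypto ipsec sa` output by their encaps/decaps counters.

Added example (not from the original page). The sample output below is constructed
to resemble ASA output; the field layout is an assumption.
"""
import re

# Constructed sample: two SAs on one ASA, addresses from documentation ranges.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 4412, #pkts encrypt: 4412, #pkts digest: 4412
      #pkts decaps: 4390, #pkts decrypt: 4390, #pkts verify: 4390
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sas(text):
    """Split the output into one block per 'Crypto map tag' line and pull out
    the identities, the peer and the packet counters of each SA."""
    blocks = re.split(r"\n(?=\s*Crypto map tag:)", text)
    sas = []
    for block in blocks:
        if "Crypto map tag:" not in block:
            continue  # the 'interface:' header before the first SA, or an empty split
        sas.append({
            "local": LOCAL_RE.search(block).group(1),
            "remote": REMOTE_RE.search(block).group(1),
            "peer": PEER_RE.search(block).group(1),
            "encaps": int(ENCAPS_RE.search(block).group(1)),
            "decaps": int(DECAPS_RE.search(block).group(1)),
        })
    return sas


def diagnose(sa):
    """Map the counter pattern to the next thing to check: zero encaps means this
    side never sends into the tunnel, zero decaps means nothing arrives from the peer."""
    if sa["encaps"] > 0 and sa["decaps"] > 0:
        return "passing"
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "no-encaps: this side is not sending; check routing and NAT toward the remote subnet on this end"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "no-decaps: nothing arrives from the peer; check the peer's routing/NAT and that ESP or UDP 4500 is not blocked"
    return "idle: no interesting traffic has matched this SA in either direction"


def report(text):
    """Return {(local ident, remote ident, peer): diagnosis} for every SA in the output."""
    return {(sa["local"], sa["remote"], sa["peer"]): diagnose(sa) for sa in parse_ipsec_sas(text)}


if __name__ == "__main__":
    for key, verdict in report(SAMPLE_OUTPUT).items():
        print(key, "->", verdict)
```

Run it against a live capture with report(open("ipsec-sa.txt").read()); the first constructed SA is the encaps=0 case the answer describes, the second is healthy.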

Cisco IPSec Pass-through on ASA 5505 not working

I have been busting my brain for a few days now and I have so far not been able to figure out what the issue here is. The Problem: I am unable to establish a Client-to-ASA IPSec tunnel from behind

Why does my VPN have routing issues?

Note: The routing issue occurs if the pool of IP addresses assigned to the VPN clients overlaps with the internal networks of the head-end device. For further information, refer to the Overlapping Private Networks section.

Why is there no VPN tunnel?

If there is no indication that an IPsec VPN tunnel comes up at all, it possibly is due to the fact that ISAKMP has not been enabled. Be sure that you have enabled ISAKMP on your devices. Use one of these commands to enable ISAKMP on your devices:

What is ISAKMP Keepalives?

If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN tunnels (including VPN client tunnels) and tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

Why does IPSEC VPN have padding error?

The issue occurs because the IPSec VPN negotiates without a hashing algorithm. Packet hashing ensures integrity check for the ESP channel. Therefore, without hashing, malformed packets are accepted undetected by the Cisco ASA and it attempts to decrypt these packets. However, because these packets are malformed, the ASA finds flaws while decrypting the packet. This causes the padding error messages that are seen.

How to enable NAT-T on VPN?

Choose Configuration > Tunneling and Security > IPSEC > NAT Transparency > Enable: IPsec over NAT-T in order to enable NAT-T on the VPN Concentrator.

How to check if a VPN tunnel is established?

If the tunnel has been established, go to the Cisco VPN Client and choose Status > Route Details to check that the secured routes are shown for both the DMZ and INSIDE networks.

What is NAT-T on a Linksys router?

NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.

What is an ASA response?

The ASA generates a response to the IKE_AUTH message and prepares to authenticate itself to the client.

Why does ASA use Auth?

The ASA sends the AUTH payload in order to request user credentials from the client. The ASA sends the AUTH method as 'RSA,' so it sends its own certificate to the client, so the client can authenticate the ASA server.

Why does the client omit the Auth payload from message 3?

The client omits the AUTH payload from message 3 in order to indicate a desire to use extensible authentication. When Extensible Authentication Protocol (EAP) authentication is specified or implied by the client profile and the profile does not contain the <IKEIdentity> element, the client sends an ID_GROUP type IDi payload with the fixed string *$AnyConnectClient$*. The client initiates a connection to the ASA on port 4500.

Is EAP authentication allowed?

Authentication is done with EAP. Only a single EAP authentication method is allowed within an EAP conversation. The ASA receives the IKE_AUTH message from the client.


What happens when a VPN user terminates a session?

Normally when the remote VPN user terminates the session, the anyconnect installer will be uninstalled. The anyconnect keep-installer installed command leaves it installed on the user’s computer.

When remote users connect to our WebVPN, do they have to use HTTPS?

The following option is not required but useful, whenever someone accesses the ASA through HTTP then they will be redirected to HTTPS:

What happens when you have an inbound access list?

When you have an inbound access-list on the outside interface then all your decrypted traffic from the SSL WebVPN has to match the inbound access-list. You can either create some permit statements for the decrypted traffic or you can just tell the ASA to let this traffic bypass the access-list:

What is AnyConnect VPN?

Anyconnect is the replacement for the old Cisco VPN client and supports SSL and IKEv2 IPsec. When it comes to SSL, the ASA offers two SSL VPN modes: Clientless WebVPN. AnyConnect VPN. The clientless WebVPN method does not require a VPN client to be installed on the user’s computer. You just open your web browser, ...

Why does my client try to download AnyConnect?

The client tries to download AnyConnect automatically; this is because of the “anyconnect ask none default anyconnect” command that we used. Since we are using a self-signed certificate you will get the following error message:

What is the IP address of AnyConnect?

You can see that we received IP address 192.168.10.100 (the first IP address from the VPN pool). Anyconnect creates an additional interface, just like the legacy Cisco VPN client does.

What is ANYCONNECT_POLICY?

The group policy is called “ANYCONNECT_POLICY” and it’s an internal group policy which means that we configure it locally on the ASA. An external group policy could be on a RADIUS server.

What is site to site IPSEC VPN?

Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have branch sites that obtain a dynamic public IP from the Internet ISP, for example an ADSL connection. One important note is that Site-to-Site VPN with Dynamic remote routers P...

Can ASA create NAT negate rule?

No, the ASA won't "automatically" create a NAT negate rule; you might want to NAT.


Introduction

This document describes how to understand debugs on the Cisco Adaptive Security Appliance (ASA) when Internet Key Exchange Version 2 (IKEv2) is used with a Cisco AnyConnect Secure Mobility Client. This document also provides information on how to translate certain debug lines in an ASA configuration. This document does not describe how to pass traf...

Prerequisites

Requirements

Cisco recommends that you have knowledge of the packet exchange for IKEv2. For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging.

Components Used

The information in this document is based on these software and hardware versions:
1. Internet Key Exchange Version 2 (IKEv2)
2. Cisco Adaptive Security Appliance (ASA) Version 8.4 or later
The information in this document was created from the devices in a specific lab environment. All …

CORE Issue

The Cisco Technical Assistance Center (TAC) often uses IKE and IPSec debug commands in order to understand where there is a problem with IPSec VPN tunnel establishment, but the commands can be cryptic.

Scenario

ASA Configuration

This ASA configuration is strictly basic, with no use of external servers.

XML File

Note: The UserGroup name in the XML client profile must be the same as the name of the tunnel-group on the ASA. Otherwise, the error message 'Invalid Host Entry. Please re-enter' is seen on the AnyConnect client.

Debug Logs and Descriptions

Note: Logs from the Diagnostics and Reporting Tool (DART) are generally very chatty, so certain DART logs have been omitted in this example due to insignificance.

Tunnel Verification

AnyConnect

Sample output from the show vpn-sessiondb detail anyconnect command is:

ISAKMP

Sample output from the show crypto ikev2 sa command is: Sample output from the show crypto ikev2 sa detail command is:

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related. In most cases, if the person launching the VPN client is behind a device that is performing NAT (Home Router, Access Point, Firewall, etc.) then the device will BREAK the NO N…

Solution

Enable nat-traversal; this is a global configuration setting and will not affect any other site-to-site or client-to-gateway VPNs you are currently running.

Option 1 Connect to the ASA Via Command Line

Go to enable mode > Configure Terminal mode > and issue a “crypto isakmp nat-traversal 20” command > Then save the change with a “write mem” command.

Option 2 Connect to the ASA Via ASDM – Version used here is 6.2.(5)

If you can find this in the ASDM post version 7 – You are better than me! Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick the “Enable IPsec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I’ve done that and it’s still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a “show run nat” command > Make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below.
2. Make sure the correct network(s) are in the correct groups.
3. Also make sure you don’t have any legacy NAT rules breaking things.

On a Firewall Older th...
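The three checks above (an identity static-to-static rule exists, it covers the right networks, and no earlier legacy rule translates the traffic first) can be run against a saved configuration instead of by eye. This is an added example, not code from the original page or from its author: it parses a constructed 8.3-style configuration with “object network” definitions and manual “nat” lines, evaluates the rules in ASA section order (manual rules first in config order, “after-auto” rules last; object NAT in section 2 is not modelled, which is a simplifying assumption), and reports whether the first rule that matches an inside host talking to a VPN address is an exemption. Object names, addresses and the sample configurations are constructed; the same check works for a remote site subnet or a client pool.

```python
"""Check an ASA 8.3+ configuration for a NAT exemption (identity rule) that keeps
inside -> VPN traffic from being translated.

Added example (not from the original page). Object names, addresses and the
sample configurations are constructed; object NAT (section 2) is not modelled.
"""
import ipaddress
import re

# Constructed network objects shared by the sample configurations below.
OBJECTS = """\
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL
 subnet 192.168.10.0 255.255.255.0
"""

# Exemption in section 1, dynamic PAT pushed to section 3 with after-auto: correct.
CONFIG_GOOD = OBJECTS + """\
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
"""

# Legacy PAT rule left in section 1 ahead of the exemption: it matches first, so VPN traffic is translated.
CONFIG_BAD = OBJECTS + """\
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
"""

NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) (?:(after-auto) )?source (static|dynamic) (\S+)"
    r"(?: (?!destination\b)(\S+))?"  # mapped source object, never the 'destination' keyword
    r"(?: destination static (\S+)(?: (?!no-proxy-arp|route-lookup|service\b)(\S+))?)?"
)
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_objects(config):
    """Collect 'object network NAME' blocks that carry a subnet or host line."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith("subnet "):
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(line.split()[1] + "/32")
        elif not raw.startswith(" "):
            current = None  # left the object block
    return objects


def resolve(name, objects):
    if name in ("any", "any4"):
        return ANY
    return objects[name]  # a KeyError on an unknown object name is deliberate


def parse_nat_rules(config, objects):
    """Return manual NAT rules in ASA evaluation order: section 1 (no after-auto)
    in config order, then section 3 (after-auto) in config order."""
    rules = []
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        _in_if, _out_if, after_auto, kind, src, src_mapped, dst, dst_mapped = m.groups()
        rules.append({
            "line": raw.strip(),
            "section": 3 if after_auto else 1,
            "src": resolve(src, objects),
            "dst": resolve(dst, objects) if dst else ANY,
            # 'source static X X destination static Y Y' is an identity (exemption) rule
            "identity": kind == "static" and src_mapped in (None, src) and dst_mapped in (None, dst),
        })
    rules.sort(key=lambda r: r["section"])  # stable sort keeps config order within a section
    return rules


def first_matching_rule(rules, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule["src"] and d in rule["dst"]:
            return rule
    return None


def check_vpn_exemption(config, inside_host, vpn_client):
    """Classify the first NAT rule hit by inside_host -> vpn_client."""
    rules = parse_nat_rules(config, parse_objects(config))
    rule = first_matching_rule(rules, inside_host, vpn_client)
    if rule is None:
        return "missing: no manual NAT rule covers this flow; add a static identity rule for the VPN network"
    if rule["identity"]:
        return "ok: " + rule["line"]
    return "broken: this rule translates the traffic before any exemption can match: " + rule["line"]


if __name__ == "__main__":
    for name, cfg in (("good", CONFIG_GOOD), ("bad", CONFIG_BAD), ("objects only", OBJECTS)):
        print(name, "->", check_vpn_exemption(cfg, "10.1.1.10", "192.168.10.100"))
```

Feeding the good configuration a host that is not in INSIDE-NET (check 2 above, the wrong network in the object) also comes back as "broken", because that flow falls through to the after-auto PAT rule.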

Bug

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR modu…
