[c-nsp] ASA5512x VPN route issue

Lee Starnes lee.t.starnes at gmail.com
Mon Jun 30 17:22:36 EDT 2014


Hello,

We just setup a new ASA 5512x running v9.1(2). We have about 30 remote
Anyconnect SSL vpns and an IPSec tunnel to a remote LAN. We have been able
to get all the VPN connections up and passing traffic such that remote VPNs
can reach the LOCAL LAN The LOCAL LAN can reach the REMOTE LAN, THE VPNs
can get Internet access via NAT. The one thing we can't seem to get working
is the VPNs to reach the REMOTE LAN. The REMOTE LAN does know about these
IP blocks. Doing a packet-tracer, It hangs on the following.

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fffa08adb40, priority=70, domain=svc-ib-tunnel-flow, deny=false
        hits=450, user_data=0x39000, cs_id=0x0, reverse, flags=0x0,
protocol=0
        src ip/id=192.168.95.7, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


VPN clients are in 192.168.95.0/24
LAN is on 10.158.95.0/24
REMOTE LAN is on 10.158.58.0/24

VPN clients are setup to tunnel all traffic.

Any idea where to look to resolve this one issue?


-Lee


More information about the cisco-nsp mailing list