After upgrading ASA, client VPN failing from site with active LAN to LAN tunnel

Tags: cisco-asa, ipsec, vpn

After upgrading our ASAs from 9.1(1) to newer versions, users were no longer able to connect using native IPsec VPN client software when inside of an office network. From outside networks it still worked just fine.

The office networks have established VPN tunnels covering the IP range that the user's system falls under, but the workflow is to VPN in to gain access to restricted resources.

We verified that disconnecting the LAN to LAN IPsec tunnel to the office allowed the client to connect in successfully.

When debugging the connection attempt's IKE and IPsec, a log entry shows why this is failing:

Skipping dynamic map OUTSIDE_DYN_MAP sequence 100: cannot match peerless map when peer found in previous map entry.

That log entry led to several reports of this issue (1, 2) with information clarifying that this behavior was introduced as a security fix in CSCuc75090, but no real functional workarounds – just recommendations to use the established tunnel or NAT the users to a different address than the tunnel peering is happening over.

Is there an effective workaround to allow for client VPN from these locations again?

Best Answer

Yes, the device can be instructed to accept the client VPN connections from the peer that it already has an open tunnel with.

This is done by updating the dynamic map to include new entries with a configured peer address.

So, with this existing configuration accepting a dynamic connection from any address:

crypto map vpnmap 10 match address peer_acl
crypto map vpnmap 10 set peer 192.0.2.15
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA1
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto dynamic-map OUTSIDE_DYN_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 100 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 100 set reverse-route

...the dynamic map can be edited to allow client VPN connections from the 192.0.2.15 peer:

crypto map vpnmap 10 match address peer_acl
crypto map vpnmap 10 set peer 192.0.2.15
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA1
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 10 set peer 192.0.2.15
crypto dynamic-map OUTSIDE_DYN_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 100 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 100 set reverse-route

...and client IPsec connections will now be allowed from 192.0.2.15 despite having an active LAN to LAN tunnel.
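As an added check written for this post (not part of the question or the answer above), here is a small Python audit that parses ASA `crypto map` lines and flags static LAN to LAN peers that have no peer-specific entry in the attached dynamic map, i.e. the exact condition that produces the "cannot match peerless map" skip after the CSCuc75090 change. The function name and the embedded sample configuration are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the "before" configuration from the answer above,
# trimmed to the lines that matter for the check.
BEFORE_CFG = """\
crypto map vpnmap 10 match address peer_acl
crypto map vpnmap 10 set peer 192.0.2.15
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-SHA1
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto dynamic-map OUTSIDE_DYN_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 100 set reverse-route
"""

# The fix from the answer: a dynamic-map entry that names the L2L peer.
FIX_LINE = "crypto dynamic-map OUTSIDE_DYN_MAP 10 set peer 192.0.2.15\n"

STATIC_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
DYN_ATTACH = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")
DYN_PEER = re.compile(r"^crypto dynamic-map (\S+) (\d+) set peer (.+)$")


def static_peers_without_dynamic_entry(config: str) -> dict:
    """Return {crypto_map_name: [peer, ...]} for static L2L peers whose crypto
    map has a dynamic map attached but no dynamic-map entry naming that peer.
    Client VPN attempts from those peers will be skipped by the peerless map."""
    static = defaultdict(set)      # crypto map -> static peer addresses
    attached = {}                  # crypto map -> attached dynamic map name
    dyn_peers = defaultdict(set)   # dynamic map -> peers with explicit entries
    for raw in config.splitlines():
        line = raw.strip()
        if m := STATIC_PEER.match(line):
            static[m.group(1)].update(m.group(3).split())   # may list several peers
        elif m := DYN_ATTACH.match(line):
            attached[m.group(1)] = m.group(3)
        elif m := DYN_PEER.match(line):
            dyn_peers[m.group(1)].update(m.group(3).split())
    findings = {}
    for cmap, peers in static.items():
        dyn = attached.get(cmap)
        if dyn is None:
            continue  # no dynamic map on this crypto map, so no client VPN via it anyway
        missing = sorted(peers - dyn_peers.get(dyn, set()))
        if missing:
            findings[cmap] = missing
    return findings


if __name__ == "__main__":
    print("before fix:", static_peers_without_dynamic_entry(BEFORE_CFG))
    print("after fix: ", static_peers_without_dynamic_entry(BEFORE_CFG + FIX_LINE))
```

Run it against the output of `show running-config crypto` (Python 3.8 or newer for the `:=` syntax); an empty result means every L2L peer already has a matching dynamic-map entry.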