Vpn – ASA 5510 AnyConnect SSL VPN to Windows 3.1 client – connected but no traffic routed

cisco-anyconnectcisco-asasslvpnvpn

ASA version 9.1 configured with SSL VPN to Windows AnyConnect Secure Mobility Client version 3.1. VPN Filter ACL is configured to allow all traffic and ICMP, and is attached to group policy.

Problem:

VPN connects successfully (AnyConnect client says "connected") but cannot route any traffic over the VPN. Cannot ping any internal host behind the ASA,

Observations:

Internal network (behind ASA): 10.111.11.0/24
Network on client computer: 192.168.1.0/24 (sits behind another ASA – that is not relevant though because doesn't work on other n/w having no ASA firewall either)

ASDM reports one AnyConnect session active on the ASA. Reports also that the above ACL is going to be used. The first rule of that ACL (see below config) got 1900 hits so traffic arrives but seems to not find its way back? VPN ACLs are meant to automatically be bidirectional so it SHOULD work.

On the Windows client computer I can see a Cisco network adapter has been created when the VPN connects with IP address 192.168.20.1. Network configuration claims that 192.168.20.2 is the default gateway, which should be the ASA – but I cannot ping 192.168.20.2.
A "route print" on the client computer shows 192.168.20.2 to be the default gateway as well.
(These addresses are valid – they are assigned from local pool RemoteWorkerPool 192.168.20.1-192.168.20.254, see below config).

I cannot ping the client IP address (192.168.20.1) from within the ASA (does the AnyConnect client respond to the ping usually?)

Running a "show vpn-sessiondb detail svc filter name " command shows "Filter name: RemoteVPNACL" in the SSL section, which fits to my configuration – the ACL is being used.

SSL Ciphers:

A "show ssl" command brings up the following:

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
  outside interface: TrustPoint1
  NP Identity Ifc interface:
Certificate authentication is not enabled

This also seems okay – I use username / password authentication. I could not find anything in Cisco documentation that the 3.1 client would not work with ASA version 9.1, but it's not 100% clear.

Solution Attempts:

Configuration was originally created by ASDM wizard and resulted in this problem. Have re-created the configuration plainly from CLI, same result.

Connected the Windows client to another internet connection which is not behind any firewall. Same result – VPN connects but no traffic can flow.

Have configured IPSec VPN for AnyConnect on top of this configuration – same result, I get a connection, but no traffic flows.

The Cisco VPN troubleshooter did not give me any useful hint.

I am sure there is a very basic error somehwere, but cannot find it. I am lacking knowledge on how one goes about debugging or troubleshooting AnyConnect VPN connections apart from above.

Configuration (relevant parts):


crypto key generate rsa label RSA_KEYPAIR noconfirm

crypto ca trustpoint TrustPoint1
   revocation-check none
   id-usage ssl-ipsec
   no fqdn
   subject-name CN=ASA
   enrollment self
   keypair RSA_KEYPAIR

crypto ca enroll TrustPoint1 noconfirm
ssl trust-point TrustPoint1 outside

ip local pool RemoteWorkerPool 192.168.20.1-192.168.20.254

sysopt connection permit-vpn 

access-list RemoteVPNACL permit ip 192.168.20.0 255.255.255.0 any 
access-list RemoteVPNACL permit icmp 192.168.20.0 255.255.255.0 any 

group-policy RemoteWorkerPolicy internal
group-policy RemoteWorkerPolicy attributes
  vpn-tunnel-protocol ssl-client
  address-pools value RemoteWorkerPool
  vpn-filter value RemoteVPNACL
  dns-server value 10.111.11.5
  vpn-idle-timeout 30

username nepclientvpn password xxxxxxxxxxxxx
username nepclientvpn attributes
  vpn-group-policy RemoteWorkerPolicy

tunnel-group vpnclient type remote-access   

tunnel-group vpnclient general-attributes
  address-pool RemoteWorkerPool
  default-group-policy RemoteWorkerPolicy

tunnel-group vpnclient webvpn-attributes
  group-alias nepRemote1 enable 

webvpn
  tunnel-group-list enable 
  anyconnect image disk0:/anyconnect-win-3.1.05182-k9.pkg 1
  anyconnect image disk0:/anyconnect-macosx-i386-3.1.05160-k9.pkg 2
  enable outside
  anyconnect enable

Best Answer

If both sides indicate that there is a security association established, then it's like the encryption is working and there is some other problem.

One thing to check out is what is the default gateway for the machines that are on the LAN and do they have a way to route packets to 192.168.1.0/24.

Related Solutions

Cisco – Migrating from PIX/VPN 3000 to ASA

Regarding question 1 on mobile device licensing

Per your comment below, I did a couple tests on our ASA5525-X which has Essentials/Mobile licenses. I was indeed able to limit access using Dynamic Access Policies. I setup a test policy allowing only iOS devices on iPad2,7 models to connect in a new policy. Then I setup the default policy to terminate sessions. This worked and allowed my Verizon iPad Mini to connect but not my iPhone. Here is the license breakdown:

Session Type: AnyConnect

Username     : <user>                 Index        : 40
Assigned IP  : 10.10.121.1            Public IP    : 70.194.2.165
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials, AnyConnect for Mobile
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 3200                   Bytes Rx     : 940
Group Policy : anyconnect-split-policy
Tunnel Group : anyconnect-split-group
Login Time   : 11:46:24 EDT Fri Jun 7 2013
Duration     : 0h:01m:52s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Note: When configuring these settings, if you don't have the "Apply" button highlight afterwards, you will need to do something in ASDM that will activate the button and allow you to click it. None of the DAP settings for AnyConnect specifics would apply automatically nor trigger the Apply button so I could apply the settings. I had to go modify another setting, click apply, modify the setting back, click apply. This was using ASDM 7.1 on a 9.1.2 ASA5525-X.

Regarding question 2 on the licensing:

There are no client-side licensing options that I am aware of. The only license not necessarily tied to the ASA directly is the AnyConnect Premium which may be pulled off of a "server" ASA with a pool of session licenses for multiple "client" ASAs. In the end, they're applied to an ASA still.

Source:http://www.cisco.com/en/US/docs/security/asa/asa91/license/license_management/license.html

Cisco ASA AnyConnect – Authenticate using RSA token, Assign policy based on AD Group

My understanding is that when using the SDI protocol for RSA integration, you cannot pass group/class info. However, if you reach the RSA server using RADIUS, then the RSA server can be configured to return a RADIUS Class attribute of the format "OU=group-policy-name;" which is then used to match a group-policy name in the ASA config. I've done it this way with another customer. For example:

aaa-server RSA protocol radius
aaa-server RSA (inside) host 10.1.1.50
 key *****
 authentication-port 1812
 accounting-port 1813

Then, you would have a group-policy that fails closed (I usually call it "NOACCESS") that sets "vpn-simultaneous-logins" to 0 which drops the connection, like so:

group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

You would then have one or more group-policies that describe your VPN users and override the "vpn-simultaneous-logins" value with a non-zero value (I usually set it back to the default value of 3), like this:

group-policy Users internal
group-policy Users attributes
 vpn-simultaneous-logins 3
 <other VPN policy settings go here>

Finally, your tunnel-group would be set to use the RSA server (via RADIUS) for the authentication server, and then the default group policy is set to the "NOACCESS" group to force the group to fail closed if the RADIUS Class value isn't returned:

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RSA
 default-group-policy NOACCESS

The important notes with this solution are:

The Class attribute returned by RADIUS must be (without quotes, note the very important semi-colon) "OU=group-policy-name;"
The "group-policy-name" returned in the Class attribute must be an exact match for the group-policy name configured in the ASA, including matching case.

The behavior is that the user's session will inherit the default group-policy value of "NOACCESS" and be assigned the attribute of "vpn-simultaneous-logins 0" if no matching RADIUS Class attribute is returned. If a Class attribute which matches the name of a group-policy in the ASA is returned, the user session is assigned that group-policy instead, which then overrides the inherited default "vpn-simultaneous-logins" value and allows them to continue their login.

I've used this RADIUS configuration regularly for years, and a customer I worked with discovered the RSA requirement that RADIUS be used to pass the Class attribute for group assignment. Unfortunately I do not know the RSA setup to do the group mapping or return the attributes, but this thread and this thread may prove helpful there.

Best Answer

Related Solutions

Cisco – Migrating from PIX/VPN 3000 to ASA

Cisco ASA AnyConnect – Authenticate using RSA token, Assign policy based on AD Group

Related Topic