Cisco VPN Client Connects but no traffic will Pass

Note: May also be asked as, Client VPN connects but cannot ping anything behind the Firewall.

KB ID 0000199

Problem

If I had a pound for every time I’ve seen this either in the wild, or asked in a forum, I would be minted! In nearly every case the problem is NAT related.

In most cases, if the person launching the VPN client is behind a device that is performing NAT (home router, access point, firewall, etc.), then that device will BREAK the NO NAT, or “nat 0” on pre-8.3 firewalls (that’s the command that says “DON’T change the address of my remote VPN client as it passes up and down the VPN tunnel”).

Update 08/09/16: Due to a bug, I found an exception to this problem being broken NAT (see below)

Solution

Enable nat-traversal. This is a global configuration setting and will not affect any other site-to-site or client-to-gateway VPNs you are currently running.

Option 1 Connect to the ASA Via Command Line.

Then go to enable mode > Configure Terminal mode > issue a “crypto isakmp nat-traversal 20” command > then save the change with a “write mem” command.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# crypto isakmp nat-traversal 20
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d

7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Petes-ASA#

[/box]

Option 2 Connect to the ASA Via ASDM (version used here is 6.2(5))

If you can find this in the ASDM post version 7 – You are better than me!

Navigate to > Configuration > Remote Access VPN > Advanced > IKE Parameters > Tick “Enable IPSec over NAT-T” option > Set the “NAT Keepalive” to 20 seconds > Apply > File > Save running configuration to flash.

I’ve done that and it’s still not working?

On a Firewall Running 8.3 (or Newer)

1. On the firewall issue a “show run nat” command > make sure there is a NAT statement that has static (the network behind the ASA) to static (the remote VPN network). I’ve highlighted it below.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.

Petes-ASA>enable
Password: ********
Petes-ASA# show run nat 
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Media_PC
nat (inside,outside) static interface service tcp 123 123
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
PetesASA#

[/box]

2. Make sure the correct network(s) are in the correct groups.

[box]

PetesASA# show run object
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0 <- Subnet behind the ASA
object network obj-10.253.253.0 <- Remote VPN Subnet
subnet 10.253.253.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Media_PC
host 10.254.254.5
PetesASA#

[/box]

3. Also make sure you don’t have any legacy nat rules breaking things.
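To make the three checks above repeatable, here is an added Python example (it is not from the article and not a Cisco tool). It parses the “show run nat” and “show run object” excerpts quoted above, embedded as constructed sample text, keeps only the twice-NAT rules whose real and mapped objects are identical (the 8.3+ form of a NAT exemption), and reports whether a given VPN pool range is fully covered for the inside subnet.

```python
import ipaddress
import re

# Constructed sample input: the "show run nat" and "show run object" excerpts
# from this article (8.3+ syntax), without the inline annotations.
TWICE_NAT = """\
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-10.253.253.0 obj-10.253.253.0 route-lookup
nat (outside,outside) after-auto source dynamic VPN_Pool interface
"""
OBJECTS = """\
object network obj-10.254.254.0
subnet 10.254.254.0 255.255.255.0
object network obj-10.253.253.0
subnet 10.253.253.0 255.255.255.0
object network Media_PC
host 10.254.254.5
"""
NAT_RE = re.compile(r"^nat \(\S+\) (?:after-auto )?source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_objects(text):
    """Map each 'object network' name to the network it defines (hosts become /32)."""
    objects, name = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"]:
            name = words[2]
        elif words[:1] == ["subnet"] and name:
            objects[name] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif words[:1] == ["host"] and name:
            objects[name] = ipaddress.ip_network(f"{words[1]}/32")
    return objects

def identity_nat_exemptions(nat_text, objects):
    """(source, destination) pairs from twice-NAT rules that map both objects to themselves."""
    pairs = []
    for line in nat_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            real_src, mapped_src, real_dst, mapped_dst = m.groups()
            # Only an identity rule (real == mapped on both sides) is a true NAT exemption.
            if real_src == mapped_src and real_dst == mapped_dst and real_src in objects and real_dst in objects:
                pairs.append((objects[real_src], objects[real_dst]))
    return pairs

def pool_is_exempt(nat_text, objects_text, inside_net, pool_range):
    """True if every address in pool_range ("a.b.c.d-w.x.y.z") is a NAT-exempt destination for inside_net."""
    inside = ipaddress.ip_network(inside_net)
    first, last = (ipaddress.ip_address(a) for a in pool_range.split("-"))
    return any(inside.subnet_of(src) and first in dst and last in dst
               for src, dst in identity_nat_exemptions(nat_text, parse_objects(objects_text)))
```

Paste the real output of the two show commands into the two strings; a pool that returns False is one the static-to-static rule does not cover.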

On a Firewall Older than Version 8.3

On the firewall issue a “show run nat 0” command > take note of the access-list name.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# show run nat 0
nat (inside) 0 access-list NO-NAT-TRAFFIC
nat (inside) 1 0.0.0.0 0.0.0.0

[/box]

In this example mine’s called NO-NAT-TRAFFIC (because I like to keep things simple); yours can be called anything (inside_nat0_outbound is the norm if you used the ASDM to set up the VPN).

Now make sure that you have the correct addresses in that access-list: issue a “show run access-list {name}” command.

[box]

Petes-ASA#show run access-list NO-NAT-TRAFFIC
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
Petes-ASA#

[/box]

Above we have two subnets that are going to be exempt from NAT: 10.253.253.0/24 and 10.252.252.0/24. If the range of IP addresses your remote clients are using is NOT on this list, you need to add them.

If you don’t know what addresses they are supposed to be using, then issue a “show run ip local pool” command.

[box]

Petes-ASA#show run ip local pool
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
Petes-ASA#

[/box]

Again I’ve got a sensible naming policy, so we can see what my pools are for. To see which pools are being used for what, issue a “show run tunnel-group” command.

[box]

Petes-ASA# show run tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's my IPSEC VPN's
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL <<< And here's my matching DHCP scope (IPSEC)
authentication-server-group PNL-KERBEROS
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's my SSL VPN's
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL <<< And here's my matching DHCP scope (SSL)
authentication-server-group PNL-KERBEROS
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes
group-alias PNL enable
Petes-ASA#

[/box]

If any of yours are missing then change accordingly.
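The pre-8.3 check above, as an added Python example rather than anything from the article: it parses the “nat 0” access-list and “ip local pool” output shown above (embedded as constructed sample text, with an extra pool EXTRA-POOL added so that a miss shows up) and lists every pool whose address range is not a NAT-exempt destination for the inside subnet.

```python
import ipaddress
import re

# Constructed sample input: the "show run" excerpts from this article, plus one
# extra pool (EXTRA-POOL) that deliberately has no nat 0 entry.
NAT0_ACL = """\
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.253.253.0 255.255.255.0
access-list NO-NAT-TRAFFIC extended permit ip 10.254.254.0 255.255.255.0 10.252.252.0 255.255.255.0
"""
LOCAL_POOLS = """\
ip local pool IPSEC-VPN-DHCP-POOL 10.253.253.1-10.253.253.5
ip local pool SSL-VPN-DHCP-POOL 10.252.252.1-10.252.252.5
ip local pool EXTRA-POOL 10.251.251.1-10.251.251.5
"""
ACL_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)$")

def parse_nat0_acl(text):
    """Return (source_net, destination_net) pairs the access-list exempts from NAT."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:  # the ASA prints netmasks, which ip_network accepts as "addr/mask"
            src, smask, dst, dmask = m.groups()
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs

def parse_pools(text):
    """Return {pool name: (first address, last address)}."""
    pools = {}
    for line in text.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            name, first, last = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
    return pools

def pools_missing_exemption(acl_text, pool_text, inside_net):
    """Names of pools whose whole range is not a NAT-exempt destination for inside_net."""
    inside = ipaddress.ip_network(inside_net)
    exempt_dsts = [dst for src, dst in parse_nat0_acl(acl_text) if inside.subnet_of(src)]
    missing = []
    for name, (first, last) in parse_pools(pool_text).items():
        # Both ends of the pool must sit inside one exempt destination subnet.
        if not any(first in dst and last in dst for dst in exempt_dsts):
            missing.append(name)
    return missing
```

Any pool name it returns needs an access-list entry adding for its subnet.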

BUG (08/09/16)

Had this problem again recently, and after staying on the phone to TAC until 03:00, it turned out to be a bug in the SFR (FirePOWER service module) code. That was causing the firewall to silently drop the AnyConnect traffic. So debugs showed nothing, and packet captures were empty. Fixed by removing ‘sfr fail-open’ from the firewall and upgrading the code by re-imaging the SFR module.

Related Articles, References, Credits, or External Links

NA

Cisco Remote (IPSEC) VPN Clients Timeout / Disconnect

KB ID 0000309 

Problem

By default, your remote VPN clients will time out their connections after 300 seconds of inactivity. Should you wish to increase that you can, on a user-by-user basis; however, sometimes that does not work. To fix the problem you need to disable ISAKMP monitoring at the “Head End”.

Solution

Enable via Command Line

(see below for ASDM instructions)

1. Connect to the firewall (see here for instructions).

2. Login and go to enable mode.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
PetesASA> en
Password: ********

[/box]

3. We need to change the remote access IPSEC VPN tunnel group. To find out what it’s called, issue a “show running-config tunnel-group” command.

The tunnel group we want will have an “ipsec-attributes” entry AND a “remote-access” entry, so in the example below the tunnel group we want is called “IPSEC-VPN-GROUP” (Yours may not be as well named!).

[box]

PetesASA# show running-config tunnel-group
tunnel-group IPSEC-VPN-GROUP type remote-access <<< Here's a remote access group
tunnel-group IPSEC-VPN-GROUP general-attributes
address-pool IPSEC-VPN-DHCP-POOL
authentication-server-group PNL-KERBEROS LOCAL
default-group-policy IPSEC-VPN-POLICY
tunnel-group IPSEC-VPN-GROUP ipsec-attributes <<< Its an IPSEC tunnel :)
pre-shared-key *****
tunnel-group SSL-VPN-POLICY type remote-access <<< Here's a remote access group
tunnel-group SSL-VPN-POLICY general-attributes
address-pool SSL-VPN-DHCP-POOL
default-group-policy SSL-VPN-GROUP-POLICY
tunnel-group SSL-VPN-POLICY webvpn-attributes <<< this ones an SSL group :(
group-alias PNL enable
PetesASA#

[/box]

4. Enter configuration mode (conf t) > then to add the new attribute issue a “tunnel-group {tunnel group name} ipsec-attributes” command > then to disable the keepalives, issue the following command: “isakmp keepalive threshold infinite”.

Finally save your hard work with a “write mem” command.

[box]

PetesASA# conf t
PetesASA(config)# tunnel-group IPSEC-VPN-GROUP ipsec-attributes
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold infinite
PetesASA(config-tunnel-ipsec)# write mem
Building configuration...
Cryptochecksum: 5417d5a1 bee8b082 16c6f19d b3839f13

9379 bytes copied in 1.410 secs (9379 bytes/sec)
[OK]
PetesASA(config-tunnel-ipsec)#

[/box]

Do the same from ASDM.

1. Connect to the ASDM

2. Click Configuration > Remote Access VPN > IPSEC Connection Profiles > {Your IPSEC Policy} > Edit.

3. Select Advanced > IPSEC > and tick “Headend will never initiate keepalive monitoring” > OK > Apply.

4. Finally click File > “Save Running Configuration to Flash”.

Related Articles, References, Credits, or External Links

NA