4 Replies Latest reply: Oct 23, 2018 10:08 AM by Chekol

    ASA Anyconnect Issue

    Mohd Ali

      Hi Experts,

      I am from an R&S background, working on ASA, and have configured AnyConnect with a split ACL.

      The customer is using a RADIUS server for authentication and has some remote sites that are connected to the ASA over a VPLS circuit.

      OSPF is configured between all sites over the VPLS circuit, and all NAT is configured on the ASA for the remote sites' LAN subnets.

      Issue 1: The customer is unable to connect using his RADIUS credentials, though it works with local authentication.

      Issue 2: After connecting through AnyConnect, the customer is able to reach the internet but unable to reach the other remote sites.

      How can I use capture or console debugging to see the traffic related to the above issues? The ASA is in production, so I need a more specific troubleshooting approach.

      Let me know if more info is required.

        • 1. Re: ASA Anyconnect Issue
          Sergey

          Mohd Ali,

          The first issue sounds like there is an issue with RADIUS authentication. Things to check there are: can the ASA reach the RADIUS server? Is the ASA configured as a RADIUS client? Is the shared key correct on the ASA and on the RADIUS server?

          With regards to the other issue, if you are using split tunneling, there might be an access list in place restricting access to anything other than the internet. It is hard to say more without seeing any of the config.
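An illustrative ASA configuration for the split-tunnel check Sergey describes, added here as an example and not taken from the thread or from Cisco documentation. The group-policy name GP_ANYCONNECT, the list name SPLIT_TUNNEL and the 10.10.0.0/16 remote-site LAN are placeholders; 192.168.35.0/24 is derived from the "inside" interface address shown later in the thread.

```text
! Added example (not from the thread). Assumed names: GP_ANYCONNECT (AnyConnect group-policy),
! SPLIT_TUNNEL (split-tunnel list), 10.10.0.0/16 (placeholder remote-site LAN).
! 192.168.35.0/24 is the "inside" subnet visible in the interface listing in this thread.

! With the policy "tunnelspecified", only networks listed here are sent into the tunnel.
! Anything else leaves the client's local internet connection and never reaches the ASA,
! so a remote-site subnet missing from this list looks exactly like
! "internet works, remote sites do not".
access-list SPLIT_TUNNEL standard permit 192.168.35.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.0.0 255.255.0.0

group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verification on the ASA: which list the policy references and what it contains
show running-config group-policy GP_ANYCONNECT
show access-list SPLIT_TUNNEL

! Verification on the client: the remote-site subnet must appear under "Secured Routes"
! in the AnyConnect client's Route Details. If it is absent, the client sends that traffic
! un-tunnelled and no capture on the ASA will ever see it.
```

The client-side check is the quickest way to split the problem in two: if the remote-site route is not in the client's secured routes, the fix is on the split-tunnel list and no ASA NAT or routing debugging will help; if it is present, the packet is reaching the ASA and the next steps are NAT, routing and captures on the firewall.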

          • 2. Re: ASA Anyconnect Issue
            Mohd Ali

            Thanks for the response, Sergey.

            The authentication issue has been resolved. I used the commands below to see the interesting traffic and isolate the same.

            PS: I just placed the 'password-management' command under the group-policy and the issue got resolved.

            test aaa-server authentication <aaa-server group name> username <username>

            debug radius all

            The second issue still persists, where users are unable to access their remote sites; I need your help here.

            Could you confirm what the ingress and egress ports for the traffic on the ASA would be, so that I can capture packets and see the live traffic?

            Interface details

            Current IP Addresses:

            Interface                Name                   IP address      Subnet mask     Method
            GigabitEthernet1/1       primary_wan            unassigned      unassigned      DHCP
            GigabitEthernet1/1.10    primary_management     100.127.x.y     255.255.255.254 CONFIG
            GigabitEthernet1/1.20    primary_internet       174.78.x.y      255.255.255.240 CONFIG
            GigabitEthernet1/1.30    primary_vpls           192.168.1.1     255.255.255.0   CONFIG
            GigabitEthernet1/3.13    guest                  192.168.13.1    255.255.255.0   CONFIG
            GigabitEthernet1/3.35    inside                 192.168.35.254  255.255.255.0   CONFIG
            GigabitEthernet1/8       firepower              192.168.222.2   255.255.255.252 CONFIG

            Thanks!!

            • 3. Re: ASA Anyconnect Issue
              Aref - CCNPx2 (R&S - Security) / Network+ / Security+

              Fixing the first issue by using password management would mean that MSCHAPv2 is required for the communication between the ASA and the authenticating RADIUS server.

              Regarding the second issue, if the ASA will be used as a transitive device, then you should verify the encryption domains and the NAT rules on both the transitive ASA and the remote ASA or routers. On the transitive ASA you should have a U-turn NAT rule for the traffic coming from the AnyConnect clients destined to the remote sites on the same interface. Another thing to verify is whether you have applied the command same-security-traffic permit intra-interface, which is required in this case.

              • 4. Re: ASA Anyconnect Issue
                Chekol

                As Aref stated, you should permit same-security-traffic if the same interface is used to terminate AnyConnect and route to the remote site. If the remote site is accessible through a different interface, make sure you have NAT and a route to it. Use packet-tracer to see the egress and ingress interface.

                packet-tracer input PRIMARY_INTERNET tcp AC_CLIENT_IP 1234 REMOTE_IP 4567
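An illustrative set of ASA configuration lines and checks for the NAT, route and packet-tracer steps described by Aref and Chekol, added here as an example and not taken from the thread or from Cisco documentation. The interface names primary_internet and primary_vpls are from the interface listing in this thread; the AnyConnect address pool 192.168.100.0/24, the remote-site LAN 10.10.0.0/16, the host 10.10.1.20, and the object and capture names are placeholders. It assumes AnyConnect terminates on primary_internet and the remote sites are reached through primary_vpls, which is the topology the thread describes.

```text
! Added example (not from the thread). Assumptions: AnyConnect terminates on primary_internet,
! remote-site LANs sit behind primary_vpls, the AnyConnect pool is 192.168.100.0/24 and a
! remote-site LAN is 10.10.0.0/16 (pool, LAN, host and object names are placeholders).

object network AC_POOL
 subnet 192.168.100.0 255.255.255.0
object network REMOTE_SITES
 subnet 10.10.0.0 255.255.0.0

! 1. NAT exemption (identity twice NAT) so client <-> remote-site traffic is not caught by
!    a dynamic PAT. "route-lookup" makes the ASA pick the egress interface from the routing
!    table (the OSPF-learned routes) instead of from the NAT rule's interface pair.
nat (primary_internet,primary_vpls) source static AC_POOL AC_POOL destination static REMOTE_SITES REMOTE_SITES no-proxy-arp route-lookup

! 2. Only required when the remote sites are reached back out the SAME interface the
!    AnyConnect session terminates on (the case Aref describes); harmless otherwise.
same-security-traffic permit intra-interface

! 3. Route check in both directions: the ASA must route the remote LAN via primary_vpls,
!    and the remote site must have a return route for the pool (advertise the pool in OSPF
!    or add a static route on the remote router).
show route 10.10.1.20

! 4. Simulate a client packet. The end of the output names the egress interface and, if the
!    packet is dropped, the phase (NAT, ACL, ROUTE-LOOKUP) responsible.
packet-tracer input primary_internet tcp 192.168.100.10 1234 10.10.1.20 445 detailed

! 5. Live captures once the egress interface is known. The ingress capture goes on the
!    AnyConnect interface: decrypted client packets are matched there.
capture AC_IN interface primary_internet match ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.0.0
capture AC_OUT interface primary_vpls match ip 192.168.100.0 255.255.255.0 10.10.0.0 255.255.0.0
show capture AC_IN
show capture AC_OUT
! AC_IN has packets but AC_OUT is empty: the drop is on the ASA (NAT, route or ACL).
! AC_OUT shows requests but no replies: the remote site has no return route for the pool.
no capture AC_IN
no capture AC_OUT
```

On a production box the captures are the low-impact option: they match only the pool-to-remote-site traffic and are removed with no capture afterwards, whereas debug output on a busy ASA can be costly, so packet-tracer and scoped captures should come before any debug.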