3 Replies Latest reply: Oct 21, 2018 1:44 PM by Aref - CCNPx2 (R&S - Security) / Network+ / Security+

ASA Anyconnect Issue

Mohd Ali Oct 9, 2018 6:37 AM

Hi Experts,

I am from R & S background, Working on ASA, configured Anyconnect with SpiltACL.

customer is using Radius sever for authentication and have some remote sites those are connected with ASA over VPLS circuit.

OSPF is configured between all sites using VPLS circuit and all NAT is configured on ASA for remote sites LAN subnet.

Issue1: Customer is unable to connect using his radius credentials, though its working for local authentication.

Issue2: After connecting through anyconnect customer is able to reach out internet bu unable to reach other remote sites.

How can i use capture or console debugging to see the traffic related to above issues.. ASA is in production so need more specific troubleshooting way.

let me know if more info is required.

1. Re: ASA Anyconnect Issue

Sergey Oct 11, 2018 5:16 AM (in response to Mohd Ali)

Mohd Ali,

The first issue sounds like there is an issue with Radius authentication. Things to check there are: can ASA reach the Radius server? Is ASA configured as a Radius client? Is the shared key correct on ASA and on Radius server?

With regards to another issue, if you are using split tunneling, there might be an access list in place, restricting access to anything other than internet. It is hard to say more without seeing any of the config.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
2. Re: ASA Anyconnect Issue

Mohd Ali Oct 11, 2018 7:20 AM (in response to Sergey)

Thanks for response Sergey.

Authentication issue has been resolved, I used below commands to see the interesting traffic and isolate the same.

PS : I just placed 'password-management' command under group-policy and issue got resolved.

test aaa-server authentication <aaa-server group name> username <username>
debug radius all

Second issue is still persist,where user is unable to access their remote sites--- i need your help here.

Could you confirm what would be the ingress and egress port for the traffic on ASA so that i can capture packets and see the live traffic??

Interface details
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
GigabitEthernet1/1       primary_wan            unassigned      unassigned      DHCP
GigabitEthernet1/1.10    primary_management     100.127.x.y   255.255.255.254 CONFIG
GigabitEthernet1/1.20    primary_internet       174.78.x.y    255.255.255.240 CONFIG
GigabitEthernet1/1.30    primary_vpls           192.168.1.1     255.255.255.0   CONFIG
GigabitEthernet1/3.13    guest                  192.168.13.1    255.255.255.0   CONFIG
GigabitEthernet1/3.35    inside                 192.168.35.254 255.255.255.0   CONFIG
GigabitEthernet1/8       firepower              192.168.222.2   255.255.255.252 CONFIG

Thanks !!
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register
3. Re: ASA Anyconnect Issue

Aref - CCNPx2 (R&S - Security) / Network+ / Security+ Oct 21, 2018 1:44 PM (in response to Mohd Ali)

Fixing the first issue by using password management would mean that MSCHAPv2 is required for the communication between the ASA and the authentication RADIUS server.

Regarding the second issue, if the ASA will be used as a transitive device, then you should verify the encryption domains and the NAT rules on both the transitive ASA and the remote ASA or routers. On the transitive ASA you should have a U-Turn NAT rule for the traffic coming from the AnyConnect clients destined to the remote sites on the same interface. Another thing to verify if you have applied the command same-security-traffic permit intra-interface which is required in this case.
Like Show 0 Likes (0)

Actions

Join this discussion now: Log in / Register

Go to original post