URL not working when connected with VPN for some users, others do??

Unanswered Question
Apr 19th, 2010

Hi,

We use two ASA 5550s and the AnyConnect client to build up a VPN connection. When users are connected to the ASAs, some users of the same policy cannot access www.zonmw.nl (nothing will be displayed), others can. When we disconnect the VPN, the site is accessible.

What could be the problem here? We tried everything.

Could someone else try to connect to this site with his AnyConnect VPN connection?

thx,

Marc

Jennifer Halim Tue, 04/20/2010 - 04:19

1) Are you 100% sure that the user that connects via AnyConnect is assigned the same policy? Can you double check for both users (ie: the one that can connect to "www.zonmw.nl" and the user that can't) by issuing: show vpn-sessiondb svc filter name

2) Do you have split tunnel configured for the AnyConnect?

3) Just confirming that "www.zonmw.nl" is a webserver on the Internet, not hosted behind the ASA?

MJonkers Tue, 04/20/2010 - 04:24

Hi,

1) Yep, 100% the same, we use AD groups and we checked the RADIUS server logs.

2) Split tunnel is not allowed in our policies

3) yes it's a webserver on the internet.

thx

Marc

MJonkers Tue, 04/20/2010 - 04:36

User who can't access:

Session Type: SVC
Username     : xxx.xxxxx           Index        : 13441
Assigned IP  : 1XX.1XX.1XX.2XX        Public IP    : 1XX.XXX.XXX.XXX
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES256             Hashing      : SHA1
Bytes Tx     : 552209                 Bytes Rx     : 131830
Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup
Login Time   : 13:31:19 CEDT Tue Apr 20 2010
Duration     : 0h:01m:40s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

User who can:

Session Type: SVC
Username     : zzzz.zzz       Index        : 22757
Assigned IP  : 1XXXXXXXX         Public IP    : XXXXXXXXX
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
License      : SSL VPN
Encryption   : RC4 AES256             Hashing      : SHA1
Bytes Tx     : 2035733                Bytes Rx     : 644081
Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup
Login Time   : 13:32:45 CEDT Tue Apr 20 2010
Duration     : 0h:03m:03s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Jennifer Halim Tue, 04/20/2010 - 04:41

Thanks. Looks exactly the same.

I notice, however, that both users are using DTLS (UDP/443) for the AnyConnect connection, and when I try to browse to that website, it seems to be a little bit slow to respond. For the user who can't connect to that website, can you try to force it to connect via TLS (TCP/443) and try if the user can browse to that website?
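The field-by-field comparison of two `show vpn-sessiondb` session blocks discussed above, as an added example that is not part of the original thread. The sample blocks are constructed from the redacted output posted here (usernames `user.a` and `user.b` are placeholders), and the choice of which fields count as per-session noise is an assumption.

```python
import re

# Assumption: these fields differ for every session and say nothing about policy.
PER_SESSION = {"Username", "Index", "Assigned IP", "Public IP", "Bytes Tx",
               "Bytes Rx", "Login Time", "Duration", "Inactivity"}

# "Key : value" pairs, up to two per line. A value ends at a gap of two or more
# spaces followed by the next key, or at end of line (time values keep their colons).
FIELD = re.compile(r"([A-Z][A-Za-z ]*?)\s*: (.*?)(?=\s{2,}[A-Z][A-Za-z ]*?\s*: |$)")

def parse_session(text):
    """Return {field: value} for one session block."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD.findall(line.strip()):
            fields[key] = value.strip()
    return fields

def policy_diff(a, b):
    """Return {field: (value_a, value_b)} for policy-relevant fields that differ."""
    fa, fb = parse_session(a), parse_session(b)
    keys = (fa.keys() | fb.keys()) - PER_SESSION
    return {k: (fa.get(k), fb.get(k)) for k in sorted(keys) if fa.get(k) != fb.get(k)}

# Constructed sample data modelled on the redacted output in the thread.
FAILING = """\
Session Type: SVC
Username     : user.a                 Index        : 13441
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES256             Hashing      : SHA1
Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup
Login Time   : 13:31:19 CEDT Tue Apr 20 2010
VLAN Mapping : N/A                    VLAN         : none
"""
# Second user: same policy, different per-session values.
WORKING = (FAILING.replace("user.a", "user.b")
                  .replace("13441", "22757")
                  .replace("13:31:19", "13:32:45"))
# Same user after the session falls back to TLS only (no DTLS-Tunnel).
TLS_ONLY = FAILING.replace(" DTLS-Tunnel", "")

if __name__ == "__main__":
    print(policy_diff(FAILING, WORKING))    # no policy-relevant difference
    print(policy_diff(FAILING, TLS_ONLY))   # only the Protocol field changes
```

An empty result for two users confirms that group policy, tunnel group, ciphers and transport match, which points the investigation away from the ASA policy assignment.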

MJonkers Tue, 04/20/2010 - 04:49

Hi,

OK, tried that, no luck; still not displaying the website.

thx,

Marc

___________________________________________________________________________________________________________________________

Session Type: SVC
Username     : xxxxxxx          Index        : 22767
Assigned IP  : xxxxxxxxxxxx        Public IP    : xxxxxxxxxxxxx
Protocol     : Clientless SSL-Tunnel
License      : SSL VPN
Encryption   : RC4 AES256             Hashing      : SHA1
Bytes Tx     : 891388                 Bytes Rx     : 107493
Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup
Login Time   : 13:46:28 CEDT Tue Apr 20 2010
Duration     : 0h:02m:43s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN

MJonkers Tue, 04/20/2010 - 05:07

When we wait we see this displayed in the browser:

Error 101 (net::ERR_CONNECTION_RESET): Unknown error.

MJonkers Tue, 04/20/2010 - 05:15

If the user for whom it works logs in with VPN on the PC of the user for whom it doesn't work, it also doesn't work for him.

MJonkers Tue, 04/20/2010 - 06:00

Same ISP, but also tried other ISPs, the same result. Looks like a problem on the workstations where it does not work.

But there are many: workstations and laptops of the company, but also home computers. Very strange, this .....
