URL not working when connected with VPN for some users, but it does for others?

Apr 19th, 2010

Hi,


We use two ASA 5550s and the AnyConnect client to build up a VPN connection. When users are connected to the ASAs, some users of the same policy cannot access www.zonmw.nl (nothing will be displayed), others can. When we disconnect the VPN the site is accessible.


What could be the problem here? We tried everything.


Could someone else try to connect to this site with their AnyConnect VPN connection?


thx,


Marc


Jennifer Halim (Cisco Employee) Tue, 04/20/2010 - 04:19

1) Are you 100% sure that the user that connects via AnyConnect is assigned the same policy? Can you double check for both users (i.e. the one that can connect to "www.zonmw.nl" and the user that can't) by issuing: show vpn-sessiondb svc filter name


2) Do you have split tunnel configured for the AnyConnect?


3) Just confirming that "www.zonmw.nl" is a webserver on the Internet, not hosted behind the ASA?

MJonkers Tue, 04/20/2010 - 04:24

Hi,


1) Yep 100% the same, we use AD groups and we checked the radius server logs.

2) Split tunnel is not allowed in our policies

3) yes it's a webserver on the internet.


thx


Marc

MJonkers Tue, 04/20/2010 - 04:36

User who can't access:


Session Type: SVC


Username     : xxx.xxxxx           Index        : 13441

Assigned IP  : 1XX.1XX.1XX.2XX        Public IP    : 1XX.XXX.XXX.XXX

Protocol     : Clientless SSL-Tunnel DTLS-Tunnel

License      : SSL VPN

Encryption   : RC4 AES256             Hashing      : SHA1

Bytes Tx     : 552209                 Bytes Rx     : 131830

Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup

Login Time   : 13:31:19 CEDT Tue Apr 20 2010

Duration     : 0h:01m:40s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none


User who can:


Session Type: SVC


Username     : zzzz.zzz       Index        : 22757

Assigned IP  : 1XXXXXXXX         Public IP    : XXXXXXXXX

Protocol     : Clientless SSL-Tunnel DTLS-Tunnel

License      : SSL VPN

Encryption   : RC4 AES256             Hashing      : SHA1

Bytes Tx     : 2035733                Bytes Rx     : 644081

Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup

Login Time   : 13:32:45 CEDT Tue Apr 20 2010

Duration     : 0h:03m:03s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN         : none

Jennifer Halim (Cisco Employee) Tue, 04/20/2010 - 04:41

Thanks. Looks exactly the same.


I notice, however, that both users are using DTLS (UDP/443) for the AnyConnect connection, and when I try to browse to that website, it seems to be a little bit slow to respond. For the user who can't connect to that website, can you try to force it to connect via TLS (TCP/443) and see if the user can browse to that website?

MJonkers Tue, 04/20/2010 - 04:49

Hi,


OK, tried that, no luck; still not displaying the website.


thx,


Marc


___________________________________________________________________________________________________________________________


Session Type: SVC


Username     : xxxxxxx          Index        : 22767

Assigned IP  : xxxxxxxxxxxx        Public IP    : xxxxxxxxxxxxx

Protocol     : Clientless SSL-Tunnel

License      : SSL VPN

Encryption   : RC4 AES256             Hashing      : SHA1

Bytes Tx     : 891388                 Bytes Rx     : 107493

Group Policy : ICTS-Netwerken         Tunnel Group : DefaultWEBVPNGroup

Login Time   : 13:46:28 CEDT Tue Apr 20 2010

Duration     : 0h:02m:43s

Inactivity   : 0h:00m:00s

NAC Result   : Unknown

VLAN Mapping : N/A                    VLAN      

MJonkers Tue, 04/20/2010 - 05:07

When we wait we see this displayed in the browser:


Error 101 (net::ERR_CONNECTION_RESET): Unknown error.

MJonkers Tue, 04/20/2010 - 05:15

If the user for whom it works logs in with VPN on the PC of the user for whom it doesn't work, it also doesn't work for him.

MJonkers Tue, 04/20/2010 - 06:00

Same ISP, but also tried other ISPs with the same result. Looks like a problem on the workstations where it does not work.

But there are many: workstations and laptops of the company, but also home computers. Very strange, this .....
