04-19-2010 06:59 AM
Hi,
We use two ASA 5550s and the AnyConnect client to build up a VPN connection. When users are connected to the ASAs, some users of the same policy cannot access www.zonmw.nl (nothing will be displayed), others can. When we disconnect the VPN the site is accessible.
What could be the problem here? We tried everything.
Could someone else try to connect to this site with his AnyConnect VPN connection?
thx,
Marc
04-20-2010 04:19 AM
1) Are you 100% sure that the user that connects via AnyConnect is assigned the same policy? Can you double check for both users (ie: the one that can connect to "www.zonmw.nl" and the user that can't) by issuing: show vpn-sessiondb svc filter name
2) Do you have split tunnel configured for the AnyConnect?
3) Just confirming that "www.zonmw.nl" is a webserver on the Internet, not hosted behind the ASA?
04-20-2010 04:24 AM
Hi,
1) Yep 100% the same, we use AD groups and we checked the radius server logs.
2) Split tunnel is not allowed in our policies
3) Yes, it's a webserver on the Internet.
thx
Marc
04-20-2010 04:36 AM
User who can't access:
Session Type: SVC
Username : xxx.xxxxx Index : 13441
Assigned IP : 1XX.1XX.1XX.2XX Public IP : 1XX.XXX.XXX.XXX
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES256 Hashing : SHA1
Bytes Tx : 552209 Bytes Rx : 131830
Group Policy : ICTS-Netwerken Tunnel Group : DefaultWEBVPNGroup
Login Time : 13:31:19 CEDT Tue Apr 20 2010
Duration : 0h:01m:40s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
User who can:
Session Type: SVC
Username : zzzz.zzz Index : 22757
Assigned IP : 1XXXXXXXX Public IP : XXXXXXXXX
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES256 Hashing : SHA1
Bytes Tx : 2035733 Bytes Rx : 644081
Group Policy : ICTS-Netwerken Tunnel Group : DefaultWEBVPNGroup
Login Time : 13:32:45 CEDT Tue Apr 20 2010
Duration : 0h:03m:03s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
04-20-2010 04:41 AM
Thanks. Looks exactly the same.
I notice, however, that both users are using DTLS (UDP/443) for the AnyConnect connection, and when I try to browse to that website, it seems to be a little bit slow to respond. For the user who can't connect to that website, can you try to force it to connect via TLS (TCP/443) and see if the user can browse to that website?
04-20-2010 04:49 AM
Hi,
OK, tried that, no luck; still not displaying the website.
thx,
Marc
___________________________________________________________________________________________________________________________
Session Type: SVC
Username : xxxxxxx Index : 22767
Assigned IP : xxxxxxxxxxxx Public IP : xxxxxxxxxxxxx
Protocol : Clientless SSL-Tunnel
License : SSL VPN
Encryption : RC4 AES256 Hashing : SHA1
Bytes Tx : 891388 Bytes Rx : 107493
Group Policy : ICTS-Netwerken Tunnel Group : DefaultWEBVPNGroup
Login Time : 13:46:28 CEDT Tue Apr 20 2010
Duration : 0h:02m:43s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN
04-20-2010 05:07 AM
When we wait we see this displayed in the browser:
Error 101 (net::ERR_CONNECTION_RESET): Unknown error.
04-20-2010 05:15 AM
If the user for whom it works logs in with VPN on the PC of the user for whom it doesn't work, it also doesn't work for him.
04-20-2010 05:57 AM
Same ISP connection or different ISP connection?
04-20-2010 06:00 AM
Same ISP, but we also tried other ISPs, with the same result. Looks like a problem on the workstations where it does not work.
But there are many: workstations and laptops of the company, but also home computers. Very strange, this .....