I have an interesting problem with a Cisco ASA 5540 and returning traffic to a vpn client being dropped.
The solution looks like this:
vpn-client --> [ASA5540] ----> Cat6k -----> (TLS MAN ) ----> [Cat4k] ----> <subnet on Cat 4k 10.161.0.0 /22>
The Cat4k destination interface is as follows:
ip address 10.161.0.1 255.255.252.0
no ip redirects
The ASA can ping the ingress and egress interfaces of the Cat6k
The ASA can ping across the Transparent LAN service (MAN) onto an IP address on the Cat4k.
The ASA can ping any address on the Cat4k within the 10.161.0.0 /22 addressed vlan.
But when a VPN client establishes a remote access IPSEC tunnel onto the ASA:
The vpn client can ping the ingress and egress interfaces of the Cat6k
The vpn client can ping across the Transparent LAN service (MAN) onto an IP address on the Cat4k
BUT the vpn client can only ping hosts within the 10.161.0.0/22 address space from 10.161.1.1 up to 10.161.3.254
All addresses from 10.161.0.1 up to 10.161.0.255 are not reachable by either TCP or ICMP.
I performed a real-time capture on the ingress of the inside interface of the ASA to see if the traffic was actually getting back to the ASA, to rule out a routing or switching problem.
The following is a successful test from vpn client 10.162.104.60 to 10.161.2.2 /22
<hostname># capture test interface inside real-time match icmp host 10.161.2.1$
1: 12:18:21.825183 10.162.104.60 > 10.161.2.1: icmp: echo request
2: 12:18:21.826296 10.161.2.1 > 10.162.104.60: icmp: echo reply
3: 12:18:22.825900 10.162.104.60 > 10.161.2.1: icmp: echo request
4: 12:18:22.831545 10.161.2.1 > 10.162.104.60: icmp: echo reply
The client receives a reply:
<host>$ ping 10.161.2.1
PING 10.161.2.1 (10.161.2.1): 56 data bytes
64 bytes from 10.161.2.1: icmp_seq=0 ttl=126 time=6.270 ms
64 bytes from 10.161.2.1: icmp_seq=1 ttl=126 time=11.688 ms
The following is an unsuccessful test from vpn client 10.162.104.60 to 10.161.0.1 in the same subnet
It shows the echo reply traffic actually coming back to the ASA, although the vpn client does not receive the packet.
<host>$ ping 10.161.0.1
PING 10.161.0.1 (10.161.0.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
(This was tested on both the Windows Cisco vpn client and the Mac vpn client version 4.9.01.0180.)
Yet the ASA can ping both IP addresses from its inside interface.
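Added example, not from the original post: a small Python script that parses ASA `capture ... real-time` ICMP lines in the format shown above and combines them with what the client's own ping reported, so each destination is classified as either "reply reached the ASA inside interface but never reached the client" (drop is inside the ASA) or "no reply reached the ASA at all" (look upstream). The capture lines for 10.161.0.1 and 10.161.3.9 are constructed, since the post shows no capture for the failing host.

```python
import re
# One line of ASA "capture ... real-time" ICMP output, format as in the post:
#   1: 12:18:21.825183 10.162.104.60 > 10.161.2.1: icmp: echo request
LINE_RE = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)
def parse_capture(text):
    """Yield (src, dst, kind) for each ICMP echo line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")

def localize_drop(text, client, client_saw_reply):
    """Per destination pinged by `client`, combine the inside-interface capture
    with what the client itself saw (client_saw_reply: {dst: bool}):
      no-reply-to-asa - nothing came back, so look upstream (routing/switching)
      dropped-in-asa  - reply reached the ASA inside interface but the client
                        never got it, so the loss is inside the ASA
      ok              - reply reached the ASA and the client received it"""
    requests, replies = set(), set()
    for src, dst, kind in parse_capture(text):
        if kind == "request" and src == client:
            requests.add(dst)
        elif kind == "reply" and dst == client:
            replies.add(src)
    verdict = {}
    for dst in requests:
        if dst not in replies:
            verdict[dst] = "no-reply-to-asa"
        elif client_saw_reply.get(dst, False):
            verdict[dst] = "ok"
        else:
            verdict[dst] = "dropped-in-asa"
    return verdict

# Constructed sample: the post's working capture for 10.161.2.1, made-up lines
# for 10.161.0.1 (the post says its replies reach the ASA but shows no capture)
# and a made-up host 10.161.3.9 that never answers.
SAMPLE = """\
1: 12:18:21.825183 10.162.104.60 > 10.161.2.1: icmp: echo request
2: 12:18:21.826296 10.161.2.1 > 10.162.104.60: icmp: echo reply
3: 12:18:22.825900 10.162.104.60 > 10.161.2.1: icmp: echo request
4: 12:18:22.831545 10.161.2.1 > 10.162.104.60: icmp: echo reply
5: 12:19:01.100000 10.162.104.60 > 10.161.0.1: icmp: echo request
6: 12:19:01.101500 10.161.0.1 > 10.162.104.60: icmp: echo reply
7: 12:19:30.000000 10.162.104.60 > 10.161.3.9: icmp: echo request
"""
CLIENT_SAW = {"10.161.2.1": True, "10.161.0.1": False, "10.161.3.9": False}
```

Run `localize_drop(SAMPLE, "10.162.104.60", CLIENT_SAW)` against a real capture pasted into `SAMPLE`; a `dropped-in-asa` verdict means the reply was already on the inside interface, so the next place to look is the ASA's own handling of that destination rather than the Cat6k/Cat4k path.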