ASA 8.2(5) to 8.2(5.26) upgrade breaks VPN hairpinning?

Answered Question
May 15th, 2012

I've got 3 sites. Site A is connected to both Site B and Site C via IPsec tunnels (all devices are ASA5540). Site A also acts as a VPN concentrator for remote access users. I upgraded the ASA code at Site A from 8.2(5) to 8.2(5.26) per the Cisco advisory to deal with the SSL VPN Active-X RDP vulnerability. This update solved the issue with Active-X RDP, but now users who connect with AnyConnect to Site A cannot establish a connection to hosts in Site B or Site C. They can ping those hosts, but cannot connect to them using TCP (i.e. telnet, rdp, ftp, etc.).

So what changed with this minor code upgrade, and how do I restore the ability of these remote users to utilize resources at the other sites? Has anybody else experienced this?

Thanks,

Correct Answer
Mohammad Alhyari Tue, 05/15/2012 - 15:15

Hey.

I think you are hitting a bug: AnyConnect hairpinning traffic fails. I don't remember the bug ID, but I will provide it tomorrow.

Vishnu Sharma Wed, 05/16/2012 - 15:40

Yes, CSCty32412 is the correct bug. To fix this bug, upgrade the ASA to 8.2(5.29), which is not available on the Cisco website. To get this code, please open a case with the Cisco TAC VPN team and ask them to publish this software for you.

Thanks,

Vishnu Sharma
