Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1937
Views
0
Helpful
3
Replies

ASA 8.2(5) to 8.2(5.26) upgrade breaks VPN hairpinning?

Go to solution
JERRY VANCORBACH
Level 1
Level 1

‎05-15-2012 01:07 PM

I've got 3 sites.  Site A is connected to both Site B and Site C via IPSEC tunnels (all devices are ASA5540).  Site A also acts as a VPN concentrator for remote access users.  I upgraded the ASA code at Site A from 8.2(5) to 8.2(5.26) per the Cisco advisory to deal with the SSL VPN Active-X RDP vulnerability.  This update solved the issue with Active-X RDP, but, now users who connect with AnyConnect to Site A can not establish a connection to hosts in Site B or Site C.  They can Ping those hosts, but cannot connect to them using TCP (i.e. telent, rdp, ftp, etc...). 

So what changed with this minor code upgrade and how to I restore the ability of these remote users utilize resources at the other sites?  Has anybody else experienced this?

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammad Alhyari
Cisco Employee
Cisco Employee

‎05-15-2012 03:15 PM

Hey.

I think you are hitting a bug

anyconnect hairpinning traffic fails . I don't remember the bug id but i will provide it tomorrow.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Mohammad Alhyari
Cisco Employee
Cisco Employee

‎05-15-2012 03:15 PM

Hey.

I think you are hitting a bug

anyconnect hairpinning traffic fails . I don't remember the bug id but i will provide it tomorrow.

0 Helpful

Go to solution
JERRY VANCORBACH
Level 1
Level 1

‎05-16-2012 09:03 AM


TAC has confirmed that this is a bug (CSCty32412).

Thanks,

-jerry

0 Helpful

Go to solution
Vishnu Sharma
Level 1
Level 1
In response to JERRY VANCORBACH

‎05-16-2012 03:40 PM

Yes CSCty32412 is the correct bug. To fix this bug, upgrade the ASA to 8.2(5.29) which is not available on cisco website. To get this code, please open a case with Cisco TAC VPN team and ask them to publish this software for you.

Thanks,

Vishnu Sharma

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents