Remote access VPN is working, but packet-tracer is showing drop in webvpn-svc

Endorsed Question
Sep 19th, 2013

Hi expert,


I recently noticed a strange thing: my AnyConnect VPN is working, but packet-tracer always shows the WEBVPN-SVC result as DROP.

If I change to another unused IP address in the VPN pool, then packet-tracer shows allow; but in fact the successfully connected PC is always able to reach the web server.


// client successfully dials in to the VPN and obtains 3.3.3.1; packet-tracer using this IP shows:


ASA5510# packet-tracer input inside tcp 3.3.3.1 1025 1.1.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.252 dmz

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule



// If I use another IP address in the VPN pool (not assigned yet), then it shows allow.




PSS-ASA5510# packet-tracer input inside tcp 3.3.3.2 1025 1.1.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.252 dmz

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 30842, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow


From the VPN client PC, 1.1.1.1 port 80 is reachable, but I'm confused by the fact that packet-tracer shows something different.

VIP Endorsed by Marvin Rhoads
Peter Long about 4 months 2 weeks ago

You need to use an IP that is not already allocated to a client.

See

Testing AnyConnect With Packet Tracer


Pete

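Added example (not from the thread or from Cisco): a small Python parser for packet-tracer output that finds the phase which produced the DROP and, given the set of pool addresses currently allocated to connected AnyConnect clients (assumed to be gathered by the operator, e.g. from the ASA session database), tells a WEBVPN-SVC test artefact apart from a real policy deny. The two traces are constructed, abbreviated copies of the ones posted above.

```python
import re

# Constructed, abbreviated versions of the two traces in the thread.
TRACE_ACTIVE_CLIENT = """Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
TRACE_FREE_POOL_IP = """Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
Action: allow
"""

# Phase header: Phase/Type/Subtype/Result are consecutive lines in real output too.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype: ?(\S*)\nResult: (\w+)")

def parse_trace(text):
    """Return (phases, final action, drop reason) from packet-tracer output."""
    phases = [(int(n), t, s, r) for n, t, s, r in PHASE_RE.findall(text)]
    action = re.search(r"^Action: (\w+)", text, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return (phases, action.group(1) if action else None,
            reason.group(1) if reason else None)

def drop_phase(phases):
    """Type of the first phase whose result is DROP, or None."""
    for _, ptype, _, result in phases:
        if result == "DROP":
            return ptype
    return None

def interpret(text, src_ip, active_client_ips):
    """Apply the thread's answer: a WEBVPN-SVC drop for a source address that
    is currently allocated to a connected client is a test artefact; retest
    with an unallocated pool address before treating it as a policy deny."""
    phases, action, reason = parse_trace(text)
    dropped_in = drop_phase(phases)
    if action == "allow":
        return "allowed"
    if dropped_in == "WEBVPN-SVC" and src_ip in active_client_ips:
        return "artefact: retest with an unallocated pool address"
    return f"denied in {dropped_in}: {reason}"
```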
Marvin Rhoads Wed, 04/05/2017 - 08:26

Nice one Pete!

Old thread but still a worthwhile contribution.
