cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28282
Views
45
Helpful
6
Replies

Remote access VPN is working, but packet-tracer is showing drop in webvpn-svc

XIE YAO
Level 1
Level 1

Hi expert,

I recently noticed a strange thing that my anyconnect vpn is working but packet-tracer is always showing WEBVPN-SVC result is DROP.

If I change to another unused ip address in the VPN pool, then packet-tracer showing allowed, but in fact, the PC successfully connected is always able to reach the webserver.

//client successfully dial in VPN, obtain 3.3.3.1, packet-tracer using this IP shows:

ASA5510# packet-tracer input inside tcp 3.3.3.1 1025 1.1.1.1 80

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   1.1.1.0         255.255.255.252 dmz

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: WEBVPN-SVC

Subtype: in

Result: DROP

Config:

Additional Information:

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

//If I use another ip address in the VPN pool, (not assigned yet), then it showing allow.

PSS-ASA5510# packet-tracer input inside tcp 3.3.3.2 1025 1.1.1.1 80

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

MAC Access list

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   1.1.1.0         255.255.255.252 dmz

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 30842, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: dmz

output-status: up

output-line-status: up

Action: allow

From VPN client PC, 1.1.1.1 port 80 is reachable, but I'm confused by the fact that packet-tracer is showing differently.

1 Accepted Solution

Accepted Solutions

Peter Long
Level 1
Level 1

You need to use an IP that not already allocated to a client. 

See

Testing AnyConnect With Packet Tracer

Pete

View solution in original post

6 Replies 6

XIE YAO
Level 1
Level 1

anyone?

Peter Long
Level 1
Level 1

You need to use an IP that not already allocated to a client. 

See

Testing AnyConnect With Packet Tracer

Pete

Nice one Pete!

Old thread but still a worthwhile contribution.

That is very cool.  However, if you have uRPF enabled on the outside interface, you get this error because the reverse-route isn't populated.

Result:
input-interface: Charter
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed

 

This was on an FTD device managed from the FMC.  I removed uRPF, and packet-tracer worked as desired.  It is interesting that I got the same WEBVPN-SVC DROP from using an existing AnyConnect IP address on FTD.

 

FYI uRPF is located under Devices > Device Management > [device] > Interfaces > [interface] > Advanced > Security Configuration > Enable Anti Spoofing.

 

Spoiler
 

Fantastic!!!!!!!!!!!!!!

I got a similar issue where the traffic is not getting through and has the following error:

Phase: 9
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Elapsed time: 428 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x15044ce39c40, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=10464, user_data=0xf06a4000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.200.31.78, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GLP-Outside(vrfid:0), output_ifc=any

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: