The scenario I have is an ASA in context mode, and I am looking to terminate VPN clients on a separate ASA that has an interface on the same private subnet. I have added a route to the ASA context for the VPN pool that belongs to the VPN-ASA. I can ping the VPN clients from the ASA context, but I cannot establish any connection from the VPN client. I get the following message:
04:21:21 106001 192.168.41.215 10.50.1.1 Inbound TCP connection denied from 192.168.41.215/23 to 10.50.1.1/52412 flags SYN ACK on interface inside
Yes, I am running one ASA in multiple context mode. The other ASA is running in parallel in single context mode. The VPN terminates fine and I can ping the IPsec clients as they connect from the ASA that's running in multiple context mode. However, if a VPN user tries to access internal resources, it's failing. This is the error I am getting, which is related to translation problems.
192.168.41.20 10.50.1.1 Inbound TCP connection denied from 192.168.41.20/23 to 10.50.1.1/2103 flags SYN ACK on interface inside
It appears the packet from the server (a SYN ACK from port 23 is certainly a server packet) to the client is getting dropped. Since you said the two ASAs are sitting in parallel, can you clarify which ASA is dropping the packet? If it's the multi-context one, then it appears routing needs to be fixed so that packets destined to VPN client IPs go to the VPN-ASA. I would guess you have an L3 box on the inside segment that routes to the ASAs depending on destination. It may be that the L3 box is routing VPN client IPs to the multi-ASA instead of the VPN-ASA.
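The reply above reads the denied segment as a server's SYN ACK that reached a firewall which is now dropping it. The following Python sketch is an added example, not part of the thread or of any Cisco tooling: it scans 106001 messages in the form quoted here and groups the denied SYN ACK replies by client address and interface, so the misrouted return path stands out. The function name `find_orphan_synacks` is hypothetical, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# Message 106001 text in the form quoted in the thread.
DENY_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<ifc>\S+)"
)

# Sample input: the two lines from the thread plus one constructed line
# (an ordinary denied SYN) to show what is NOT flagged.
SAMPLE_LOG = """\
04:21:21 106001 192.168.41.215 10.50.1.1 Inbound TCP connection denied from 192.168.41.215/23 to 10.50.1.1/52412 flags SYN ACK on interface inside
192.168.41.20 10.50.1.1 Inbound TCP connection denied from 192.168.41.20/23 to 10.50.1.1/2103 flags SYN ACK on interface inside
04:22:02 106001 10.9.9.9 192.168.41.20 Inbound TCP connection denied from 10.9.9.9/40000 to 192.168.41.20/22 flags SYN on interface outside
"""


def find_orphan_synacks(log_text):
    """Return {(client_ip, interface): sorted [(server_ip, server_port), ...]}
    for denied segments whose TCP flags are exactly SYN ACK."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106001-style deny line
        if set(m["flags"].split()) == {"SYN", "ACK"}:
            # A SYN ACK is a server reply: src is the server, dst the client.
            hits[(m["dst"], m["ifc"])].add((m["src"], int(m["sport"])))
    return {key: sorted(val) for key, val in hits.items()}


if __name__ == "__main__":
    for (client, ifc), servers in find_orphan_synacks(SAMPLE_LOG).items():
        print(f"replies to {client} denied on interface '{ifc}':")
        for ip, port in servers:
            print(f"  from {ip}:{port}")
```

Every client address it reports is one whose return traffic is arriving at this firewall, which is the routing question the reply asks about.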
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: