I've successfully set up remote VPN connections to my ASA using vpnc as the client, and everything behaves as expected. I'm trying to test the official Cisco client and I'm unable to make the same SSH connections across the VPN as I was using vpnc.
The ASA shows the IKE and IPSec connections forming, and shows connections being built for the SSH traffic across the VPN.
tcpdump shows the host listening on SSH behind the ASA receiving the traffic and sending ACKs in reply. They don't appear to be arriving back at the remote client though, and SSH connections time out without connecting.
Any idea what might be stopping the return traffic? I thought it might be some policy the ASA is pushing out to the Cisco client but not to vpnc, but I can't spot anything obvious.
Re: Traffic not returning to remote VPN connections
Is the internal SSH host you are connecting to sending ACKs (as you've stated), or SYN/ACKs?
It might be nice to know if the TCP three-way handshake is being completed and subsequent packets are the issue, or if it's the initial TCP setup that is the issue.
Perhaps there would be some benefit in confirming whether these packets are making it through the IPSec tunnel, through the ASA unencapsulated, or not through the ASA at all.
You could use Wireshark to look for unencapsulated packets exiting the ASA.
You could use Wireshark to capture the "pre-encapsulated" traffic being sent to the far side, and the "post-decapsulation" traffic returning from the far side, by capturing on the Cisco VPN Client virtual interface (Windows installation).
Perhaps examine IPSec SA details on the ASA and look for errors.
Perhaps enable logging on the internal interface ACL (log any packets denied) to identify whether the returning packets are being dropped.
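The first two points in the reply come down to reading TCP flags off the capture taken on the SSH host behind the ASA: if the host answers every SYN with a SYN-ACK but never sees the client's ACK, the return path is the problem, and repeated SYN-ACKs for the same flow are the tell-tale sign. The script below is an added example, not part of this thread, that classifies each client flow in tcpdump-style summary output by how far the handshake got. The capture lines and addresses are constructed placeholders; the real capture would be `tcpdump -nn tcp port 22` on the SSH host.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style summary lines as seen from the SSH host
# behind the ASA (addresses are placeholders). The first flow completes the
# handshake; the second only ever reaches SYN / SYN-ACK and the SYN-ACK is
# retransmitted, which is what a lost return path looks like from this vantage.
SAMPLE_CAPTURE = """\
10:00:01.000 IP 10.10.20.5.51000 > 192.168.1.10.22: Flags [S], seq 100
10:00:01.001 IP 192.168.1.10.22 > 10.10.20.5.51000: Flags [S.], seq 500, ack 101
10:00:01.050 IP 10.10.20.5.51000 > 192.168.1.10.22: Flags [.], ack 501
10:00:01.051 IP 10.10.20.5.51000 > 192.168.1.10.22: Flags [P.], seq 101:140, ack 501
10:00:05.000 IP 10.10.30.7.52000 > 192.168.1.10.22: Flags [S], seq 200
10:00:05.001 IP 192.168.1.10.22 > 10.10.30.7.52000: Flags [S.], seq 700, ack 201
10:00:08.000 IP 10.10.30.7.52000 > 192.168.1.10.22: Flags [S], seq 200
10:00:08.001 IP 192.168.1.10.22 > 10.10.30.7.52000: Flags [S.], seq 700, ack 201
"""

# Matches the "ts IP a.b.c.d.port > e.f.g.h.port: Flags [..]" prefix of a tcpdump line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_lines(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def handshake_state(text, server_port=22):
    """Classify each client flow by how far the TCP three-way handshake got.

    Returns {(client_ip, client_port): state}, where state is one of
    'syn_only' (SYN seen, no SYN-ACK sent), 'syn_ack_no_ack' (SYN-ACK sent but
    the client's ACK never arrived) or 'established' (client ACK seen).
    """
    seen = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": False})
    for src, sport, dst, dport, flags in parse_lines(text):
        if dport == server_port:            # client -> server direction
            key = (src, sport)
            if flags == "S":
                seen[key]["syn"] += 1
            elif "." in flags and "S" not in flags:
                seen[key]["ack"] = True     # pure ACK or data with ACK set
        elif sport == server_port:          # server -> client direction
            key = (dst, dport)
            if flags == "S.":
                seen[key]["synack"] += 1
    result = {}
    for key, s in seen.items():
        if s["ack"] and s["synack"]:
            result[key] = "established"
        elif s["synack"]:
            result[key] = "syn_ack_no_ack"
        else:
            result[key] = "syn_only"
    return result


def retransmitted_syn_acks(text, server_port=22):
    """Flows whose SYN-ACK was sent more than once: the server answered but the
    reply is not reaching the client, so it keeps retrying."""
    counts = defaultdict(int)
    for src, sport, dst, dport, flags in parse_lines(text):
        if sport == server_port and flags == "S.":
            counts[(dst, dport)] += 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    for flow, state in handshake_state(SAMPLE_CAPTURE).items():
        print(f"{flow[0]}:{flow[1]} -> {state}")
    print("repeated SYN-ACKs:", retransmitted_syn_acks(SAMPLE_CAPTURE))
```

A flow stuck in `syn_ack_no_ack` with repeated SYN-ACKs on the inside host, combined with a capture on the VPN client's virtual interface that never shows the SYN-ACK after decapsulation, narrows the loss to the ASA or the tunnel, which is where the ACL logging and IPSec SA checks in the reply come in.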
This is actually a pretty cool feature; I didn't even know it existed until I was looking for a solution to advertise a subnet (prefix in BGP talk) only if a certain condition existed. This is exactly what conditional advertisements do.
I have a question. I bought a Cisco 887VA-k9 router and configured it with the configuration below.
If I connect it directly to my laptop on one of its ports, everything works fine (the internet connection + m...
Attached policy provides CLI access to the Cisco 4G router over text messaging. Two files are in the attached .tar file:
2. PDF with instructions on how to load and use the .tcl file.