Anyconnect client traffic does not reach remote sites connected via site-to-site vpn

Hi everyone, I have a 5550 ASA running version 8.2(1) which is being used to tunnel between sites and also serves as a remote access server. AnyConnect TCP/UDP client traffic that is tunneled to other sites via site-to-site VPN fails.

I get these in the logs (either RST or SYN/ACK):

6    Nov 24 2010    12:06:48    106015    80    15996    Deny TCP (no connection) from to flags RST ACK  on interface outside

ICMP traffic is OK as I can ping units in remote sites, being the remote site and being the VPN client subnet; is another router connected to the same segment.

Internet traffic is being routed to another ASA on the same segment.

I have run out of ideas; can anyone shed some light?


ASA Version 8.2(1)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address

interface GigabitEthernet1/0

nameif inside
security-level 100
ip address
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface


object-group network CANADA
object-group network UK


access-list nonat extended permit ip object-group CANADA object-group UK
access-list 113 extended permit ip object-group CANADA object-group UK


mtu outside 1500
mtu management 1500
mtu inside 1500
ip local pool AnyConnect_Pool1 mask
nat (inside) 0 access-list nonat
route outside 1
route inside 1
route inside tunneled
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000


crypto map vpn 113 match address 113
crypto map vpn 113 set peer
crypto map vpn 113 set transform-set ESP-AES-256-SHA
crypto map vpn 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy thqmtl_AnyConnect internal
group-policy thqmtl_AnyConnect attributes
wins-server value
dns-server value
vpn-simultaneous-logins 3
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock none
split-tunnel-policy tunnelall
default-domain value
vlan none
address-pools value AnyConnect_Pool1
  svc keep-installer installed
  svc rekey time 60
  svc rekey method ssl
  svc ask none default svc
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group AnyConnect_SSL type remote-access
tunnel-group AnyConnect_SSL general-attributes
address-pool AnyConnect_Pool1
authentication-server-group LDAP
authentication-server-group (inside) LDAP
default-group-policy thqmtl_AnyConnect
tunnel-group AnyConnect_SSL webvpn-attributes
group-alias AnyConnect_SSL enable
: end

Re: Anyconnect client traffic does not reach remote sites connec

To start with, the AnyConnect pool should not be in the same subnet as the inside network, as essentially the AnyConnect pool should really exist on the outside network.

Secondly, what is the reason for configuring "route inside tunneled"?

Once you have changed the AnyConnect pool to a unique subnet range, you would need to add the AnyConnect pool subnet to the site-to-site VPN crypto ACL on both sides as follows:

On this ASA: access-list 113 permit ip object-group UK

On the remote ASA, the corresponding ACL, the mirror image of the above: access-list permit ip object-group UK

Then you would need to clear the tunnels and reconnect AnyConnect to test connectivity to the remote site.

Hope that helps.
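The two conditions the reply describes (the pool on a subnet distinct from the inside network, and the pool subnet present in the site-to-site crypto ACL with the remote peer's ACL as its exact mirror image) can be checked offline before either ASA is touched. The following Python script is an added example, not code from the original post or from Cisco; the object-group membership, subnet values, ACL name and ACE text are constructed placeholders, since the real addresses were stripped from the post. It accepts both the object-group and the network/mask forms of an ASA 8.2 `permit ip` ACE, expands groups into individual (source, destination) pairs, and reports which of the reply's conditions fail.

```python
"""Audit an ASA 8.2 L2L crypto ACL pair for an AnyConnect pool (constructed example)."""
import ipaddress
import re

# Object groups as the ASA would resolve them. Subnets are assumptions chosen for
# this example; the original post omitted the real addresses.
OBJECT_GROUPS = {
    "CANADA": ["10.1.0.0/16"],      # assumed inside/site subnet behind this ASA
    "UK": ["10.2.0.0/16"],          # assumed subnet behind the remote peer
    "AC_POOL": ["10.200.0.0/24"],   # assumed AnyConnect pool, distinct from inside
}

# Matches "access-list <name> [extended] permit ip <src> <dst>"; ports are not used
# in a crypto ACL, so only the ip form is handled here.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")


def _endpoint(tokens):
    """Consume one address spec (object-group, host, any, or 'network mask')."""
    if tokens[0] == "object-group":
        nets = frozenset(ipaddress.ip_network(n) for n in OBJECT_GROUPS[tokens[1]])
        return nets, tokens[2:]
    if tokens[0] == "host":
        return frozenset({ipaddress.ip_network(tokens[1] + "/32")}), tokens[2:]
    if tokens[0] == "any":
        return frozenset({ipaddress.ip_network("0.0.0.0/0")}), tokens[1:]
    # ASA writes "network mask"; ipaddress accepts a dotted netmask after the slash.
    return frozenset({ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")}), tokens[2:]


def parse_crypto_acl(name, config_lines):
    """Return the set of (src, dst) network pairs permitted by ACL `name`."""
    pairs = set()
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        srcs, rest = _endpoint(m.group(2).split())
        dsts, _ = _endpoint(rest)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def is_mirror(local_pairs, remote_pairs):
    """True when the remote crypto ACL is the exact mirror image of the local one."""
    return {(d, s) for s, d in local_pairs} == set(remote_pairs)


def pool_in_acl(pairs, pool, remote_nets):
    """True when every remote subnet is reachable from the whole pool via some ACE."""
    pool = ipaddress.ip_network(pool)
    return all(
        any(pool.subnet_of(s) and r.subnet_of(d) for s, d in pairs)
        for r in map(ipaddress.ip_network, remote_nets)
    )


def pool_overlaps(pool, inside):
    """True when the pool shares any address with the inside subnet."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(inside))


def audit(pool, inside, local_lines, remote_lines, acl_name="113", remote_group="UK"):
    """Return a list of problems; an empty list means the reply's conditions hold."""
    problems = []
    if pool_overlaps(pool, inside):
        problems.append("AnyConnect pool overlaps the inside subnet")
    local = parse_crypto_acl(acl_name, local_lines)
    remote = parse_crypto_acl(acl_name, remote_lines)
    if not pool_in_acl(local, pool, OBJECT_GROUPS[remote_group]):
        problems.append("pool subnet missing from local crypto ACL")
    if not is_mirror(local, remote):
        problems.append("remote crypto ACL is not the mirror image of the local one")
    return problems


# Constructed sample ACLs. LOCAL_BEFORE reflects the post (CANADA<->UK only);
# LOCAL_AFTER and REMOTE_AFTER add the pool as the reply instructs. The remote
# side is written in network/mask form to show both syntaxes are accepted.
LOCAL_BEFORE = [
    "access-list 113 extended permit ip object-group CANADA object-group UK",
]
LOCAL_AFTER = LOCAL_BEFORE + [
    "access-list 113 extended permit ip object-group AC_POOL object-group UK",
]
REMOTE_AFTER = [
    "access-list 113 extended permit ip object-group UK object-group CANADA",
    "access-list 113 extended permit ip 10.2.0.0 255.255.0.0 10.200.0.0 255.255.255.0",
]

if __name__ == "__main__":
    print("before:", audit("10.200.0.0/24", "10.1.0.0/16", LOCAL_BEFORE, REMOTE_AFTER))
    print("after: ", audit("10.200.0.0/24", "10.1.0.0/16", LOCAL_AFTER, REMOTE_AFTER))
```

The overlap check is deliberately separate from the ACL check: a pool carved out of the inside subnet is already "covered" by the CANADA entry and passes the ACL test, which is exactly the configuration the reply says to avoid, so the script still flags it.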
