Anyconnect loses connectivity to internal resources
Has anyone ever had an Anyconnect VPN client just lose connectivity in the middle of a session? The user connects via VPN fine, all internal resources are available, and they can get to things. Within a certain time frame the user all of a sudden cannot get to internal resources, but the tunnel is still established and connected. They cannot ping internal resources, nor can I ping the client IP of the user that is connected. I see the connection still there within the CLI. The user can log off and log back into the VPN and work again, but the issue may creep up again. Anyone else seen an issue like this?
I ran into a similar issue before and saw that the user was shunned from the ASA, and thus the VPN session was up but traffic was not passing. Try "show shun" to see if the client's IP is listed there or not. If that does not help, run test traffic (continuous pings) from the VPN client and run captures on the inside interface (to see if the packets are reaching there). This will tell you if the packets are even reaching the ASA.
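The shun check suggested in the reply above, applied to every connected session at once, as an added example that is not part of the original thread. The sample outputs are constructed, following the `show vpn-sessiondb anyconnect` and `show shun` layouts, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on "show vpn-sessiondb anyconnect" output.
SESSIONS = """\
Session Type: AnyConnect

Username     : jdoe                   Index        : 42
Assigned IP  : 10.10.50.21            Public IP    : 198.51.100.23

Username     : asmith                 Index        : 43
Assigned IP  : 10.10.50.22            Public IP    : 203.0.113.9
"""

# Constructed sample "show shun" output: shun (interface) src dst sport dport proto
SHUNS = """\
shun (outside) 203.0.113.9 0.0.0.0 0 0 0
shun (inside) 10.99.1.5 0.0.0.0 0 0 0
"""

FIELD = re.compile(r"(Username|Assigned IP|Public IP)\s*:\s*(\S+)")
SHUN = re.compile(r"^shun \((\S+)\)\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def parse_sessions(text):
    """Return one dict per session with its username, assigned IP and public IP."""
    sessions = []
    for key, value in FIELD.findall(text):
        if key == "Username":
            sessions.append({"Username": value})
        elif sessions:
            sessions[-1][key] = value
    return sessions

def parse_shuns(text):
    """Map each shunned source IP to the interfaces it is shunned on."""
    shuns = {}
    for iface, src in SHUN.findall(text):
        shuns.setdefault(src, []).append(iface)
    return shuns

def shunned_sessions(session_text, shun_text):
    """List (username, ip, interfaces) for connected sessions whose IP is shunned."""
    shuns = parse_shuns(shun_text)
    return [(s["Username"], s[f], shuns[s[f]])
            for s in parse_sessions(session_text)
            for f in ("Assigned IP", "Public IP") if s.get(f) in shuns]

if __name__ == "__main__":
    for user, ip, ifaces in shunned_sessions(SESSIONS, SHUNS):
        print(f"{user}: {ip} is shunned on {', '.join(ifaces)}")
```

Both the tunnel-assigned address and the public address are checked, since either one can be the source the ASA shunned.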
Our clients are Windows 7 and this doesn't happen to everybody if at all many. On occasion I have had the Anyconnect client reinstalled on their workstations and it seemed to work. Not sure if the Anyconnect service/drive gets messed up. I haven't had the chance to packet capture the inside interface while the client was connected. I figure if the problem was the ASA that more folks connecting would have the issue.
I am having the same issue with some Windows 8.1 machines. Everyone else works fine. Concentrator and client both show connected but no traffic passes. Disconnecting and reconnecting fixes the issue temporarily.
Have you gotten a resolution?
Show shun statistics shows 0 shuns...
vpnc60a# show shun stat
outside=OFF, cnt=0
inside=OFF, cnt=0
management=OFF, cnt=0
I myself have not got a resolution yet except for having the client reinstalled, and that isn't 100% guaranteed. I have also seen some setting or something with the user's home wifi router causing issues with VPN.