
New Member

FULL-TUNNEL SSL VPN issue with Type: WEBVPN-SVC Result: DROP

Hello all, I'm trying to do this VPN. Before version 8.3 I was doing it, but in this version I can't get the VPNs to work.

I have the action drop by rule, but I can't find what the rule is...?


ms-5510#
ms-5510#
ms-5510# packet-tracer input Internet tcp 172.18.2.5 1025 172.18.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.18.2.0      255.255.255.240 ADMIN1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae39a668, priority=13, domain=permit, deny=false
        hits=1, user_data=0xaaffef40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Phase: 3
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2b5ef8, priority=0, domain=nat-per-session, deny=false
        hits=57160, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad949ba8, priority=0, domain=inspect-ip-options, deny=true
        hits=23784, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any
              
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad86f188, priority=89, domain=punt, deny=true
        hits=7, user_data=0xad196658, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae7cf468, priority=71, domain=svc-ib-tunnel-flow, deny=false
        hits=7, user_data=0x22000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: ADMIN1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ms-5510#


ms-5510# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(5)
Device Manager Version 7.1(6)

Compiled on Thu 27-Mar-14 09:36 by builders
System image file is "disk0:/asa915-k8.bin"
Config file at boot was "startup-config"

ms-5510 up 12 days 11 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 64MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 001d.459f.c23a, irq 9
 1: Ext: Ethernet0/1         : address is 001d.459f.c23b, irq 9
 2: Ext: Ethernet0/2         : address is 001d.459f.c23c, irq 9
 3: Ext: Ethernet0/3         : address is 001d.459f.c23d, irq 9
 4: Ext: Management0/0       : address is 001d.459f.c239, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 50             perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 50             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1146L00U
Running Permanent Activation Key: 0x32055b60 0xcc2a5157 0x20e28d38 0x989430c4 0x841ca9bb
Configuration register is 0x1
Configuration last modified by otorres at 00:55:51.015 UTC Tue Jul 8 2014
ms-5510#
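The question above is which rule the packet-tracer output points at. The transcript does say it: the first phase whose Result is DROP is phase 6, Type WEBVPN-SVC, and its rule lookup lands in the domain svc-ib-tunnel-flow rather than in an access-list domain, even though the final Drop-reason string reads "(acl-drop)". The following script is an added example, not part of the thread; it parses packet-tracer output of this shape and reports the dropping phase with its rule id and domain, so the answer does not have to be picked out of the phases by eye. The SAMPLE text is a constructed, trimmed transcript in the same format as the one posted; all function names are the example's own.

```python
import re

# Constructed sample: a trimmed packet-tracer transcript in the same shape as
# the one in the post (phase layout and rule fields follow the ASA format).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.18.2.0      255.255.255.240 ADMIN1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae39a668, priority=13, domain=permit, deny=false
        hits=1, user_data=0xaaffef40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae7cf468, priority=71, domain=svc-ib-tunnel-flow, deny=false
        hits=7, user_data=0x22000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.18.2.5, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Result:
input-interface: Internet
output-interface: ADMIN1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# A phase runs from its "Phase: N" header to the next header or to the final
# "Result:" line (the bare one; per-phase "Result: ALLOW" lines have a value).
PHASE_RE = re.compile(r"^Phase: (\d+)\n(.*?)(?=^Phase: |^Result:$|\Z)", re.M | re.S)
FIELD_RE = re.compile(r"^(Type|Subtype|Result): ?(.*)$", re.M)
RULE_RE = re.compile(r"id=(0x[0-9a-f]+).*?domain=([\w-]+).*?deny=(true|false)", re.S)
CONFIG_RE = re.compile(r"^Config:\n(.*?)^Additional Information:", re.M | re.S)


def parse_phases(text):
    """Return one dict per phase: number, type, result, matched rule and config lines."""
    phases = []
    for m in PHASE_RE.finditer(text):
        body = m.group(2)
        fields = dict(FIELD_RE.findall(body))
        rule = RULE_RE.search(body)
        cfg = CONFIG_RE.search(body)
        phases.append({
            "phase": int(m.group(1)),
            "type": fields.get("Type", "").strip(),
            "subtype": fields.get("Subtype", "").strip(),
            "result": fields.get("Result", "").strip(),
            "rule_id": rule.group(1) if rule else None,
            "domain": rule.group(2) if rule else None,
            "deny": (rule.group(3) == "true") if rule else None,
            "config": [l.strip() for l in cfg.group(1).splitlines() if l.strip()] if cfg else [],
        })
    return phases


def find_drop(text):
    """Return (first phase with Result DROP, final Drop-reason string)."""
    dropping = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    reason = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return dropping, (reason.group(1).strip() if reason else None)


if __name__ == "__main__":
    phase, reason = find_drop(SAMPLE)
    print(f"dropped in phase {phase['phase']} ({phase['type']}), "
          f"rule {phase['rule_id']} domain {phase['domain']}, deny={phase['deny']}")
    print("drop-reason:", reason)
```

Run against the transcript in the post, the script reports phase 6, rule 0xae7cf468 in domain svc-ib-tunnel-flow with deny=false, which is why no deny entry in the Internet_access_in access-list shows up as the culprit: the drop is attributed to the SSL-VPN tunnel-flow lookup, not to the ACL that phase 2 already permitted.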

3 REPLIES
Cisco Employee

Hi ,

I see that the VPN pool (172.18.2.5-172.18.2.6) is overlapping with the subnet (172.18.2.0) that you need to access through the VPN tunnel. Please try using a different pool, or make sure proxy ARP is enabled.
I am assuming there is no NATting done on the device. Kindly share the output of "show run all sysopt" and "show run all | in nat-control".

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member

My first choice two days ago was a different subnet, but it did not work, so I changed to the same subnet; I thought maybe it would help me.

I attach the test with a different subnet; I have the same behavior.

ms-5510# show vpn-sessiondb full anyconnect                                    

Session Type: AnyConnect ||

Session ID: 38 | EasyVPN: 0 | Username: ssluser | Group: FullSSL-GroupPolicy | Tunnel Group: FullSSL-ConnectionProfile | IP Addr: 172.18.2.17 | Public IP: 189.154.226.140 | Protocol: AnyConnect-Parent SSL-Tunnel DTLS-Tunnel | License: AnyConnect Premium | Session Subtype: Client only | Encryption: AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128 | Login Time: 03:40:56 UTC Tue Jul 8 2014 | Duration: 0h:00m:16s | Inactivity:  0h:00m:00s | Bytes Tx: 11030 | Bytes Rx: 5878 | NAC Result: Unknown | Posture Token:  | VLAN Mapping: N/A | VLAN:  0 ||

ms-5510#
ms-5510# packet-tracer input Internet tcp 172.18.2.17 1025 172.18.2.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.18.2.0      255.255.255.240 ADMIN1

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Internet_access_in in interface Internet
access-list Internet_access_in extended permit ip object POOL-VPN-ADMIN any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad760ed8, priority=13, domain=permit, deny=false
        hits=1, user_data=0xaafff240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Phase: 3
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad2b5ef8, priority=0, domain=nat-per-session, deny=false
        hits=57898, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xad949ba8, priority=0, domain=inspect-ip-options, deny=true
        hits=24886, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any
              
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae726e98, priority=89, domain=punt, deny=true
        hits=102, user_data=0xad196658, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xae429570, priority=71, domain=svc-ib-tunnel-flow, deny=false
        hits=102, user_data=0x26000, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=172.18.2.17, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=Internet, output_ifc=any

Result:
input-interface: Internet
input-status: up
input-line-status: up
output-interface: ADMIN1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ms-5510#
ms-5510# show run all | in nat-control
ms-5510# show run all sysopt          
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp management
no sysopt noproxyarp Internet
no sysopt noproxyarp ADMIN1
no sysopt noproxyarp LABVOZ
ms-5510#
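The first reply raises two things to check: whether the VPN pool overlaps a subnet reached through the tunnel, and whether proxy ARP is enabled on the interfaces, which the "show run all sysopt" output above answers ("no sysopt noproxyarp <ifc>" is the default and means proxy ARP is on). The script below is an added example, not from the thread, that performs both checks offline: pool_overlaps() tests an inclusive pool range against a list of CIDRs, and proxyarp_disabled() pulls the opted-out interfaces from sysopt output. SYSOPT_SAMPLE is a constructed copy of the posted output with the LABVOZ line changed to the disabling form so the check has something to flag; the 172.18.2.0/28 subnet comes from the ROUTE-LOOKUP phase above, and the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample in the shape of the "show run all sysopt" output posted
# above; LABVOZ has been changed to the disabling form for demonstration.
SYSOPT_SAMPLE = """\
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection permit-vpn
no sysopt noproxyarp management
no sysopt noproxyarp Internet
no sysopt noproxyarp ADMIN1
sysopt noproxyarp LABVOZ
"""

# Group 1 is the optional leading "no "; group 2 is the interface name.
NOPROXYARP_RE = re.compile(r"^(no )?sysopt noproxyarp (\S+)\s*$", re.M)


def proxyarp_disabled(sysopt_output):
    """Interfaces on which proxy ARP is turned off.

    "no sysopt noproxyarp X" is the default (proxy ARP on); the bare
    "sysopt noproxyarp X" form disables it. With a pool carved out of an
    inside subnet, the ASA must answer ARP for pool addresses on that
    segment, so a disabled interface here is a finding.
    """
    return [ifc for no, ifc in NOPROXYARP_RE.findall(sysopt_output) if not no]


def pool_overlaps(pool_start, pool_end, subnets):
    """Return the subnets (ip_network objects) sharing any address with the
    inclusive pool range pool_start..pool_end."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    hits = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        # [start, end] intersects net unless one range lies entirely beyond the other.
        if start <= net.broadcast_address and end >= net.network_address:
            hits.append(net)
    return hits


def report(pool_start, pool_end, subnets, sysopt_output):
    """One finding per line for the two checks the first reply asks about."""
    lines = []
    for net in pool_overlaps(pool_start, pool_end, subnets):
        lines.append(f"pool {pool_start}-{pool_end} overlaps {net}: "
                     f"proxy ARP must answer for pool addresses on that segment")
    for ifc in proxyarp_disabled(sysopt_output):
        lines.append(f"proxy ARP disabled on {ifc} (sysopt noproxyarp {ifc})")
    return lines


if __name__ == "__main__":
    # The first pool from the post against the /28 behind ADMIN1, plus the
    # three /24s named in the last reply.
    for line in report("172.18.2.5", "172.18.2.6",
                       ["172.18.2.0/28", "172.18.0.0/24", "172.18.1.0/24", "172.18.3.0/24"],
                       SYSOPT_SAMPLE):
        print(line)
```

With the real output from the post, proxyarp_disabled() returns an empty list, consistent with the reply's second condition already being met; the first pool (172.18.2.5-172.18.2.6) does fall inside 172.18.2.0/28, while the second test's 172.18.2.17 does not, so the overlap check alone does not separate the two tests the poster ran.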

Cisco Employee

By different pool, I meant any IP other than one in the range of 172.18.0.0/24, 172.18.1.0/24 and 172.18.3.0/24.

If this does not help, run a continuous ping to any host behind the firewall, or initiate some traffic from the VPN client to a specific IP.
Apply captures as
"capture capin interface <interface_name(internal host reachable)> match ip host <client_pool_ip> host <internal_host_ip>" and "cap asp type asp-drop all"

Run "show cap capin" and "show cap asp | in <client_pool_ip>", and this should show if there are any packets getting dropped.

Regards,
Dinesh Moudgil
