Cisco Support Community
Community Member

Remote access VPN is working, but packet-tracer is showing drop in webvpn-svc

Hi expert,

I recently noticed a strange thing: my AnyConnect VPN is working, but packet-tracer is always showing the WEBVPN-SVC result as DROP.

If I change to another unused IP address in the VPN pool, then packet-tracer shows allowed, but in fact the PC that successfully connected is always able to reach the webserver.

// The client successfully dials in to the VPN and obtains 3.3.3.1; packet-tracer using this IP shows:

ASA5510# packet-tracer input inside tcp 3.3.3.1 1025 1.1.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.252 dmz

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

// If I use another IP address in the VPN pool (not assigned yet), then it shows allow.

PSS-ASA5510# packet-tracer input inside tcp 3.3.3.2 1025 1.1.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   1.1.1.0         255.255.255.252 dmz

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 30842, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow

From the VPN client PC, 1.1.1.1 port 80 is reachable, but I'm confused by the fact that packet-tracer shows something different.

1 ACCEPTED SOLUTION

Community Member

You need to use an IP that is not already allocated to a client.

See

Testing AnyConnect With Packet Tracer

Pete

3 REPLIES
Community Member

Remote access VPN is working, but packet-tracer is showing drop

anyone?

Hall of Fame Super Silver

Nice one Pete!

Old thread but still a worthwhile contribution.
