I have a weird issue but I can't find a solution for it. I configured SSL VPN on the firewall and my goal was to allow VPN users access to two subnets (10.15.216.0/22 and 10.15.220.0/22). The internal interface of the firewall is attached to the 10.15.220.0 subnet. VPN clients will be assigned an IP address from the firewall IP pool, 10.15.200.0/24.
I already configured appropriate access list:
access-list split_vpn_users standard permit 10.15.220.0 255.255.252.0
access-list split_vpn_users standard permit 10.15.216.0 255.255.252.0
VPN is working when I need to access devices on 10.15.220.0 subnet but I can't get to any devices on 10.15.216.0 subnet. When I do packet tracer I have the following result:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
Any help in troubleshooting this issue would be greatly appreciated.
I see, what is happening here is that you are defining the packet tracer to go from the AnyConnect client IP address (10.15.200.0/24) that should be in the "Outside" and not in the "Inside" to go to the inside.
So the issues here are the following:
1. Make sure whether the 10.15.216.0/24 resides on the inside interface or on another interface.
2. If yes, you should do the packet tracer from the Inside interface or from the pertinent to the outside (IP POOL of the clients) but from the 10.15.216.0 to --> 10.15.200.0/24
3. Make sure there is a NAT exemption from the 10.15.216.0/24 to the IP POOL 10.15.200.0/24.
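The reverse-path check behind the rpf-violated drop discussed in this thread, as an added example that is not part of either post and is not Cisco's implementation: a small model of a strict reverse-path lookup showing why the chosen input interface decides the result. The interface names, the route for 10.15.216.0/22, the default route and the host addresses are assumptions; the thread does not show the firewall's routing table.

```python
import ipaddress

# Constructed routing table for the topology in the thread. The route for
# 10.15.216.0/22 and the default route are assumptions, not from the page.
ROUTES = [
    ("10.15.220.0/22", "inside"),   # directly connected (stated in the question)
    ("10.15.216.0/22", "inside"),   # assumed reachable behind the inside interface
    ("10.15.200.0/24", "outside"),  # AnyConnect pool, clients arrive via outside
    ("0.0.0.0/0", "outside"),       # assumed default route
]

def lookup(ip, routes=ROUTES):
    """Longest-prefix match: interface the firewall would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def trace(input_ifc, src, dst, routes=ROUTES):
    """Model only the route checks: strict reverse-path verify, then egress lookup.

    ACLs, NAT and VPN processing are deliberately left out.
    """
    back = lookup(src, routes)
    if back != input_ifc:
        # The route back to the source points at a different interface
        # than the one the packet was injected on.
        return {"action": "drop", "reason": "rpf-violated", "route_to_source": back}
    return {"action": "allow", "output_interface": lookup(dst, routes)}

if __name__ == "__main__":
    # Constructed host addresses inside the subnets named in the thread.
    # Pool address injected on inside: the route to it points outside, so it drops.
    print(trace("inside", "10.15.200.10", "10.15.216.10"))
    # Same flow injected on outside passes the reverse-path check.
    print(trace("outside", "10.15.200.10", "10.15.216.10"))
    # Return direction, as the answer suggests: 10.15.216.0 towards the pool.
    print(trace("inside", "10.15.216.10", "10.15.200.10"))
    # Without a route for 10.15.216.0/22, the return direction also fails the check.
    no_216 = [r for r in ROUTES if r[0] != "10.15.216.0/22"]
    print(trace("inside", "10.15.216.10", "10.15.200.10", no_216))
```

The last case shows why the answer's first point matters: if the firewall has no route placing 10.15.216.0 behind the inside interface, traffic from that subnet fails the same check even though the trace is entered correctly.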