02-11-2014 10:56 AM - edited 02-21-2020 07:29 PM
ASA 5505, software version 9.1(2)
Clients are using AnyConnect Secure Mobility Client v3.1.03103.
Clients have no issues connecting to VPN, but they use a terminal emulator program to access some online systems and it will not connect over VPN.
The terminal emulator uses SSH to establish connectivity.
On the local network, the SSH connection happens without any issue.
Over VPN through AnyConnect, I cannot see the traffic via Wireshark and I get network timeouts/disconnect from the terminal emulator.
Under the ACL Manager, I have one for the outside_access_in that permits SSH from the RemoteHost to any, so I am not sure where to go with this.
If anyone has any ideas on what to check it would be greatly appreciated.
02-11-2014 02:36 PM
You should not normally need the outside_access_in ACL with a remote access VPN as the default is to bypass access-lists for VPN connections.
Is your connection profile routing the networks (where the servers live) properly to your client?
02-12-2014 10:32 AM
Marvin,
You are correct, "Bypass interface access lists for inbound VPN sessions" is enabled.
Connection profile appears to be correct.
02-12-2014 10:46 AM
As mentioned before the access-group is not required.
Now:
1- Check split-tunneling.
2- Check NAT rules.
3- Place packet-capture on the inside interface of the ASA (if the above is correct).
4- Check ASP drops.
5- Run a packet-tracer.
With this troubleshooting you should have a better idea of what the issue is.
HTH.
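The five checks listed in the reply above, written out as ASA CLI commands. This is an added example and not part of any poster's reply; the addresses and the capture names CAPIN and ASPDROP are constructed placeholders, and `inside` is assumed to be the interface facing the SSH server.

```cisco
! Constructed placeholders (replace with real values):
!   10.0.0.5    = SSH server on the inside network
!   192.0.2.50  = address handed to the AnyConnect client from the VPN pool

! 1 - Split tunneling: confirm the server's network is in the tunneled list
!     and that the client session is bound to the expected group policy
show running-config group-policy
show running-config access-list
show vpn-sessiondb anyconnect

! 2 - NAT: check whether traffic between the inside network and the VPN pool
!     is matched by a translation rule
show running-config nat
show nat detail

! 3 - Capture on the inside interface: does the decrypted SSH SYN leave the
!     ASA toward the server, and does a reply come back?
capture CAPIN interface inside match tcp host 192.0.2.50 host 10.0.0.5 eq 22
show capture CAPIN
no capture CAPIN

! 4 - ASP drops: reset the counters, retry the SSH session, then see which
!     drop reason incremented and which packets were discarded
clear asp drop
show asp drop
capture ASPDROP type asp-drop all
show capture ASPDROP | include 10.0.0.5
no capture ASPDROP

! 5 - Packet-tracer: simulate the server's reply toward the client address;
!     the output lists each phase and the NAT rule that was hit
packet-tracer input inside tcp 10.0.0.5 22 192.0.2.50 1025 detailed
```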