Unable to establish TCP/IP sessions to some systems over AnyConnect VPN
While the IPSec VPN works completely fine, the AnyConnect VPN has issues establishing TCP/IP sessions with some of the servers on the network.
When connected using the SSL-based AnyConnect VPN client, I am able to ping all the systems. However, I can only net view \\hostname into a subset of my systems. The issue is not related to NetBIOS name resolution. The WINS is working fine. I am unable to even net view \\IP_Address. Also, note that IPSec clients work fine and thus I am assuming it is the SSL protocol that is being filtered out.
The strange part is that I can connect to a different set of servers with each VPN session. It isn't always the same servers that work or don't work. Since the problem is seen with different systems with different VPN sessions, it is hard to diagnose.
Here is how far I am -
Packet capturing at the firewall (ASA 5510), Core switches (Catalyst 4500) and the servers show that the SSL packets are only going one way. There is nothing coming the other way. The switches are configured to redirect all traffic for all VLANs to the WAAS. This seems to be an issue with the WAAS WAE device. When I remove the 'ip wccp redirect' commands for all the VLANs, the issue is resolved. I do not see any problems with my VPN.
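A less drastic alternative to removing the `ip wccp redirect` statements altogether is to keep WCCP on but exclude the VPN client traffic from redirection with a redirect-list. The WAE intercepts only TCP, which fits the symptom of ICMP working while TCP sessions fail, and it needs to see both directions of a flow; flows that reach it one-way are exactly the kind of asymmetry the captures above show. The following IOS configuration is an added example written for this post, not the poster's own configuration: the VLAN numbers, the `WAAS-REDIRECT` ACL name, and the VPN client pool 192.0.2.0/24 are placeholders to be replaced with the real values.

```text
! Before (assumed layout, not the poster's actual config):
! every VLAN SVI hands all TCP flows to the WAE, including
! the AnyConnect client pool.
ip wccp 61
ip wccp 62
!
interface Vlan10
 ip wccp 61 redirect in
!
interface Vlan20
 ip wccp 62 redirect in

! After: an extended ACL used as a WCCP redirect-list.
! Entries that match "deny" are NOT redirected to the WAE;
! entries that match "permit" are. 192.0.2.0/24 stands in
! for the AnyConnect address pool.
ip access-list extended WAAS-REDIRECT
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip any 192.0.2.0 0.0.0.255
 permit tcp any any
!
ip wccp 61 redirect-list WAAS-REDIRECT
ip wccp 62 redirect-list WAAS-REDIRECT
!
! The "ip wccp 61/62 redirect in" statements on the SVIs stay
! as they are; the redirect-list is applied to the service
! group, so it governs every interface in that group.
```

After applying the list, `show ip wccp` on the switch confirms the redirect-list is attached to service groups 61 and 62, and a new AnyConnect session should show both directions of the TCP handshake in a capture on the server side, since those flows now bypass the WAE.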