vpn-filter permit any any blocks all AnyConnect traffic

I am using AnyConnect with Radius on an asa5510. Radius defines which group-policy should apply to each AnyConnect client.

I'd like to use a different vpn-filter for each group-policy group.  With no vpn-filter defined, AnyConnect clients can communicate with inside networks and outside (via nat).  However, defining any vpn-filter asa group-policy attribute seems to drop all connectivity for AnyConnect client tunnels in that group.  Even something as simple as:

    access-list FILTER1 extended permit ip any any
    group-policy GROUP1 attributes
     vpn-filter value FILTER1

...seems to drop all traffic.  Deleting the single vpn-filter line restores connectivity. 

I'm unsure how to packet-trace traffic entering via AnyConnect to see where the problem lies. 

-Bradley

4 REPLIES

Did you reconnect the AnyConnect VPN after the changes, or did you stay connected to AnyConnect after the changes?

Thanks, Jennifer: yes, I am bringing up a new AnyConnect session after making the changes, to test. Is there a way to do a "packet trace" which shows packet flow through a vpn-filter?

What version of ASA and AnyConnect are you running?

    Hardware:   ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    This platform has an ASA 5510 Security Plus license.
    System image file is "disk0:/asa825-k8.bin"
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

My AnyConnect client is version 2.5.0217
