I'm running 8.0.4 on two ASAs in active/passive mode with client-to-site IPSEC and SSL VPN tunneling active. This issue occurs whether I connect via IPSEC or SSLVPN.
I have a variety of machines pointing to the ASAs as their default gateway, which work fine using RDP or any other type of connection from the VPN clients. Other servers point to a Sonicwall firewall as their default gateway, which has a route to the ASAs for the network the VPN clients sit on.
The ICMP redirect seems to work correctly, as I see a route entry for the VPN client (pointing to the ASAs) in the route tables of the servers that use the Sonicwalls as their default gateway.
From the VPN client, I can ping ALL servers but cannot connect via RDP or any other method to the servers using the Sonicwall. I fired up a sniffer and see a RST coming from the clients back to the server, and I'm not sure why. This is what Wireshark shows:
Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set
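The Wireshark line above is a dissector consistency check, not a protocol error on its own: a segment carries a non-zero acknowledgment number although its ACK flag is clear, which is typical of a bare RST emitted by a host that never saw the matching half of the conversation. The following is an added example, not code from this thread, that decodes a raw TCP header and reproduces that check so the condition can be flagged in a capture; the header bytes and port numbers are constructed here for illustration.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header (RFC 793 field layout)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flag_bits = off_flags & 0x1FF                # low 9 bits hold the flags
    flags = {name for name, bit in TCP_FLAGS.items() if flag_bits & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": data_offset, "flags": flags}


def tcp_sanity_warnings(hdr: dict) -> list:
    """Consistency checks of the kind a dissector applies; the first one is
    the 'Broken TCP' message quoted in the post."""
    warnings = []
    if hdr["ack"] != 0 and "ACK" not in hdr["flags"]:
        warnings.append("acknowledgment field nonzero while ACK flag not set")
    if {"SYN", "FIN"} <= hdr["flags"]:
        warnings.append("SYN and FIN set together")
    if hdr["data_offset"] < 20:
        warnings.append("data offset smaller than minimum header")
    return warnings


def build_tcp_header(sport, dport, seq, ack, flags, window=8192) -> bytes:
    """Constructed test header: data offset 5 (20 bytes), checksum left zero."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flag_bits, window, 0, 0)


# Constructed samples (port numbers are assumed): a bare RST from the VPN
# client toward the RDP port that still carries a non-zero ack number, next
# to a well-formed RST/ACK for comparison.
BROKEN_RST = build_tcp_header(51000, 3389, 1000, 4242, ["RST"])
CLEAN_RST_ACK = build_tcp_header(51000, 3389, 1000, 4242, ["RST", "ACK"])

if __name__ == "__main__":
    for label, seg in (("broken", BROKEN_RST), ("clean", CLEAN_RST_ACK)):
        print(label, tcp_sanity_warnings(parse_tcp_header(seg)))
```

Feeding the TCP layer of each packet from the capture through `tcp_sanity_warnings` isolates exactly the segments Wireshark flagged, which makes it easy to confirm they all originate on the asymmetric path through the Sonicwall-gatewayed servers.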
Re: VPN Traffic Issue - Different Default Gateways
If you move the DG of a server to the ASA, can you RDP in then? May help rule out the ASA as the problem. Sounds like the traffic is coming in the ASA and trying to go out the Sonicwall. A workaround solution may be to add a route statement to the server stating that the remote VPN client network IP scheme can be found at the ASA. From a command prompt: route add [networkIP] mask [subnetmask] [ASAIPAddress], i.e. route add 10.1.1.0 mask 255.255.255.0 192.168.1.254. If this resolves the issue then the problem is in the Sonicwall. Please rate if this helps.