We have some trouble with our ASA dropping certain traffic between AnyConnect clients and hosts on the other end of a s-2-s VPN connected to the ASA. All local parts of the network can be accessed without problems.
Packet tracer says it's dropped by an ACL but we cannot find that ACL:
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff312fe960, priority=11, domain=permit, deny=true
hits=25112, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
The problem occurs with AnyConnect only. If users use the old IPsec client they can access the network on the other end of the s-2-s tunnel just fine.
same-security-traffic permit intra-interface is enabled (VPN traffic goes out the same interface).
Any ideas what the problem might be?
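As an added example (not part of the original post), a small Python helper that parses a packet-tracer phase like the one quoted above and checks whether the matched rule is the ASA's catch-all implicit deny (deny=true with 0.0.0.0/0.0.0.0 source and destination) rather than a named ACE; the sample input is the phase from the post, embedded as a constructed string.

```python
import re

# Constructed sample: the packet-tracer phase quoted in the post above.
SAMPLE = """\
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff312fe960, priority=11, domain=permit, deny=true
hits=25112, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
"""

# key=value pairs on the rule lines; keys may contain spaces and '/' (e.g. "src ip/id")
KV = re.compile(r"(\w[\w/ ]*?)=([^,\s]+)")

def parse_phase(text: str) -> dict:
    """Parse one packet-tracer phase: 'Key: value' lines fill the top level, bare lines
    continue the previous key, and 'k=v, k=v' lines fill 'rule' (src_/dst_ prefixed)."""
    info: dict = {"rule": {}}
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line:
            # src/dst lines both carry 'mask' and 'port', so prefix them to avoid collisions
            prefix = line.split(" ", 1)[0] if line[:4] in ("src ", "dst ") else ""
            for k, v in KV.findall(line):
                key = k.strip().replace(" ", "_")
                if prefix and not key.startswith(prefix):
                    key = f"{prefix}_{key}"
                info["rule"][key] = v
        elif ":" in line:
            key, _, val = line.partition(":")
            last_key = key.strip().lower()
            info[last_key] = val.strip()
        elif last_key:
            info[last_key] = (info[last_key] + " " + line).strip()
    return info

def is_implicit_deny(phase: dict) -> bool:
    """True when the drop is the catch-all deny (deny=true, src and dst 0.0.0.0/0.0.0.0),
    i.e. nothing configured matched this flow before the default rule on input_ifc."""
    r = phase["rule"]
    return (phase.get("result") == "DROP" and r.get("deny") == "true"
            and r.get("src_ip/id") == r.get("src_mask") == "0.0.0.0"
            and r.get("dst_ip/id") == r.get("dst_mask") == "0.0.0.0")
```

When is_implicit_deny() is true, the rule id in the output is not a configured ACE to look up; the thing to find is whatever should have permitted the flow on input_ifc before the default deny was reached.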