Thursday, August 6, 2020

Cisco ASA 5516 AnyConnect VPN + RIP Route issue

Hey all, wondering if you guys have ever experienced this. I'm on day 2 of working w/ TAC Support on it and they seem stumped.

We have an HA pair of ASA 5516s that handle our site-to-site and AnyConnect VPNs into our network. Recently I decided to upgrade to FW version 9.13.1.12 from 9.13.(1) to patch the AnyConnect vulnerability that was seen out in the wild. And by doing this I uncovered an issue on our Primary pair member... I say uncovered because I am newer here and cannot think of any time in which we have failed over, so I can't confidently say if this issue has always existed or is new w/ this firmware...

The issue is this: users can AnyConnect in successfully. I tested w/ 9 users. 8 of them got in no problem, got IPs, traversed the network. #9 connects to AnyConnect, gets an IP, and suddenly can't do anything on the network. No traversing, DNS is broken, can't ping anything...

Troubleshot the hell out of this w/ TAC and it's just that SOME IPs designated from that pool for some reason are not getting advertised in the router's RIP.

For example: PC7 might get 172.16.0.4, PC8 gets 172.16.0.5, PC9 gets 172.16.0.6
ASA advertises RIP Route for 172.16.0.4, 172.16.0.5, but NOTHING for 172.16.0.6
If we destroy the whole Group + Pool and just start w/ a Pool w/ 1 address, 172.16.0.6, issue still occurs...
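A quick way to pin down which assigned pool addresses have no route behind them is to diff the VPN session list against the routing table rather than pinging by hand. The script below is an added example, not code from the post author or from Cisco: it parses constructed text shaped like the ASA `show vpn-sessiondb anyconnect` and `show route` outputs (the sample data is invented to reproduce the .4/.5/.6 symptom above) and reports every assigned client address that no route more specific than the default covers. It goes slightly beyond the per-host case in the post: a summary route for the whole pool also counts as coverage, while the default route is deliberately ignored because it covers everything and proves nothing. The regexes and the field names they look for (`Assigned IP`, the route code/network/mask columns) are assumptions about the output format, so adjust them if your platform prints the fields differently.

```python
"""Report AnyConnect-assigned addresses that lack a covering route.

Added example, not from the original post. The parsers work on constructed
text shaped like Cisco ASA 'show vpn-sessiondb anyconnect' and 'show route'
output; the sample data below is invented to mirror the symptom in the post
(an address that is assigned but never appears as a route).
"""
import ipaddress
import re

# Constructed sample: three AnyConnect sessions, matching the post's PC7..PC9.
SESSION_DUMP = """\
Session Type: AnyConnect

Username     : pc7                    Index        : 101
Assigned IP  : 172.16.0.4             Public IP    : 198.51.100.7
Username     : pc8                    Index        : 102
Assigned IP  : 172.16.0.5             Public IP    : 198.51.100.8
Username     : pc9                    Index        : 103
Assigned IP  : 172.16.0.6             Public IP    : 198.51.100.9
"""

# Constructed sample in ASA-like 'show route' format: per-client /32 routes
# exist for .4 and .5, but nothing except the default route covers .6.
ROUTE_DUMP = """\
Codes: L - local, C - connected, S - static, R - RIP ...
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C        203.0.113.0 255.255.255.0 is directly connected, outside
C        10.0.0.0 255.255.255.0 is directly connected, inside
S        172.16.0.4 255.255.255.255 [1/0] via 203.0.113.1, outside
S        172.16.0.5 255.255.255.255 [1/0] via 203.0.113.1, outside
R        10.20.0.0 255.255.0.0 [120/1] via 10.0.0.254, inside
"""

# Field layout assumed from the constructed samples above.
ASSIGNED_RE = re.compile(r"Assigned IP\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+"
    r"(?P<net>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\b"
)


def parse_assigned_ips(text):
    """Return the client addresses handed out by the VPN pool, in order."""
    return [ipaddress.ip_address(m) for m in ASSIGNED_RE.findall(text)]


def parse_routes(text):
    """Return (route code, network) pairs from ASA-style 'show route' text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:  # header lines such as 'Codes:' or 'Gateway of last resort'
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append((m["code"], net))
    return routes


def missing_routes(assigned, routes):
    """Addresses with no route more specific than the default covering them.

    A per-client /32 is what reverse route injection normally installs, but a
    summary route for the whole pool counts as coverage too. The default route
    (prefix length 0) is skipped because it would hide exactly the gap we want.
    """
    missing = []
    for ip in assigned:
        covered = any(ip in net for _code, net in routes if net.prefixlen > 0)
        if not covered:
            missing.append(ip)
    return missing


def report(session_text=SESSION_DUMP, route_text=ROUTE_DUMP):
    """Return the uncovered assigned addresses as dotted strings."""
    gaps = missing_routes(parse_assigned_ips(session_text), parse_routes(route_text))
    return [str(ip) for ip in gaps]


if __name__ == "__main__":
    for ip in report():
        print(f"assigned but no covering route: {ip}")
```

Run it against the two command outputs captured from the active unit right after a client lands on a "dead" address; if the address shows up here, the gap is on the ASA side (no route to redistribute), and if it does not, the route exists locally and the next place to look is the RIP redistribution and the neighbouring router's received updates.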

Scheduled to get on with yet another tech. One wanted to try a different FW version, but others from the VPN team said they want to keep looking first because there are no known bugs w/ this FW. Ever see anything like this?
