Thanks for looking. Up for a maint window, and look what I find from the bug feed:
Bug Id: CSCty32412
Headline: ASA: Anyconnect u-turn to ipsec tunnel fails after upgrade to 8.4.3.1
Description:
Symptom: ASA after an upgrade to 8.4.3.1 or later, AnyConnect traffic that will u-turn (hairpin) to an IPsec LAN-to-LAN tunnel is dropped. "show asp drop" shows the following reason: Expired VPN context (vpn-context-expired). No log message is generated for the drops.
Conditions: AnyConnect client u-turns into an IPsec LAN-to-LAN tunnel.
Workaround: 1) Downgrade to 8.4.3. 2) Use the IPsec VPN client as a temporary workaround.
Status: Assigned
Last Modified date: 2012-03-25 18:09:13.0
Url: https://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCty32412
Listed as a sev1.
-ryan
-----Original Message-----
From: Jay McMickle [mailto:jay.mcmickle_at_yahoo.com]
Sent: Sunday, March 25, 2012 4:56 PM
To: Ryan West
Cc: CCIE Lab
Subject: Re: OT: Remote Access VPN 8.4(2)+
I'm not in front of an ASA, but I don't believe you need the out,out nat. That's mainly for DNS rewrite.
Have you applied "permit same-security traffic intra"? If the hairpin VPN was working prior to the upgrade, I doubt it's that. Next, I thought of proxy-arp, but you mentioned that's been done. The only other item could be your 8.4 equivalent of no-nat.
What does your nat statement look like for the VPN subnets?
Regards,
Jay McMickle- CCNP,CCSP,CCDP
Sent from iJay
On Mar 25, 2012, at 2:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
> Before I go the TAC route, I'm wondering if anyone has come across this one. I was running 8.4(1)11 and had fully migrated all NAT rules to working 8.3+ versions. After the upgrade to 8.4(3), I ran into issues with proxy-arp, which have been solved. Remote access VPNs with destinations across site to site tunnels is where I'm stuck. A twice nat (outside,outside) makes sense to me, but does not work. The previous method of no nat that translates into a twice nat is also failing.
>
> Has anyone come across this type of config and can post a sanitized snippet for the twice nat?
>
> For illustration, let's say my ip local pool is 10.1.1.0/24 and the fw has a site to site tunnel to 10.1.2.0/24. Assume that I have same-security permit intra-interface already configured as well. I'll post configs later.
>
> Thanks!
>
> -ryan
>
> Sent from handheld
>
>
> Blogs and organic groups at http://www.ccie.net
>
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Received on Mon Mar 26 2012 - 08:09:16 ART
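For readers who land on this thread looking for the "sanitized snippet for the twice nat" Ryan asked for, the following is an added illustration, not a config posted by anyone in the thread. It uses the addresses Ryan gave for illustration (remote-access pool 10.1.1.0/24, site-to-site network 10.1.2.0/24); the object names RA_POOL and L2L_NET, the crypto ACL name L2L_CRYPTO and the interface name "outside" are assumptions. It shows the 8.3+ pattern for hairpinned remote-access traffic: an identity twice NAT on (outside,outside) with proxy ARP disabled (the proxy-arp problem mentioned earlier in the thread), the intra-interface permit, and the crypto ACL entry that must cover the pool on both peers. The verification commands at the end are how you would tell a NAT or crypto-ACL mistake apart from the CSCty32412 drops, which are counted only in "show asp drop" and produce no syslog.

```cisco
! --- Added example config (not from the thread); names below are assumed ---
! Objects for the AnyConnect pool and the far side of the LAN-to-LAN tunnel
object network RA_POOL
 subnet 10.1.1.0 255.255.255.0
object network L2L_NET
 subnet 10.1.2.0 255.255.255.0
!
! Remote-access clients enter and leave on the same interface, so hairpinning
! must be explicitly permitted.
same-security-traffic permit intra-interface
!
! 8.3+ "no-nat" for the hairpin: identity twice NAT on outside,outside.
! no-proxy-arp stops the ASA answering ARP for the pool/remote nets on outside;
! route-lookup makes the egress interface come from the routing table.
nat (outside,outside) source static RA_POOL RA_POOL destination static L2L_NET L2L_NET no-proxy-arp route-lookup
!
! The pool must be "interesting traffic" for the site-to-site tunnel, and the
! remote peer's crypto ACL must mirror this (L2L_NET -> RA_POOL).
access-list L2L_CRYPTO extended permit ip object RA_POOL object L2L_NET
!
! --- Verification, run from enable mode ---
! 1. Confirm the identity NAT is matched and proxy ARP is off for it
show nat detail
! 2. Simulate a client in the pool reaching the remote site; the trace should
!    show the NAT line above, then an IPsec/VPN encrypt phase, not a NAT drop
packet-tracer input outside icmp 10.1.1.5 8 0 10.1.2.10 detailed
! 3. Confirm the SA to the remote peer actually carries the pool's proxy identity
show crypto ipsec sa
! 4. The CSCty32412 signature: no syslog, just this counter climbing while a
!    client sends traffic across the tunnel
clear asp drop
show asp drop
!    look for: Expired VPN context (vpn-context-expired)
! 5. Code level, since the bug is tied to 8.4.3.1 and later per the bug notes
show version | include Version
```

If packet-tracer already shows the flow dropped at a NAT or ACCESS-LIST phase, the configuration is the problem; if it passes cleanly and only the vpn-context-expired counter increments for live traffic, you are looking at the bug behaviour described above, and the thread's workaround (8.4.3 or the IPsec client) applies.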