MVP
Posts: 385
Registered: ‎05-09-2013

Aruba 7210 - Cisco AnyConnect issue

Hi everybody,

I have a customer who utilizes Cisco's VPN "AnyConnect". Currently they allow vendors to use the VPN on the guest network which is only captive portal username/login. They are denying internal networks, but using "allowall" below the deny in the firewall rules. Users can successfully connect to the guest network and access the internet, but they cannot launch their VPN client.

Could the deny-internal-network rule be causing the issue?

If not, are there additional firewall rules (ports to allow, addresses to allow)?

I also tried adding a rule to allow the specific IP address for the user in the Guest role for the VPN server 205.73.16.5 255.255.255.0, but I received an error stating "invalid ipaddress/subnet mask".

Any ideas?

Thanks for the help!


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Aruba 7210 - Cisco AnyConnect issue

I would use "show datapath session table <ip address of that client>" to see what gets denied. It is possible that the VPN client is using an internal DNS server or something.

Colin Joseph
Aruba Customer Engineering


MVP
Posts: 516
Registered: ‎11-04-2011

Re: Aruba 7210 - Cisco AnyConnect issue

For the access list part, the IP 205.73.16.5 does indeed not match the subnet 255.255.255.0. Use 205.73.16.0 instead to match that subnet.
--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
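
The address/mask mismatch discussed in this thread, as an added example that is not part of the original posts or of any Aruba tooling: a small Python check that rejects an entry whose address has host bits set under the given mask, and proposes both the enclosing network and the single-host form. The function name `check_acl_entry` and the sample list are assumptions made for illustration; the single-host suggestion goes beyond the subnet fix given in the thread.

```python
import ipaddress

def check_acl_entry(address: str, mask: str) -> dict:
    """Check an address/netmask pair the way a strict ACL parser would."""
    ip = int(ipaddress.IPv4Address(address))
    mask_int = int(ipaddress.IPv4Address(mask))
    wildcard = ~mask_int & 0xFFFFFFFF  # bits the mask leaves to the host

    # A valid netmask is contiguous 1-bits then 0-bits, so wildcard is 2^n - 1.
    if wildcard & (wildcard + 1):
        return {"valid": False, "reason": "non-contiguous mask", "suggest": []}

    prefix = 32 - wildcard.bit_length()
    if (ip & wildcard) == 0:
        return {"valid": True, "reason": f"network /{prefix}", "suggest": []}

    # Host bits are set: offer the enclosing network (broad) and the
    # single-host form (narrow, least privilege for one VPN gateway).
    network = str(ipaddress.IPv4Address(ip & mask_int))
    return {
        "valid": False,
        "reason": f"host bits set for /{prefix}",
        "suggest": [(network, mask), (address, "255.255.255.255")],
    }

if __name__ == "__main__":
    # Constructed sample entries; the first pair is the one from the thread.
    samples = [
        ("205.73.16.5", "255.255.255.0"),
        ("205.73.16.0", "255.255.255.0"),
        ("205.73.16.5", "255.255.255.255"),
        ("205.73.16.5", "255.0.255.0"),
    ]
    for addr, mask in samples:
        print(addr, mask, check_acl_entry(addr, mask))
```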