Wireless Access


Aruba 7210 - Cisco AnyConnect issue

Hi everybody,


I have a customer who utilizes Cisco's VPN "AnyConnect". Currently they allow vendors to use the VPN on the guest network which is only captive portal username/login. They are denying internal networks, but using "allowall" below the deny in the firewall rules. Users can successfully connect to the guest network and access the internet, but they cannot launch their VPN client.


Could the deny-internal-network rule be causing the issue?


If not are there additional firewall rules (ports to allow, addresses to allow)


I also tried adding a rule to allow the specific IP address for the user in the Guest role for the VPN server, but I received an error stating "invalid ipaddress/subnet mask" 


Any ideas?


Thanks for the help!

Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite

Re: Aruba 7210 - Cisco AnyConnect issue

I would use "show datapath session table <ip address of that client>" to see what gets denied.  It is possible that the VPN client is using an internal DNS server or something.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Aruba 7210 - Cisco AnyConnect issue

For the access list part, the IP does indeed not match the subnet Use instead to match that subnet.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
Showing results for 
Search instead for 
Did you mean: