AnyConnect VPN Subnet Can't Communicate w/ LAN DC

nathandodson
Just browsing


This might be a greater structural issue, but I am having trouble getting VPN clients to see an internal network resource, our domain controller. We are in the middle of an ISP transition (new public IPs) so the topology is kinda strange.


Essentially, we have our old network which was a flat, non-segmented network on subnet 192.1.1.0/24. This network contains resources that need to be accessible while I transition all of the servers and clients over to the new network.


The new network, headed by an MX85, has multiple VLANs setup, as well as StS VPN and the AnyConnect client VPN. For testing, I set up a VLAN (99) with a matching subnet to the old network, 192.1.1.0/24 with the MX assigned an out-of-use IP 192.1.1.240 . There are static routes setup so that traffic in the old network can access MX LANs via the 240 gateway. The corporate client VLAN (20) is 192.100.20.0/24. There is a firewall rule allowing traffic between the client subnet and the "Old Network" VLAN.


This seems to work well, and client VLAN traffic can access network resources from the old network. This includes resolution of DNS, which is handled by a server at 192.1.1.13, our domain controller, and is necessary for RDP and other functions.


However, when it comes to the VPN, there are odd quirks. I can't ping the DNS server, although it seems like I can access other resources via ICMP or even through normal expected methods, such as logging into a web portal. In fact, all services except the domain controller are accessible afaict. I don't know exactly what to make of this. When I ping the DC, I get an immediate "General Failure" error.


I also cannot see ICMP traffic from the client VPN IP to the DC when I do a packet capture. I can see other traffic, though.


I'm relatively inexperienced when it comes to networking; I'm just a one-man team right now, so any ideas to try would be appreciated. It's worth noting that we will eventually be sunsetting the old infrastructure. This is an interim step to maintain availability during an ISP transition.

EDIT:
The VPN is not in split tunneling mode. All client traffic is passed through.

2 Replies
Mloraditch
A model citizen

Are you routing your new client VPN subnet to the MXs from the old network? If things are working internally fine crossing VLANs, that would be my suspicion from a network configuration standpoint. If you have that and it's still not working, it's possible the active default gateway on the old subnet or the server itself have firewall rules not allowing the traffic.

nathandodson
Just browsing

Yep, I have a static route set up on the old subnet's primary router to point traffic back to the MX. I will double check the firewall rules, but I'm pretty sure there isn't anything that would be blocking the traffic.
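A diagnostic pass for the two checks raised in this thread (client-side route selection behind the "General Failure", and the DC's own firewall scope and return path), as an added example that is not code from any poster. The AnyConnect client address is a placeholder, since the thread never states the VPN pool.

```powershell
# Added diagnostic for this thread; not code from any poster.
# ASSUMPTION (not given in the thread): $VpnClient is a placeholder for an address
# from the AnyConnect pool configured on the MX.
$Dc        = '192.1.1.13'      # domain controller / DNS on the old flat subnet
$VpnClient = '192.100.99.10'   # PLACEHOLDER: one connected AnyConnect client

# ---- Part 1: run on the Windows AnyConnect client ----
# ping's "General failure" is raised by the local IP stack before a packet is sent,
# which matches the empty capture. Show which interface Windows would use for the DC:
# with the full tunnel it should be the AnyConnect adapter, not the local Wi-Fi/LAN.
Find-NetRoute -RemoteIPAddress $Dc |
    Format-List InterfaceAlias, IPAddress, DestinationPrefix, NextHop, RouteMetric

# Every route that could cover 192.1.1.0/24, side by side, so an overlapping entry
# from another adapter (e.g. a home LAN that also uses 192.1.1.0/24) stands out.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -like '192.1.1.*' -or $_.DestinationPrefix -eq '0.0.0.0/0' } |
    Sort-Object RouteMetric |
    Format-Table InterfaceAlias, DestinationPrefix, NextHop, RouteMetric -AutoSize

# ICMP is often filtered; probe the AD service ports (DNS, LDAP, SMB) as a second check.
foreach ($port in 53, 389, 445) {
    "$Dc`:$port reachable = " + (Test-NetConnection -ComputerName $Dc -Port $port -InformationLevel Quiet)
}

# ---- Part 2: run on the DC (192.1.1.13) ----
# Mloraditch's second suspicion: the host firewall. Enabled inbound allow rules whose
# remote-address scope is narrower than 'Any' will not match the VPN pool unless listed.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        if (-not ($scope.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ($scope.RemoteAddress -join ', ')
            }
        }
    } | Format-Table -AutoSize

# The return path: from the DC, packets for the VPN pool go to the old router, which
# must forward them to the MX at 192.1.1.240 (the static route described in the thread).
Test-NetConnection -ComputerName $VpnClient -TraceRoute | Select-Object -ExpandProperty TraceRoute
```

Run Part 1 while the VPN is connected and compare the interface chosen for the DC with the one chosen for a resource that does work; if the trace in Part 2 never reaches 192.1.1.240, the old router's static route is the place to look.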
