No Connectivity to Auto-VPN Peer networks when connected to Anyconnect Client VPN

SOLVED
MFisher
Here to help

No Connectivity to Auto-VPN Peer networks when connected to Anyconnect Client VPN

We have a small distributed network with 8 or so Auto-VPN peers connecting to our main Hub.  On our Main Hub, we recently implemented the "Security & SD-WAN > Client VPN > AnyConnect Settings".  We will need connectivity to the peer subnets at the various other sites that terminate using the Auto-VPN to this hub.

 

The subnet used by the AnyConnect client VPN is "enabled" in the VPN settings "Security & SD-WAN > Site to Site VPN".  The other Auto-VPN peers are also "enabled" there.  I also added an outbound firewall rule to allow the Client AnyConnect VPN subnet source to the destination Auto-VPN peer subnets.

 

I can see there are routes to the Auto-VPN peer subnets in the routing table, as well as the Client AnyConnect VPN.

 

Despite all of this, we do not have connectivity to the Auto-VPN peer subnets while connected to the Client AnyConnect VPN.

 

Any advice would be appreciated, thanks

1 ACCEPTED SOLUTION
MFisher
Here to help

I figured it out, the remote subnets that terminate at the hub were not specified in the "site to site out-bound firewall" rules.  Specifying an allow from our AnyConnect subnet to those subnets corrected the issue.  

 

I had mistakenly added that same rule under the standard outbound firewall rules.

View solution in original post

4 REPLIES 4
KarstenI
Kind of a big deal
Kind of a big deal

Are the external subnets part of your Split-Tunneling definition?

They are not, the split tunnel settings appear to state that it pushes that routing to the client and would "send all client traffic through the VPN except traffic to those subnets"

 

But I would want the traffic to those subnets to traverse the VPN since its the only way to get to those subnets hosted in the Auto-VPN.  Correct?

KarstenI
Kind of a big deal
Kind of a big deal

Yes, these subnets need to be included into the VPN traffic.

MFisher
Here to help

I figured it out, the remote subnets that terminate at the hub were not specified in the "site to site out-bound firewall" rules.  Specifying an allow from our AnyConnect subnet to those subnets corrected the issue.  

 

I had mistakenly added that same rule under the standard outbound firewall rules.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels