
No Audio between VPN clients

mike
Level 1

Hi all,

First off - I am no security expert with security products (barely literate at the subject), but I'm running into an issue with a small group of teleworkers that cannot call or video conference with each other. As I was troubleshooting I noticed that none of my VPN users can ping any other VPN users, but can ping the internal network. I'm sure it is a NAT exemption issue, but I cannot narrow it down. I've been through a dozen posts with similar symptoms, but nothing has helped as of yet. Can someone take a look at the attached config and help me identify what I'm missing? I'd greatly appreciate it.

Thanks folks,

MP


Dinesh Moudgil
Cisco Employee

Hello Mike,

I see two connection profiles here:
tunnel-group PCS_VPN type remote-access
tunnel-group SSL type remote-access


Can you please confirm on which specific tunnel-group the user connects out of the above?

Additionally, I see the pool IPs to be in the 172.20.1.0 and 172.20.2.0 range, whereas the inside interface IP is 172.20.1.1, which is in the same range. Just a suggestion: this kind of setup creates issues, so it is suggested that you use a different subnet for the pool range.

Lastly, if you could confirm which IP the VPN users are not able to connect to, for reference, that will be helpful.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks for the reply Dinesh!

The tunnel-group PCS_VPN is what the users are connecting in over. The SSL was for some remote phones that are no longer in use. 

I appreciate the advice about the different IP pools for the VPN users. I was trying to keep it simple since I'm so unfamiliar, so it wouldn't surprise me if it caused some issues. I will look into changing the VPN ranges in the future.

Also - I should have provided this info in the original post. Here is the subnet breakdown.

External - 192.168.1.X

Internal Data subnet - 172.20.1.X

Internal Voice subnet - 172.20.2.X

Thanks,

Mike P.

Just to close the loop on this. I was tinkering around this evening and found the following command that corrected this.

"same-security-traffic permit intra-interface"

It appears that the ASA5506 doesn't like traffic entering and exiting the same interface without that command.

Thanks!

Mike P.
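
The two points raised in this thread (the missing `same-security-traffic permit intra-interface` command and a VPN pool that sits inside the inside interface's subnet) can be checked offline against a saved running config. The script below is an added example, not part of any post above; the sample config is constructed, and its interface names, masks and pool bounds are assumptions rather than values from the attached config.

```python
import ipaddress
import re

# Constructed sample, not the poster's attached config. Subnets follow the
# breakdown given in the thread; masks and pool bounds are assumed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 192.168.1.2 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 ip address 172.20.1.1 255.255.255.0
ip local pool VPN_POOL 172.20.1.200-172.20.1.220 mask 255.255.255.0
tunnel-group PCS_VPN type remote-access
"""

HAIRPIN = "same-security-traffic permit intra-interface"

def audit_asa_config(text):
    """Return findings that affect VPN client-to-client reachability."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    # Client-to-client traffic enters and leaves the same interface.
    if HAIRPIN not in lines:
        findings.append("missing: " + HAIRPIN)
    # Collect directly connected subnets, keyed by nameif.
    subnets, nameif = {}, None
    for ln in lines:
        if ln.startswith("interface "):
            nameif = None
        elif ln.startswith("nameif "):
            nameif = ln.split()[1]
        else:
            m = re.match(r"ip address (\S+) (\S+)", ln)
            if m and nameif:
                subnets[nameif] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
    # Flag address pools whose range falls inside a connected subnet.
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", ln)
        if not m:
            continue
        ends = [ipaddress.ip_address(m.group(i)) for i in (2, 3)]
        for name, net in subnets.items():
            if any(ip in net for ip in ends):
                findings.append(f"pool {m.group(1)} overlaps {name} {net}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_asa_config(SAMPLE_CONFIG)) or "no findings")
```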