Can send request through AnyConnect, but can't receive response through AnyConnect


I am a web developer trying to have an issue resolved that I believe is either a hardware or a networking issue, but all sides of communication indicate they have checked what they need to, yet it still has not been resolved.

We have a connection set up using AnyConnect on Computer A. Company B provides the profile for AnyConnect. Company A turns on Cisco AnyConnect on Computer A and is assigned IP 11.10.26.10. Company A sends a request to Company B. Company B receives the request. Company B sends a response to the service on http://11.10.26.10/Service.asmx, which is Company A's service on Computer A. However, Company B gets "endpoint doesn't exist" and can't connect to the remote computer.

Pinging 11.10.26.10 from Computer A results in General Failure.

Company A says they see traceroutes from Wireshark to Computer A from Company B.

Company C is working just fine, however, Company C uses the old Cisco VPN Client. Pinging assigned IP address results in reply messages. (EDIT) Company C is also connected via Company B's old domain.

Firewalls/Antivirus on Computer A have been turned off.

Company B provided Network Firewall rules, which mainly looked to be outgoing rules.

(EDIT) Using AnyConnect with same credentials on other machines outside Company A network results in the same "General Failure" Ping.

(EDIT) Capture of request and response from Company B VPN/FW appliance shows that request goes through, but response back to Computer A results in Resets.

(EDIT) Route prints from Computer A show there could be differences between Company C and Company A. These have been sent to Company B to review.

Any help would be appreciated, and I can provide more information where possible. Could this be related to split-tunneling? What areas could I have them check?

jmcclure

Posted 2019-07-29T19:12:58.097


Answers


This is most likely NOT a hardware issue. It sounds more like a networking problem. Most likely a firewall. When executing a ping and you get a general failure, this normally happens when the network adapter is disabled / not available (probably not your issue), the adapter is available but Computer B does not have a route to the destination (Computer A), or the HOST BASED firewall (in this case on Computer B) is preventing outgoing traffic to the destination (I bet this is it).

If Computer B is running Windows, execute a "route print" in Command Prompt or PowerShell and see if there is a network that encompasses the IP addresses for Computer A (a destination of 0.0.0.0 and netmask of 0.0.0.0 encompasses any address). If there is no route to Computer A's network, not even a quad-zeros route, this is your issue. This would be a simple fix with "route add ddd.ddd.ddd.ddd mask sss.sss.sss.sss nnn.nnn.nnn.nnn metric # -p", where the "d" is the destination network (i.e. 11.10.26.0) or single IP (11.10.26.10), "s" is the subnet mask for the network (255.255.255.0) or single IP (255.255.255.255), "n" is the next hop IP address (or gateway that knows about the destination network), and # is the desired metric for the route (compare metrics from the route print output... a lower metric is preferred first). If Computer B is Linux based, depending on the flavor, "ip route" or "ip route show" should show you the routes. To modify them, follow the instructions at https://www.cyberciti.biz/tips/configuring-static-routes-in-debian-or-red-hat-linux-systems.html

No admin that configures a network based or host based firewall likes to admit that the firewall he/she configured is blocking certain traffic. This is probably the issue since Computer C has no problems connecting. This means that Computer B is probably blocking certain outgoing traffic to Computer A's network or unique IP. Probably the easiest way to 100% know that it's the firewall is to look at the firewall log (if the admin configured logging). You can also add a rule that matches and allows Computer A's network/IP at the top of the firewall rule list on ports 500, 50, or whichever ports you are using to connect using AnyConnect. I would also include ICMP for testing purposes. Another diagnostic step you could take is to monitor response traffic on a device between Computer B and Computer A. You should see Computer A talking to Computer B and you should also see Computer B talking back to Computer A on ALL ports that Computer A is requesting. Most security guys allow only the minimum amount of traffic needed for endpoints to properly communicate (and they should always keep this mindset). However, there are times when this mindset takes a toll on the Availability portion of the CIA triad. Sometimes security folks forget to include one or two firewall rules here and there. No admin is perfect. Please let us know what the fix is once you figure it out.

Eddie Duran

Posted 2019-07-29T19:12:58.097

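As an added example (not from the question or the answer above), a small Python check for the route-table step the answer describes: it parses a constructed Windows "route print" Active Routes section, finds the route Windows would pick for an address (longest prefix first, then lowest metric), reports whether only the quad-zero default covers it or nothing does, and fills in the "route add ... -p" form from the answer. All addresses in the sample are invented.

```python
import ipaddress
import re

# Constructed sample of the "Active Routes" section of a Windows "route print";
# the addresses are invented and are not from the post.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
       11.10.26.0    255.255.255.0         On-link       11.10.26.10      2
"""

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Return the IPv4 routes in route-print output as dicts (headers skipped)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway, "interface": iface, "metric": int(metric)})
    return routes

def best_route(routes, ip):
    """Route Windows would pick for ip: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r["network"]]
    hits.sort(key=lambda r: (-r["network"].prefixlen, r["metric"]))
    return hits[0] if hits else None  # None: not even a quad-zero default

def classify(routes, ip):
    """'none' = no route, 'default' = only 0.0.0.0/0 covers ip, 'specific' = narrower route."""
    r = best_route(routes, ip)
    if r is None:
        return "none"
    return "default" if r["network"].prefixlen == 0 else "specific"

def suggest_route_add(network, gateway, metric):
    """Fill in the persistent 'route add' command form given in the answer."""
    net = ipaddress.IPv4Network(network, strict=False)
    return f"route add {net.network_address} mask {net.netmask} {gateway} metric {metric} -p"
```

Run it against the real output of "route print" on the machine that fails to reply; a result of "none" or "default" for the peer's VPN address is the missing-route case the answer describes.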

Hey, thanks for the response. I will go through the information and pass on to relevant parties. I appreciate your time, and will get back with you once we have gone through the information. – jmcclure – 2019-07-30T12:36:08.740

Hey, waiting on Company B to be available to do a route print from their side, but I have added some additional information to the post. – jmcclure – 2019-08-01T16:39:40.677