Cisco AnyConnect VPN Fails – Suspected NAT/Asymmetric Routing Issue

Started by hibbeldi, March 10, 2025, 08:11:05 PM

Hello everyone,

I am having trouble connecting to my firm's network using the Cisco AnyConnect VPN client on my laptop, which is connected directly to one of several interfaces on my OPNsense system.

The Situation:
Laptop with Cisco AnyConnect: The VPN client does not establish a connection.

Other VPN (Barracuda): On another computer, Barracuda VPN works fine.
Firewall Testing: I temporarily set all firewall rules to "any/any" (i.e. allow all traffic) and internet access works normally.
NAT Settings: I have tried both automatic and hybrid outbound NAT modes without success (with static ports and without).

Suspected Issue: Despite the open firewall, the Cisco AnyConnect connection still fails. I suspect that a NAT misconfiguration or asymmetric routing (where return traffic does not follow the same path as outbound traffic) is causing state/NAT translation mismatches (with floating rules I don't get blocks of TCP traffic anymore, but no connection either).

Request for Help:
Has anyone experienced similar issues with Cisco AnyConnect in an OPNsense environment?

What adjustments to NAT or routing settings might resolve this?
Are there additional logs or tests that could help pinpoint the problem?
Any tips on handling potential asymmetric routing issues in multi-interface setups?

My WAN is from a fibre modem (PPPoE), just one WAN, no fancy stuff, only a bunch of VLANs. The laptop is connected with a LAN port directly on the OPNsense (untagged).

Thanks in advance for your assistance!

Quote from: hibbeldi on March 10, 2025, 08:11:05 PM
Laptop with Cisco AnyConnect: The VPN client does not establish a connection.

What do you get exactly, when trying to connect?
Does it run into a timeout?

There is nothing special needed concerning routing or NAT. The client just has to use the default route.

Use the port checker on OPNsense to verify if you can even reach the server.
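The original poster asked which logs or tests could pinpoint the problem, and this reply points at reachability first. The script below is an added example, not code from the thread or from the OPNsense project: it reads OPNsense firewall log lines (the filterlog CSV payload, with or without the syslog header) and separates the two failure signatures that look identical in the GUI. A blocked pure SYN toward the VPN server means a rule rejects new connections; a blocked packet that is already mid-conversation (ACK, PSH, FIN, or the server's SYN-ACK arriving on WAN) means pf has no state for it, which is what asymmetric routing or a NAT mismatch produces. The CSV column order is the IPv4 filterlog layout as documented for OPNsense and is an assumption here; check it against Firewall: Log Files: Plain View on your own box before trusting the field indices. The sample log lines, the hosts 192.0.2.10 and 203.0.113.5 and the interfaces igb1 and pppoe0 are all constructed for the example.

```python
import csv
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample filterlog entries (NOT taken from the thread). Assumed IPv4 layout:
#   rulenr,subrulenr,anchorname,label,interface,reason,action,dir,ipversion,
#   tos,ecn,ttl,id,offset,ipflags,protonum,protoname,length,src,dst,
#   srcport,dstport,datalen,tcpflags,seq,ack,window,urg,options   (TCP)
#   srcport,dstport,datalen                                        (UDP)
# Hypothetical hosts: laptop 192.0.2.10 on igb1 (LAN), VPN concentrator 203.0.113.5, WAN pppoe0.
SAMPLE_LOG = [
    # new TCP/443 connection from the laptop is allowed on LAN: fine
    '12,,,9a1b2c3d,igb1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51512,443,0,S,1,0,65535,,mss',
    # a later ACK of the same flow blocked on LAN: pf lost or never had the state
    '5,,,,igb1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,52,192.0.2.10,203.0.113.5,51512,443,0,A,2,1,1024,,',
    # server reply arriving on WAN (full syslog line) without a matching state
    '<134>1 2025-03-10T20:12:02+01:00 opnsense filterlog 41112 - [meta sequenceId="3"] '
    '5,,,,pppoe0,match,block,in,4,0x0,,54,2001,0,DF,6,tcp,52,203.0.113.5,192.0.2.10,443,51512,0,PA,1,2,1024,,',
    # DTLS (UDP/443) from the laptop blocked outright
    '5,,,,igb1,match,block,in,4,0x0,,64,1003,0,DF,17,udp,120,192.0.2.10,203.0.113.5,51513,443,100',
]

# The CSV payload starts with the numeric pf rule number; this skips any syslog prefix.
PAYLOAD_RE = re.compile(r"(?:^|\s)(\d+,.*)$")


@dataclass
class Entry:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tcpflags: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one filterlog line; returns None for anything that is not IPv4 TCP/UDP."""
    m = PAYLOAD_RE.search(line.strip())
    if not m:
        return None
    f = next(csv.reader([m.group(1)]))
    if len(f) < 22 or f[8] != "4":
        return None  # IPv6 records carry a different header; out of scope here
    proto = f[16]
    if proto not in ("tcp", "udp"):
        return None
    return Entry(
        interface=f[4], action=f[6], direction=f[7], proto=proto,
        src=f[18], dst=f[19], sport=int(f[20]), dport=int(f[21]),
        tcpflags=f[23] if proto == "tcp" and len(f) > 23 else "",
    )


def classify(e: Entry) -> str:
    """Say what a blocked packet tells us about the flow it belongs to."""
    if e.action != "block":
        return "passed"
    if e.proto == "tcp":
        # Pure SYN blocked: a rule refuses new connections (policy problem).
        # Anything else blocked: no state for a mid-stream packet (routing/NAT problem).
        if "S" in e.tcpflags and "A" not in e.tcpflags:
            return "handshake-blocked"
        return "out-of-state"
    return "blocked"


def vpn_related(e: Entry, vpn_host: str, ports: Tuple[int, ...] = (443,)) -> bool:
    """True if the packet goes to, or comes from, the VPN server's service ports."""
    return (e.dst == vpn_host and e.dport in ports) or (e.src == vpn_host and e.sport in ports)


def analyse(lines: Iterable[str], vpn_host: str) -> Dict[str, int]:
    """Count VPN-related packets per interface/direction/protocol/verdict."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or not vpn_related(e, vpn_host):
            continue
        counts[f"{e.interface}/{e.direction}/{e.proto}/{classify(e)}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in sorted(analyse(SAMPLE_LOG, "203.0.113.5").items()):
        print(f"{n:4d}  {key}")
```

Reading the result: "out-of-state" blocks on the LAN interface for packets the laptop sends mean the state created by the SYN is gone (or was never created because a floating rule passed the SYN without keeping state); "out-of-state" blocks on the WAN interface for the server's replies mean the reply is coming back on a path pf did not expect. A "blocked" UDP/443 count with healthy TCP explains a client that authenticates and then hangs, since AnyConnect falls back from DTLS only after a delay. Plain "handshake-blocked" counts point at a rule, not at routing.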

Were you able to solve this? I'm having the same issue.

On my wife's, there's a window that pops up where it's supposed to handle credentials, but that window just stays white and times out, and eventually the whole connection times out. I had her try it on her mobile hotspot, and it worked perfectly.