AnyConnect VPN to Cisco ESR behind MAX BR1 Issue

Hello there,

I’m having an issue establishing an IPsec IKEv2 connection using AnyConnect between a client and our AnyConnect server in a Cisco ESR located behind a Palo Alto VM firewall, which is itself behind a MAX BR1.

I have a public static IP for both my client and the MAX BR1.

I have the following:

MAX BR1 as the front, using cellular WAN with a public static IP address (let’s say XXX.XXX.XXX.XXX).
The Peplink is directly connected to a virtualized Palo Alto firewall on a /30 subnet.
The firewall is then directly linked to our Cisco ESR with AnyConnect on a /30 subnet.

If the client is using the WiFi LAN from the MAX BR1, we have no issue. The VPN comes up and everything is fine, so we don’t have any firewall policy issue with the Palo Alto at that point.

The issue occurs when we try to connect from the WAN. It looks like the first handshakes are pre-empted or denied by the Peplink before they can even reach the LAN (the traffic is not going through).

The Peplink is configured as follows:

  • We are routing everything to the firewall interface via a VLAN.
  • Default Outbound Policies
  • TLS/SSL, SSL redirection, DTLS, IPsec and IKEv2 ports are redirected toward our router interface IP address (the one facing the firewall, where we are listening for VPN connections)
  • NAT Mapping to that same router interface IP address.
  • No Peplink access-rules (everything is allowed)
  • No content blocking
  • No Remote User Access

We have checked a couple of things first:

  • WAN IP address is reachable from the ESR port (looks like there is no routing issue).
  • I can ping each WAN IP address from the internet.
  • We have also run some tests without the Palo Alto firewall, with the same results…

We seem unable to reach the LAN via the WAN when trying to authenticate, as if the VPN connection wasn’t being forwarded.

Is there a solution to allow the VPN connection to pass through the Peplink and then reach the server on the LAN?

Best Regards.
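One way to pin down where the handshake stops is to capture IKEv2 on both sides of the BR1 (WAN interface and the VLAN facing the firewall/ESR) and correlate the two captures. The script below is an added example, not part of the post or of any Peplink/Cisco tooling; it parses `tcpdump -n` style lines and reports whether the client's IKE_SA_INIT was forwarded, answered, and returned. The sample capture lines and addresses (client 203.0.113.10, BR1 WAN 198.51.100.5, ESR interface 10.0.0.2) are constructed, not real.

```python
import re

# tcpdump -n output for IKEv2: IKE on UDP/500, NAT-T (NONESP-encap) on UDP/4500.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:NONESP-encap: )?isakmp: parent_sa (?P<exch>ikev2_\w+)\[(?P<role>[IR])\]"
)

def parse_ikev2(capture: str) -> list[dict]:
    """Return the IKEv2 packets found in a tcpdump text capture; other lines are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def check_forwarding(wan_capture: str, lan_capture: str, client_ip: str) -> dict:
    """Follow one client's IKEv2 handshake across the BR1: WAN side vs. ESR-facing side."""
    wan, lan = parse_ikev2(wan_capture), parse_ikev2(lan_capture)
    from_client = lambda p: p["src"] == client_ip and p["role"] == "I"  # initiator requests
    to_client = lambda p: p["dst"] == client_ip and p["role"] == "R"    # responder replies
    r = {
        "wan_requests": sum(map(from_client, wan)),
        "lan_requests": sum(map(from_client, lan)),   # survived the port forward?
        "lan_responses": sum(map(to_client, lan)),    # did the ESR answer?
        "wan_responses": sum(map(to_client, wan)),    # did the answer get back out?
        "wan_ports": sorted({p["dport"] for p in wan if from_client(p)}),  # 500 and/or 4500
    }
    if r["wan_requests"] == 0:
        r["verdict"] = "no IKEv2 from client reached the BR1 WAN"
    elif r["lan_requests"] == 0:
        r["verdict"] = "dropped at the BR1: requests never forwarded to the ESR side"
    elif r["lan_responses"] == 0:
        r["verdict"] = "forwarded but unanswered: check the ESR / firewall path"
    elif r["wan_responses"] == 0:
        r["verdict"] = "ESR answered but reply never left the WAN: check return NAT/route"
    else:
        r["verdict"] = "handshake traverses the BR1 in both directions"
    return r

# Constructed sample (not a real capture): two IKE_SA_INIT retries seen on the WAN,
# nothing on the ESR-facing side, which is the symptom described in the post.
WAN_ONLY = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
12:00:03.000001 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: parent_sa ikev2_init[I]
"""
LAN_EMPTY = ""
```

Run `check_forwarding(WAN_ONLY, LAN_EMPTY, "203.0.113.10")` to see the "dropped at the BR1" verdict; with a capture that shows UDP/4500 too, `wan_ports` tells you whether NAT-T is in play and therefore whether both ports need forwarding.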