Inconsistent connectivity via SSL VPN.

Unanswered Question
Feb 5th, 2007

I am a novice at Cisco hardware and have been trying to troubleshoot our VPN issues for the last few weeks.

We had a vendor perform a vanilla install of the following setup for our network:

- Cisco 2800 Perimeter Router
- Cisco ASA
- a clustered set of Cisco 3500 switches that were already in place, no virtual networks, no ACLs
- Win2K3 domain
- Exchange 2K3

We went with the SSL VPN and hardware token for our initial VPN setup. There are no rules set up on the VPN; end users have full access to the network (we plan to lock it down once we get things running smoothly).

When an end user connects through the VPN, the SSL VPN client installs and appears to be functioning correctly. However, some services are not available through the network, or sometimes work, sometimes do not.

For instance, I can access windows shares (though it takes a long time) and remote desktop into our servers. We also have an Enterprise application that uses SQL Server and functions correctly.

However, some applications do not work. Our Outlook clients do not see the Exchange server and some of our Enterprise applications that use SQL Server either do not work or take up to 5 minutes to open.

All of our systems work perfectly inside the perimeter network.

We have been left in the lurch by our vendor who installed our systems then bailed out when we asked them to help troubleshoot.

On our own, we found that if the Cisco IPsec client is installed, the SSL VPN works perfectly! All services are available and are very fast! This is the case even though the IPsec client isn't running; in fact, it's not even configured to run properly on the ASA.

We don't want to have to install the IPsec client on all our mobile systems, so that is not an ideal solution.

Anyone with ideas about what might be at the root of our SSL VPN problems?

mwhite004 Mon, 03/05/2007 - 11:41

We have found out what the issue was and have a temporary fix until we can get to the root of the problem.

Seems that Kerberos UDP packets are getting blocked somewhere along the line. By changing a registry setting on the remote computer we can force Kerberos to transmit over TCP instead of UDP and this clears up all of our issues.

http://support.microsoft.com/kb/244474

Next step is to figure out where UDP is getting dropped so we don't need to have this patch. We think it's the ASA.
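As an added example (not part of the thread), the registry change the KB article above describes, in PowerShell: the value is MaxPacketSize under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, and setting it to 1 makes the Windows Kerberos client send every request over TCP. The revert function is there for removing the workaround again once the UDP drop is found; the function names are my own.

```powershell
# Added example, not from the thread. Applies the KB 244474 workaround (Kerberos over TCP)
# and lets you revert it later. Run elevated; affects new ticket requests, so purge cached
# tickets (klist purge) or reboot the client after changing it.
$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Name    = 'MaxPacketSize'

function Get-KerberosTransportSetting {
    # Returns the current MaxPacketSize, or $null when the value is absent (OS default).
    $props = Get-ItemProperty -Path $KerbKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$Name) { return $null }
    return [int]$props.$Name
}

function Set-KerberosUseTcp {
    # MaxPacketSize = 1: any request larger than 1 byte uses TCP, i.e. all of them.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    $previous = Get-KerberosTransportSetting
    Set-ItemProperty -Path $KerbKey -Name $Name -Value 1 -Type DWord
    $was = if ($null -eq $previous) { 'not set' } else { $previous }
    Write-Host "MaxPacketSize set to 1 (was: $was)"
}

function Remove-KerberosUseTcp {
    # Deletes the override so the client returns to the OS default transport selection.
    if ($null -ne (Get-KerberosTransportSetting)) {
        Remove-ItemProperty -Path $KerbKey -Name $Name
        Write-Host 'MaxPacketSize override removed'
    }
}

# Usage (as administrator):
#   Set-KerberosUseTcp               # apply the workaround on the remote PC
#   Get-KerberosTransportSetting     # verify: should return 1
#   Remove-KerberosUseTcp            # once the UDP drop in the path is fixed
```

Windows Vista and later already default to TCP for Kerberos, so this override only matters on the older clients discussed in this thread.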

rduke Wed, 03/07/2007 - 07:44

We had the same problem on an IOS firewall when using SSL VPN client. The registry change fixed it for us.

Randy

ishah Mon, 04/09/2007 - 15:05

Hi guys,

There is a bug in the SSL VPN client with how it processes the packets.

We found this out and TAC reproduced it. Apparently the fix won't be until the ASA 8.0 code comes out.

That will mean an updated client that should probably solve your problem.

mwhite004 Mon, 04/09/2007 - 16:28

Thanks for the update. Hopefully once the fix is in place we can remove the registry edit from all our PCs.
