02-05-2007 04:11 PM - edited 02-21-2020 02:51 PM
I am a novice at Cisco hardware and have been trying to troubleshoot our VPN issues for the last few weeks.
We had a vendor perform a vanilla install of the following setup for our network:
- Cisco 2800 Perimeter Router
- Cisco ASA
- a clustered set of Cisco 3500 switches that were already in place, no virtual networks, no ACLs.
- Win2K3 domain
- Exchange 2K3
We went with the SSL VPN and hardware token for our initial VPN setup. There are no rules set up on the VPN; end users have full access to the network (we plan to lock it down once we get things running smoothly).
When an end user connects through the VPN, the SSL VPN client installs and appears to be functioning correctly. However, some services are not available through the network, or sometimes work, sometimes do not.
For instance, I can access Windows shares (though it takes a long time) and remote desktop into our servers. We also have an Enterprise application that uses SQL Server and functions correctly.
However, some applications do not work. Our Outlook clients do not see the Exchange server and some of our Enterprise applications that use SQL Server either do not work or take up to 5 minutes to open.
All of our systems work perfectly inside the perimeter network.
We have been left in the lurch by our vendor who installed our systems then bailed out when we asked them to help troubleshoot.
On our own, we found that if the Cisco IPsec client is installed, the SSL VPN works perfectly! All services are available and are very fast! This is the case even though the IPsec client isn't running; in fact, it's not even configured to run properly on the ASA.
We don't want to have to install the IPsec client on all our mobile systems, so that is not an ideal solution.
Anyone with ideas about what might be at the root of our SSL VPN problems?
02-09-2007 11:00 AM
Which IOS version are you using on the ASA? Check this bug ID: CSCse29700.
Try these links:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_1/conf_gd/svc.htm
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
03-05-2007 11:41 AM
We have found out what the issue was and have a temporary fix until we can get to the root of the problem.
Seems that Kerberos UDP packets are getting blocked somewhere along the line. By changing a registry setting on the remote computer we can force Kerberos to transmit over TCP instead of UDP and this clears up all of our issues.
http://support.microsoft.com/kb/244474
Next step is to figure out where UDP is getting dropped so we don't need to have this patch. We think it's the ASA.
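
The registry change from KB244474 mentioned in this post, as an added PowerShell example that is not part of the original thread: it audits the Kerberos `MaxPacketSize` value, sets it to 1 to force TCP, and can revert it once the workaround is no longer needed. The function names are hypothetical, and the script assumes an elevated session on the remote PC.

```powershell
# Added example (not from the thread): audit, apply and revert the KB244474
# setting that makes the Windows Kerberos client use TCP instead of UDP.
# Function names are hypothetical. Run from an elevated session.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'MaxPacketSize'   # REG_DWORD documented in KB244474

function Get-KerberosTransport {
    # Report the configured value and whether it matches the KB244474 workaround.
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    $size = if ($item) { [int]$item.$ValueName } else { $null }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        MaxPacketSize = $size
        ForcesTcp     = ($size -eq 1)   # 1 = every Kerberos message goes over TCP
        Source        = if ($null -eq $size) { 'OS default (value not set)' } else { 'Registry' }
    }
}

function Set-KerberosTcpOnly {
    # Apply the workaround; supports -WhatIf so a rollout can be rehearsed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ((Get-KerberosTransport).ForcesTcp) { Write-Verbose 'Already forcing TCP.'; return }
    if ($PSCmdlet.ShouldProcess($KerbParams, "Set $ValueName = 1")) {
        if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
        New-ItemProperty -Path $KerbParams -Name $ValueName `
            -PropertyType DWord -Value 1 -Force | Out-Null
        # KB244474 calls for a restart before the change takes effect.
        Write-Warning 'Restart the computer for the new Kerberos transport setting to apply.'
    }
}

function Remove-KerberosTcpOnly {
    # Revert to the OS default once the underlying UDP drop is fixed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($KerbParams, "Remove $ValueName")) {
        Remove-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
        Write-Warning 'Restart the computer to return to the default Kerberos transport.'
    }
}

# Audit first, then rehearse the change without writing anything.
Get-KerberosTransport
Set-KerberosTcpOnly -WhatIf
```

Running `Get-KerberosTransport` across the VPN laptops before and after the rollout gives a record of which machines carry the workaround, which makes the later cleanup easier.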
03-07-2007 07:44 AM
We had the same problem on an IOS firewall when using SSL VPN client. The registry change fixed it for us.
Randy
04-09-2007 03:05 PM
Hi guys,
There is a bug in the SSL VPN client with how it processes the packets.
We found this out and TAC reproduced it. Apparently the fix won't be until the ASA 8.0 code comes out.
That will mean an updated client that should probably solve your problem.
04-09-2007 04:28 PM
Thanks for the update. Hopefully once the fix is in place we can remove the registry edit from all our PCs.