VPN 3000 and Unidirectional traffic behind firewall

Apr 30th, 2007

Here is a strange one .. I have a VPN3030 Concentrator (Version 4.1.4) to which I am able to connect without issue. The problem is that traffic is flowing in only 1 direction: according to the client (version 4.0.3C), it flows in the transmit to the concentrator, but not the receive. My client is sitting behind a PIX 501. I have opened everything up on the PIX and it still behaves the same way. Now, when I bypass the PIX and run the PPPoE client on my laptop, it connects and traffic flows in both directions. I am troubleshooting this for a customer who is not using PIX everywhere - they have several Watchguard firewalls deployed and they behave in the same manner. One point of note is that this problem does not happen to everyone .. only a handful of users with nothing in common except for the concentrator.

If anyone has seen this or has any insight/suggestions, it would be greatly appreciated.


acomiskey Mon, 04/30/2007 - 12:42

Maybe a nat-traversal problem?

pstuder Mon, 04/30/2007 - 17:32

Well, we looked at that initially and when we enabled NAT-T on the concentrator, I was not able to connect at all. My firewall has "fixup protocol ike-esp" configured as well as "isakmp nat-traversal 20". According to the concentrator, phase 2 completes and the tunnel is up ... just not passing traffic for some reason.

pstuder Tue, 05/01/2007 - 12:13

Found the issue .. the firewall sitting in front of the concentrator did not have UDP 4500 open. Once we opened that, amazing ... it worked. RTFI.
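
Added example (not part of the original thread): a Python check for the symptom discussed here, run over packet records taken from a capture. It applies the RFC 3948 framing on UDP 4500 (four zero bytes before IKE, a single 0xFF keepalive, otherwise ESP) to find peers whose ESP-in-UDP flows in one direction only; the addresses, ports and payloads are constructed sample data and the function names are hypothetical.

```python
from collections import defaultdict

NATT_PORT = 4500  # UDP port used for NAT-T encapsulation (RFC 3948)

def classify_natt(payload: bytes) -> str:
    """Classify a UDP/4500 payload by its RFC 3948 framing."""
    if payload == b"\xff":
        return "keepalive"            # one-byte NAT keepalive
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                  # non-ESP marker, IKE message follows
    return "esp"                      # first four bytes are a non-zero SPI

def one_way_peers(packets, concentrator):
    """Map each peer to a finding when its ESP-in-UDP flows in one direction only.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    """
    counts = defaultdict(lambda: {"to": 0, "from": 0})
    for src, sport, dst, dport, payload in packets:
        if dst == concentrator and dport == NATT_PORT:
            peer, direction = src, "to"
        elif src == concentrator and sport == NATT_PORT:
            peer, direction = dst, "from"
        else:
            continue                  # not NAT-T traffic for this concentrator
        if classify_natt(payload) == "esp":
            counts[peer][direction] += 1
    findings = {}
    for peer, c in counts.items():
        if c["to"] and not c["from"]:
            findings[peer] = "ESP sent to concentrator, none returned"
        elif c["from"] and not c["to"]:
            findings[peer] = "ESP returned by concentrator, none sent"
    return findings

# Constructed sample records (documentation address ranges, made-up payloads).
ESP = bytes.fromhex("1a2b3c4d00000001") + b"\x00" * 16   # SPI, sequence, filler
IKE = b"\x00" * 4 + b"\x11" * 28                         # non-ESP marker + filler
SAMPLE = [
    ("198.51.100.7", 31022, "192.0.2.10", 4500, IKE),
    ("192.0.2.10", 4500, "198.51.100.7", 31022, IKE),
    ("198.51.100.7", 31022, "192.0.2.10", 4500, ESP),    # data out, nothing back
    ("198.51.100.7", 31022, "192.0.2.10", 4500, b"\xff"),
    ("203.0.113.9", 4500, "192.0.2.10", 4500, ESP),
    ("192.0.2.10", 4500, "203.0.113.9", 4500, ESP),      # healthy peer
]

if __name__ == "__main__":
    print(one_way_peers(SAMPLE, "192.0.2.10"))
```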

