VPN client can't pass traffic

Jun 14th, 2007

VPN 4.x Client (IPSEC/UDP) can connect to an IOS router 12.4 and authenticate successfully but can't ping or telnet to devices.


This configuration was fully tested in a simulated environment and worked using the actual IP addresses and devices to be deployed in production. The device was moved into production and now the VPN client cannot even contact the IOS VPN peer when using IPSEC/UDP; however, it can connect and authenticate using only IPSEC but still cannot pass traffic.


I went back to the simulated environment and it works fine. I thought maybe MTU or NAT-T, but can't seem to get it working.



Any ideas?

Jon Marshall Thu, 06/14/2007 - 23:05

Hi


Is there a device between your client and the router that does PAT on the traffic? If so, this might be the difference between your test setup and your prod one.


If this is the case you will need to enable NAT-T - have you already tried this?


Jon

paulcian_2 Fri, 06/15/2007 - 03:34

In the lab I have the VPN client behind a Linksys router and it does work with IPSEC/UDP.

Jon Marshall Fri, 06/15/2007 - 04:04

Is the Linksys router doing port address translation? The symptom you describe in your prod environment is typical of a NAT traversal issue, i.e. you can connect but no traffic passes.


The other thing to check would be routing. Do the destination machines know how to get back to the VPN clients?


Jon

paulcian_2 Fri, 06/15/2007 - 04:43

I just put the Lab IOS router device on an Internet connection and from a VPN Client that was dialed up to another ISP I was able to connect and pass traffic. As soon as I try the production router, still no good. Any chance it is an ISP issue?


Thanks for your responses

Jon Marshall Fri, 06/15/2007 - 05:15

It is unlikely to be the ISP as they don't usually block IPSEC traffic.


Do you see any IPSEC connection attempts on your prod router when you try and connect?


Could you send a copy of both configs of the lab and prod router if possible (minus any sensitive information).


Jon

paulcian_2 Fri, 06/15/2007 - 15:31

After some debugs it turns out that UDP port 4500 needed to be opened.
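The fix reported above (UDP 4500 open) is the NAT-T flow suspected earlier in the thread: IKE on UDP 500 negotiates fine, so the client authenticates, but the NAT-T encapsulated ESP on UDP 4500 is dropped, so no traffic passes. The following is an added example, not code from the thread or from Cisco: a small audit that parses an IOS-style extended ACL and reports which of the three flows an IPsec/NAT-T peer needs (UDP 500, UDP 4500, ESP) are not permitted toward the peer. The ACL text and the peer address 192.0.2.1 are constructed placeholders; the thread does not give the real configuration.

```python
"""Audit an IOS-style extended ACL for the inbound flows an IPsec/NAT-T peer needs."""

# Flows the VPN peer must accept: ISAKMP (UDP 500), NAT-T (UDP 4500,
# IOS keyword non500-isakmp) and the ESP protocol itself (IP proto 50).
REQUIRED = {
    "udp/500": ("udp", {"500", "isakmp"}),
    "udp/4500": ("udp", {"4500", "non500-isakmp"}),
    "esp": ("esp", None),
}

# Constructed "before" ACL: IKE negotiates, but NAT-T traffic is dropped.
ACL_BEFORE = """
ip access-list extended OUTSIDE_IN
 permit udp any host 192.0.2.1 eq isakmp
 permit esp any host 192.0.2.1
 deny ip any any log
"""

# Constructed "after" ACL with UDP 4500 opened, as in the thread's fix.
ACL_AFTER = """
ip access-list extended OUTSIDE_IN
 permit udp any host 192.0.2.1 eq isakmp
 permit udp any host 192.0.2.1 eq non500-isakmp
 permit esp any host 192.0.2.1
 deny ip any any log
"""

def _addr(tokens):
    """Consume one IOS address spec: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]

def parse_permits(acl_text):
    """Return (proto, dst, port) for each permit entry; deny and header lines are skipped."""
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "permit":
            continue
        proto, rest = tok[1], tok[2:]
        _, rest = _addr(rest)  # source address, not needed for this check
        dst, rest = _addr(rest)
        port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((proto, dst, port))
    return entries

def missing_vpn_flows(acl_text, peer):
    """Return the REQUIRED flow names the ACL does not permit toward `peer`."""
    permits = parse_permits(acl_text)
    missing = []
    for name, (proto, ports) in REQUIRED.items():
        covered = any(
            dst in ("any", peer)
            and (p == "ip" or (p == proto and (ports is None or port is None or port in ports)))
            for p, dst, port in permits
        )
        if not covered:
            missing.append(name)
    return missing

if __name__ == "__main__":
    print("before:", missing_vpn_flows(ACL_BEFORE, "192.0.2.1"))  # ['udp/4500']
    print("after: ", missing_vpn_flows(ACL_AFTER, "192.0.2.1"))   # []
```

A `permit ip any any` entry or a UDP permit with no `eq` port counts as covering the flow, since IOS matches all ports in those cases.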
