Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
305
Views
0
Helpful
6
Replies

VPN client can't pass traffic

paulcian_2
Level 1
Level 1

‎06-14-2007 07:15 PM - edited ‎02-21-2020 03:06 PM

VPN 4.x Client (IPSEC/UDP) can connect to an IOS router 12.4 and authenticate successfully but can't ping and telnet to devices.

This configuration was fully tested in a simulated environment and worked using actual ip addresses and devices to be deployed in production. The device was moved into production and now the VPN client cannot even contact the IOS VPN peer when using IPSEC/UDP, however they can connect and authenticate using only IPSEC but still cannot pass traffic.

I went back to the simulated environment and it works fine. I thought maybe MTU or NAT-T but can't seem to get it working.

Any ideas??

Labels:
0 Helpful
6 Replies 6

Jon Marshall
Hall of Fame
Hall of Fame

‎06-14-2007 11:05 PM

Hi

Is there a device between your client and the router that does PAT on the traffic. If so this might be the difference between your test setup and your prod one.

If this is the case you will need to enable NAT-T - have you already tried this ?

Jon

0 Helpful

paulcian_2
Level 1
Level 1
In response to Jon Marshall

‎06-15-2007 03:34 AM

In the lab I have the VPN client behind a Linksys router and it does work with IPSEC/UDP.

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to paulcian_2

‎06-15-2007 04:04 AM

Is the linksys router doing port address translation. The symptom you describe in your prod environment is typical of a nat traversal issue ie you can connect but no traffic passes.

The other thing to check would be routing. Do the destination machines know how to get back to the VPN clients.

Jon

0 Helpful

paulcian_2
Level 1
Level 1
In response to Jon Marshall

‎06-15-2007 04:43 AM

I just put the Lab IOS router device on an Internet connection and from a VPN Client that was dialed up to another ISP I was able to connect and pass traffic. As soon as I try

the production router still no good. Any chance it is an ISP issue?

Thanks for your responses

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to paulcian_2

‎06-15-2007 05:15 AM

It is unlikely to be the ISP as they don't usually block IPSEC traffic.

Do you see any IPSEC connection attempts on your prod router when you try and connect.

Could you send copy of both configs of lab and prod router if possible (minus any sensitive information).

Jon

0 Helpful

paulcian_2
Level 1
Level 1
In response to Jon Marshall

‎06-15-2007 03:31 PM

After some debugs it turns out that UDP port 4500 needed to opened.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents