12-12-2007 12:30 PM - edited 02-21-2020 03:25 PM
Cisco VPN Client 5.0.02.0090
Connecting to ASA5520
Using NTAuth to authenticate.
The clients are using Sierra Wireless 595 aircards. Attached is my ASA running config. The tunnel group PDClient is reporting the intermittent problem. I have also had the problem here and there. The default gateway on the client disappears. I do not see anything on the ASA; I see the client as still connected. I push a proxy setting from the ASA so that all traffic comes into our web filtering St.Bernard.
12-12-2007 01:23 PM
Hi Mis
Please try adding the following configuration
no access-list inside_nat0_outbound extended permit ip 10.8.202.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 192.168.0.0 255.255.0.0 object-group PDClient
group-policy PDClient attributes
no split-tunnel-policy tunnelall
no split-tunnel-network-list none
split-tunnel-policy tunnelspecified
split-tunnel-network-list PDClient_Split
Regards
12-13-2007 06:16 AM
I did the above and of course it broke some applications going to non-192.168.0.0 IPs.
So I did add, for example, 10.8.0.0/16 to the permit. Now I am unable to use VNC or even ping from the 192.168.1.0 network.
From the laptop I can ping the 192.168.0.0 network. Any ideas?
12-13-2007 07:25 AM
Now I can access all my network resources. Windows Firewall was blocking. Sorry. I also had the subnet mask for allowing access to my 10.8 network. I am going to have to wait on reports from the field if they are continuing to drop.
12-14-2007 03:13 AM
Add the non-192.168.0.0 networks in the following lines, like:
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 object-group PDClient
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 192.168.0.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 192.168.1.0 255.255.0.0 object-group PDClient
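The ACL lines in this thread each pair a network address with a mask, and those pairs decide which traffic is NAT-exempt and which is sent through the tunnel. The following is an added example, not code from any poster or from Cisco: a check that flags entries whose address has bits set outside the mask, or whose mask is non-contiguous. The function name and the last sample line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of the lines posted in this thread.
# The last line (non-contiguous mask) is made up to exercise the check.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 object-group PDClient
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 192.168.0.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 10.8.0.0 255.255.0.0 object-group PDClient
access-list PDClient_Split permit ip 10.8.202.0 255.0.255.0 object-group PDClient
"""

# Matches "access-list NAME [extended] permit|deny ip ADDR MASK ..."
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?(?:permit|deny)\s+ip\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\b"
)

def check_acl_sources(config_text):
    """Return (line number, ACL name, message) for suspicious address/mask pairs."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        addr = int(ipaddress.IPv4Address(m["addr"]))
        mask = int(ipaddress.IPv4Address(m["mask"]))
        inv = mask ^ 0xFFFFFFFF
        # A contiguous mask inverts to 0...01...1, so inv & (inv + 1) == 0.
        if inv & (inv + 1):
            findings.append((lineno, m["name"], f"non-contiguous mask {m['mask']}"))
            continue
        # Bits set outside the mask: the written address is not the network
        # the entry actually covers.
        if addr & inv:
            net = ipaddress.IPv4Address(addr & mask)
            prefix = bin(mask).count("1")
            findings.append((lineno, m["name"],
                             f"{m['addr']} {m['mask']} has host bits set; covers {net}/{prefix}"))
    return findings

if __name__ == "__main__":
    for lineno, name, msg in check_acl_sources(SAMPLE_CONFIG):
        print(f"line {lineno} [{name}]: {msg}")
```

Running it over an exported running config before pushing a split-tunnel change shows whether each entry covers the range its address suggests.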
12-14-2007 05:45 AM
I added the group of PDVCSO to the permit. It is working. I am waiting on my field officers to report back to me. I will let you know the outcome. What difference should it make forcing all traffic, like my original config, compared to only the selected traffic when I am forcing everything through the proxy server?
12-14-2007 07:27 AM
Your remote clients go to the internet through the VPN tunnel into your web filtering St.Bernard? In this case my solution won't work. I think I confused this with another question; the above solution is for VPDN clients that lose local network connectivity. I apologize.
I assume what you are talking about is "Error 433" and "Error 412 remote peer no longer responding" on the VPN client side, which I encountered in another project of mine. I thought this was about idle-timeout and added the following:
group-policy policynamehere attributes
vpn-idle-timeout 10080
10080 minutes, pretty good, but no, this is not the issue (I hope you solve yours with just setting the timeout value above). Clients were having trouble with their local net, short disconnects or leakages in internet connectivity, and they were getting disconnected.
The first solution that I came up with was "Auto-initiation".
That was OK, but when the client disconnects, the error was popping up and auto-initiation would not function until someone clicks OK on that error. After clicking OK, the tunnel is up again in a few seconds. Maybe running the VPN client fully in CLI mode prevents that pop-up and fixes your issue.
If you ask how I ended up with the project: we asked Checkpoint to modify Secureclient for us to achieve what we want, and we deployed Checkpoint in the end. Cisco did not accept modifying their GUI software.
Regards