Strange VPN behavior

Unanswered Question
Apr 2nd, 2008

The issue we are seeing is that when users come in via our VPN (PIX 515) they cannot reach one of our servers. They are able to access everything else on our network without any issues. Locally the server is reachable, but if you try to come in through our VPN you just cannot reach it. I should state that this particular server is a bit of an anomaly. We migrated onto a new ISP quite a while ago and, due to the way that our developers wrote some code, I had to leave the NAT statement on the PIX that points to our old ISP's IP address from the inside and outside interfaces. The NAT does not seem to be the issue because the server can be reached from our LAN without any issue using the old IP address. I have added the old network to the VPN pool under split tunneling, as I thought that the remote users were going through the Internet to reach the site rather than through the VPN tunnel. I have configured a static route on the router that faces our ISP directing traffic to the PIX. The VPN is configured with a dynamic policy, so I don't believe that there is a rule issue. As far as I can tell it should be working, so I am just checking to see if anybody here might have some advice or pointers. Any assistance would be greatly appreciated.

sundar.palaniappan Wed, 04/02/2008 - 15:18

If the server is on the same subnet as the other hosts that can be accessed via the VPN, could this be an MTU problem (because of IPsec overhead) that's preventing the application functionality? If the split tunnel policy is configured to allow ICMP to the server, can the users at the remote site ping the server via the VPN connection?

matt_drmmer Thu, 04/03/2008 - 07:03

Thanks for the response. Yes, the server is on the same subnet as other hosts that can be reached. When remote users try to ping it they receive no replies, so I don't believe that it is an MTU issue. I did some Wireshark captures to see if they might show anything of use and found that, when connecting via the VPN, the server does not return any SYN-ACK packets after the client sends the original SYN packet. I did the same capture while connected to the LAN and the server responds, so I am thinking that the issue might be routing related on the server. I am going to see if the server can reach hosts that are connected via the VPN and do some captures on the PIX to see if I can figure out what the packets are doing. Thank you for the suggestion, I did not even think about that being a possibility.
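The diagnostic in the reply above (SYNs from VPN clients that never get a SYN-ACK, while LAN clients do) can be automated over an exported capture. The following is an added example, not code from this thread; the packet records and the LAN / VPN-pool prefixes are constructed, and in practice the records would come from a tshark field export taken on the server.

```python
import ipaddress

# Constructed sample: one record per TCP packet, as exported from a capture
# taken on the server side. All addresses and ports are made up.
SAMPLE_PACKETS = [
    # LAN client: SYN answered with SYN-ACK (healthy handshake)
    {"src": "10.0.0.25", "sport": 50001, "dst": "10.0.0.10", "dport": 443, "flags": "S"},
    {"src": "10.0.0.10", "sport": 443, "dst": "10.0.0.25", "dport": 50001, "flags": "SA"},
    # VPN-pool clients: SYN (and a retransmit) with no SYN-ACK ever returned
    {"src": "172.16.50.7", "sport": 40210, "dst": "10.0.0.10", "dport": 443, "flags": "S"},
    {"src": "172.16.50.7", "sport": 40210, "dst": "10.0.0.10", "dport": 443, "flags": "S"},
    {"src": "172.16.50.9", "sport": 40300, "dst": "10.0.0.10", "dport": 80, "flags": "S"},
]


def unanswered_syns(packets):
    """Return the set of client 4-tuples whose SYN never received a SYN-ACK."""
    pending = set()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            pending.add(key)
        elif p["flags"] == "SA":
            # A SYN-ACK flows server -> client, so match it against the
            # reversed 4-tuple of the SYN it answers.
            pending.discard((p["dst"], p["dport"], p["src"], p["sport"]))
    return pending


def summarize_by_source(packets, networks):
    """Count distinct SYN flows and unanswered ones per labelled client network.

    networks maps a label (e.g. "vpn_pool") to a CIDR string; sources that
    match no network are reported under "other".
    """
    nets = {label: ipaddress.ip_network(cidr) for label, cidr in networks.items()}
    dead = unanswered_syns(packets)
    flows = {(p["src"], p["sport"], p["dst"], p["dport"])
             for p in packets if p["flags"] == "S"}
    stats = {}
    for key in flows:
        src = ipaddress.ip_address(key[0])
        label = next((lbl for lbl, net in nets.items() if src in net), "other")
        entry = stats.setdefault(label, {"syn": 0, "unanswered": 0})
        entry["syn"] += 1
        if key in dead:
            entry["unanswered"] += 1
    return stats


if __name__ == "__main__":
    # Constructed prefixes: the LAN and the VPN address pool handed out by the PIX.
    for label, s in summarize_by_source(
            SAMPLE_PACKETS, {"lan": "10.0.0.0/24", "vpn_pool": "172.16.50.0/24"}).items():
        print(f"{label}: {s['unanswered']}/{s['syn']} SYN flows unanswered")
```

A result where every VPN-pool flow is unanswered while LAN flows complete points, as in the thread, at the server's return path (its routing toward the VPN pool) rather than at MTU.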

