Traffic not returning to remote VPN connections


I've successfully set up remote VPN connections to my ASA using vpnc as the client, and everything behaves as expected. I'm trying to test the official Cisco client and I'm unable to make the same SSH connections across the VPN as I could with vpnc.

The ASA shows the IKE and IPsec connections forming, and shows connections being built for the SSH traffic across the VPN.

tcpdump shows the host listening on SSH behind the ASA receiving the traffic and sending ACKs in reply. They don't appear to be arriving back at the remote client though, and SSH connections time out without connecting.

Any idea what might be stopping the return traffic? I thought it might be some policy the ASA is pushing out to the Cisco client but not to vpnc, but I can't spot anything obvious.

michael.leblanc Mon, 05/26/2008 - 15:13

Is the internal SSH host you are connecting to sending ACKs (as you've stated), or SYN/ACKs?

It might be nice to know whether the TCP three-way handshake is being completed and the subsequent packets are the issue, or whether it's the initial TCP setup that is the issue.

Perhaps there would be some benefit in confirming whether these packets are making it through the IPsec tunnel, through the ASA unencapsulated, or not through the ASA at all.

You could use Wireshark to look for unencapsulated packets exiting the ASA.

You could use Wireshark to capture the "pre-encapsulated" traffic being sent to the far side, and the "post-decapsulation" traffic returning from the far side, by capturing on the Cisco VPN Client virtual interface (Windows installation).

Perhaps examine the IPsec SA details on the ASA and look for errors.

Perhaps enable logging on the internal interface ACL (log any packets denied) to identify whether the returning packets are being dropped.
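The handshake check suggested above (is the host answering with SYN/ACKs, and does the client's ACK ever come back?), as an added example that is not part of this thread: a small Python script that reads one-line `tcpdump -nn` output, taken on the SSH host behind the ASA or on the VPN client's virtual adapter, and reports per flow whether the server answered SYN with SYN/ACK and whether the client's ACK arrived. The capture lines, addresses and ports below are constructed for illustration and are not from the original poster's setup.

```python
"""Classify TCP handshake state per flow from tcpdump text output.

Added example, not code from the original thread. Reads the one-line
"tcpdump -nn" format and, for each client->server flow to SERVER_PORT,
reports whether the server replied SYN/ACK and whether the client's final
ACK arrived, so "return path broken" can be told apart from "server never
answered" and "server refused".
"""
import re
import sys
from collections import defaultdict

# Matches e.g.
# 15:13:01.000101 IP 10.10.1.50.54321 > 192.168.1.10.22: Flags [S.], seq 1, ack 2, win 65535, length 0
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)

# Constructed sample: three SSH attempts to 192.168.1.10 as seen on that host.
SAMPLE_CAPTURE = """\
15:13:01.000101 IP 10.10.1.50.54321 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, options [mss 1380], length 0
15:13:01.000250 IP 192.168.1.10.22 > 10.10.1.50.54321: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
15:13:04.000102 IP 10.10.1.50.54321 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, options [mss 1380], length 0
15:13:04.000251 IP 192.168.1.10.22 > 10.10.1.50.54321: Flags [S.], seq 2000, ack 1001, win 65535, options [mss 1460], length 0
15:13:10.000500 IP 10.10.1.60.40000 > 192.168.1.10.22: Flags [S], seq 5000, win 65535, options [mss 1380], length 0
15:13:10.000600 IP 192.168.1.10.22 > 10.10.1.60.40000: Flags [S.], seq 6000, ack 5001, win 65535, options [mss 1460], length 0
15:13:10.000700 IP 10.10.1.60.40000 > 192.168.1.10.22: Flags [.], ack 1, win 65535, length 0
15:13:10.001000 IP 192.168.1.10.22 > 10.10.1.60.40000: Flags [P.], seq 1:22, ack 1, win 65535, length 21
15:13:12.000000 IP 10.10.1.70.41000 > 192.168.1.10.22: Flags [S], seq 7000, win 65535, options [mss 1380], length 0
15:13:12.000100 IP 192.168.1.10.22 > 10.10.1.70.41000: Flags [R.], seq 0, ack 7001, win 0, length 0
"""

EXPLANATIONS = {
    "NO_SYNACK": "SYN seen but no SYN/ACK: the server never answered (traffic not reaching it, or dropped inbound)",
    "REFUSED": "server answered with RST: nothing listening, or a local filter rejected it",
    "RETURN_PATH_BROKEN": "SYN/ACK sent but the client's ACK never arrived: the return path is broken",
    "HANDSHAKE_OK": "three-way handshake completed, no payload seen yet",
    "HANDSHAKE_OK_DATA": "three-way handshake completed and payload is flowing",
}


def parse_tcpdump_line(line):
    """Return a dict of src/sport/dst/dport/flags/length, or None if not a TCP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "length"):
        d[k] = int(d[k])
    return d


def verdict(st):
    if st["rst"] and not st["ack"]:
        return "REFUSED"
    if not st["synack"]:
        return "NO_SYNACK"
    if not st["ack"]:
        return "RETURN_PATH_BROKEN"
    return "HANDSHAKE_OK_DATA" if st["data"] else "HANDSHAKE_OK"


def classify_flows(lines, server_port=22):
    """Map (client_ip, client_port, server_ip) -> counters plus a verdict code."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0, "data": 0})
    for line in lines:
        p = parse_tcpdump_line(line)
        if p is None:
            continue
        f = p["flags"]                      # tcpdump: S=SYN, .=ACK, P=PSH, R=RST, F=FIN
        if p["dport"] == server_port:       # client -> server
            st = flows[(p["src"], p["sport"], p["dst"])]
            if "S" in f:
                st["syn"] += 1              # repeats here mean the client is retransmitting SYN
            elif "." in f and "R" not in f:
                st["ack"] += 1
        elif p["sport"] == server_port:     # server -> client
            st = flows[(p["dst"], p["dport"], p["src"])]
            if "R" in f:
                st["rst"] += 1
            elif "S" in f and "." in f:
                st["synack"] += 1
        else:
            continue
        if p["length"] > 0:
            st["data"] += 1
    return {k: dict(v, verdict=verdict(v)) for k, v in flows.items()}


if __name__ == "__main__":
    # Usage: tcpdump -nn -i eth0 port 22 > ssh.txt ; python3 handshake_check.py ssh.txt
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CAPTURE.splitlines()
    for (client, cport, server), st in classify_flows(src).items():
        print(f"{client}:{cport} -> {server}:22  syn={st['syn']} synack={st['synack']} "
              f"ack={st['ack']} rst={st['rst']}  {EXPLANATIONS[st['verdict']]}")
```

Run against the constructed sample, the first flow (SYN/ACK sent twice, no ACK ever returned, client retransmitting SYN) is exactly the symptom described in the question; the other two flows show what a healthy handshake and a refused connection look like for comparison. Run it on the capture from the SSH host and from the VPN client's adapter and compare which side last saw each packet.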
