Remote Access VPN

Unanswered Question
May 10th, 2008

The concentrator is connected to the core switch, and the server 172.28.31.171 is also connected to the core switch.

Inter-VLAN routing is working fine. The server and the concentrator are able to reach each other via the core switch.



Concentrator private IP address: 172.28.31.92/248

VPN pool: 172.28.31.128/248

Core switch IP address: 172.28.31.91






The client is able to connect without any problem, but the client is not able to ping or connect to any network device.

In the VPN session I can see bytes sent and received. My LAN-to-LAN tunnels are working fine without any problem.

No firewall is involved in the path between the concentrator and the desired server 172.28.31.171.

Both are connected to the same switch but in different VLANs. Inter-VLAN routing is working and both are able to ping.

Only the remote access client 172.28.31.128/248 is not able to reach anywhere.






Core switch routing table:

ip route 172.28.0.0 255.255.0.0 172.28.31.68
ip route 172.28.0.0 255.255.224.0 172.28.31.77
ip route 172.28.31.128 255.255.255.248 172.28.31.92
ip route 172.28.32.50 255.255.255.255 172.28.31.92
ip route 172.29.0.0 255.255.0.0 172.28.31.68

Concentrator routing table:

172.28.31.160 255.255.255.224 via 172.28.31.91
172.28.92.0 255.255.255.0 via 172.28.31.91
172.29.0.0 255.255.0.0 via 172.28.31.91
192.168.0.0 255.255.0.0 via 172.28.31.91
172.28.31.170 255.255.255.255 via 172.28.31.91



Split tunnel is enabled for:

172.28.31.88/0.0.0.7
192.168.0.0/0.0.255.255
172.29.0.0/0.0.255.255
172.28.92.0/0.0.0.255
172.28.31.170/0.0.0.0
172.28.31.171/0.0.0.0





JORGE RODRIGUEZ Sat, 05/10/2008 - 19:24

Hi, I'm trying to decipher your IP scheme and I'm seeing something odd:

"Only the remote access client 172.28.31.128/248 is not able to reach anywhere."

You are using 172.28.31.128 for your VPN pool network with a 29-bit mask, at least that is what your description entails. This network allows for a range of 8 addresses, from 128 to 135; 172.28.31.128 is the network address, therefore it cannot be assigned to any host, and 135 is the broadcast address.


Jorge
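
Before looking at NAT-T, the tables posted in the question can be checked mechanically: which next hop each device picks by longest-prefix match for the client address and for the server, whether a destination is even inside the split-tunnel list (so that the client sends it into the tunnel at all), and which pool addresses are assignable in the 8-address /29 Jorge describes. The Python script below is an added example written for this page; it is not code from the thread, from either poster, or from Cisco. It transcribes the core and concentrator route tables and the split-tunnel entries exactly as posted, and assumes that "/248" in the question means netmask 255.255.255.248 (/29) and that return traffic for the pool should land on the concentrator's private address 172.28.31.92.

```python
import ipaddress

# Route tables and split-tunnel list transcribed from the thread (constructed
# input). Assumptions: "/248" means 255.255.255.248 (/29), and the return path
# for the pool must resolve to the concentrator's private address below.
CONCENTRATOR_IP = "172.28.31.92"

CORE_ROUTES = [  # (destination, netmask, next hop) from the "ip route" lines
    ("172.28.0.0", "255.255.0.0", "172.28.31.68"),
    ("172.28.0.0", "255.255.224.0", "172.28.31.77"),
    ("172.28.31.128", "255.255.255.248", "172.28.31.92"),
    ("172.28.32.50", "255.255.255.255", "172.28.31.92"),
    ("172.29.0.0", "255.255.0.0", "172.28.31.68"),
]

CONCENTRATOR_ROUTES = [
    ("172.28.31.160", "255.255.255.224", "172.28.31.91"),
    ("172.28.92.0", "255.255.255.0", "172.28.31.91"),
    ("172.29.0.0", "255.255.0.0", "172.28.31.91"),
    ("192.168.0.0", "255.255.0.0", "172.28.31.91"),
    ("172.28.31.170", "255.255.255.255", "172.28.31.91"),
]

SPLIT_TUNNEL = [  # Cisco network/wildcard pairs as posted
    ("172.28.31.88", "0.0.0.7"),
    ("192.168.0.0", "0.0.255.255"),
    ("172.29.0.0", "0.0.255.255"),
    ("172.28.92.0", "0.0.0.255"),
    ("172.28.31.170", "0.0.0.0"),
    ("172.28.31.171", "0.0.0.0"),
]


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco wildcard (inverse) mask into an IPv4Network.

    ipaddress reads "x/0.0.0.0" as netmask /0 rather than hostmask /32, so the
    prefix length is derived from the wildcard bits here instead.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def routes_to_networks(routes):
    return [(ipaddress.IPv4Network((net, mask), strict=False), nh)
            for net, mask, nh in routes]


def lookup(routes, dst):
    """Longest-prefix match over a route table.

    Returns the next hop the device would use, or None when no posted route
    covers dst (directly connected, or simply unreachable).
    """
    ip = ipaddress.IPv4Address(dst)
    best = None
    for net, nh in routes_to_networks(routes):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def in_split_tunnel(dst):
    """Would the client send traffic for dst into the tunnel at all?"""
    ip = ipaddress.IPv4Address(dst)
    return any(ip in wildcard_to_network(a, w) for a, w in SPLIT_TUNNEL)


def pool_hosts(network, netmask):
    """Assignable pool addresses (network and broadcast excluded)."""
    pool = ipaddress.IPv4Network((network, netmask), strict=False)
    return [str(h) for h in pool.hosts()]


def path_check(client_ip, dst):
    """Resolve both directions for one client -> destination pair."""
    forward = lookup(CONCENTRATOR_ROUTES, dst)
    back = lookup(CORE_ROUTES, client_ip)
    return {
        "split_tunnel": in_split_tunnel(dst),
        "forward_next_hop": forward,
        "return_next_hop": back,
        "return_reaches_concentrator": back == CONCENTRATOR_IP,
    }


if __name__ == "__main__":
    print("pool hosts:", pool_hosts("172.28.31.128", "255.255.255.248"))
    for dst in ("172.28.31.171", "172.28.31.172", "172.28.92.10"):
        print(dst, path_check("172.28.31.129", dst))
```

On the tables as posted, a client at 172.28.31.129 talking to 172.28.31.171 resolves in both directions (forward via 172.28.31.91 on the concentrator's 172.28.31.160/27 route, return via 172.28.31.92 on the core's /29 route, which beats the /19 and /16 entries), and 172.28.31.171 is in the split-tunnel list, so neither of those two hops is where the traffic is being dropped. The script also shows that any destination the list does not cover, 172.28.31.172 for instance, never enters the tunnel in the first place. What it cannot see is the route the server itself, or the gateway on its VLAN, holds back to 172.28.31.128/29; that return hop is the next thing to verify.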

wasiimcisco Sun, 05/11/2008 - 08:30

172.28.31.128/248 is the pool that is defined on the VPN concentrator; client IPs start from 172.28.31.129-172.28.31.133.

The client gets the IP 172.28.31.129 and is still not able to reach the internal network. My site-to-site VPNs are working fine; the only problem is with the remote access VPN.

JORGE RODRIGUEZ Sun, 05/11/2008 - 09:37

On the concentrator, in your VPN tunnel group for RA clients, under the Client Config tab, do you have IPsec over UDP checked on, as well as IPsec over UDP port 1000? This is assuming the clients are using the default IPsec over UDP port 1000 in their client settings.

You may also need to enable NAT transparency under Tunneling Protocols\IPsec\NAT Transparency (IPsec over NAT-T).

wasiimcisco Mon, 05/12/2008 - 04:28

My dear, there is no firewall or NAT device between the client and the server; it is simply the concentrator that is connected to the switch, and the server is also connected to that switch.


