REMOTE VPN PROBLEM

Answered Question
May 26th, 2008
User Badges:

My remote access vpn client is not able to connnect with internal network.


concentrator is connected with core switch and server 172.28.31.171(server) is also connected in core switch.


InterVLN routing is working fine. server and conncentrator is able to reach other via core switch.



concentrator private Ip address 172.28.31.92/248

VPN POOL: 172.28.31.128/29

Core switch Ip address is 172.28.31.91






Client is able to connect without any problem, but client not able to ping or connect with any network device.


In VPN session i can see bytes send and receive. My LAN-2-LAN tunnles are working fine without any problem.



No firewall involoved in the path between the concentrator and desired server 172.28.31.171.




Both connected on same switch but different VLAN. Inter VLAN routing is working and both are able to ping.




ONly remote access client 172.28.31.128/248 is not able to reach anywhere.






Core switch routing table


ip route 172.28.0.0 255.255.0.0 172.28.31.68

ip route 172.28.0.0 255.255.224.0 172.28.31.77

ip route 172.28.31.128 255.255.255.248 172.28.31.92

ip route 172.28.32.50 255.255.255.255 172.28.31.92

ip route 172.29.0.0 255.255.0.0 172.28.31.68






Concentrator routing table


172.28.0.0 255.255.0.0 via 172.28.31.91

172.29.0.0 255.255.0.0 via 172.28.31.91

192.168.0.0 255.255.0.0 via 172.28.31.91




Split tunnel is enable for


172.28.0.0/0.0.255.255

172.29.0.0/0.0.255.255

172.31.0.0/0.0.255.255

192.168.0.0/0.0.255.255



See the attachement which shows client connects successfully but only sending not receving anything. I have checked


with changing the mtu size and by enabling and disabling the NAT_T. But no success.








  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
wasiimcisco Mon, 05/26/2008 - 10:13
User Badges:

kindly see the attachement for routing table of concentrator. I dont think so there is routing issue, bcz all network devices are able to reach concentrator, and cocnentrator is able to reach the all network. 172.28.31.91 is switch in which concnetrator private interface is connected. both are able to reach each other, i have so many site to site vpn tunnels and they are working fine, only problem with remote access vpn.



wasiimcisco Mon, 05/26/2008 - 12:31
User Badges:

see the attachement for address pool.


172.28.31.128/29 and see the core switch routing table in which all network is connected.


ip route 172.28.31.128 255.255.255.248 172.28.31.92


it is sending all traffic for destination of 172.28.31.128/29 towards concentrator private interface 172.28.31.92



OK - all that looks, you still could have an issue, you have a route in the core for:-


ip route 172.28.0.0 255.255.224.0 172.28.31.77 - which covers the subnets you are using. I know you have a more specific route to point to the concentrator, rather than the device 172.28.31.92.


I would try testing with another un-used IP subnet...say 172.16.1.0/24 in the concentrator with a route in the core for:-



ip route 172.16.1.0 255.255.224.0 172.28.31.92


And see if the works?

wasiimcisco Mon, 05/26/2008 - 14:06
User Badges:

core switch routing


ip route 172.16.1.0 255.255.255.0 172.28.31.92



see the attachement for concentrator configuration for vpn pool, client connects gets the ip but still not able to reach anywhere.



Attachment: 
wasiimcisco Tue, 05/27/2008 - 02:34
User Badges:

problem solved, i changed the vpn pool 172.16.1.0/24 and enable the NAT-T and it is working fine, thanks for your continous support and help and being with me during this troublehsooting.


but i m still thinking about why it works after enabling NAT-T, though there is no firewall involved, no NAT device in the way of concentrator and client.


Please explain, if you know, anyway, once again thanks for your help.

Actions

This Discussion