08-13-2008 12:57 AM - edited 03-09-2019 09:16 PM
Good morning,
I'm encountering an interesting issue on two different CVPN boxes (Cisco VPN 3005 and 3020).
The thing is, when remote clients connect to the VPN gateway using their Cisco VPN client, they cannot reach any of my LAN hosts for about 60 seconds, even though the log-in procedure has run fine.
Then, after about 60 seconds (sometimes less), connectivity to my network works well.
While they continuously ping one of my hosts, on the CVPN WebUI, session statistics show 0 in/out encrypted packets.
TCPDump at the back of the CVPN box shows no packets sent to my network (not even arp or whatever).
Is there any option I missed on my configuration to disable this annoying freeze time?
Thanks for helping if any of you has ever solved this.
Best regards,
Gaëtan
08-13-2008 06:40 AM
I'm not aware of any such setting to sort of put a delay() function on the clients :)
Try to put the desired Phase 1 profile on the top of the VPNC IKE proposals (Global). Phase 1 parameters are always negotiated from the global proposals (regardless of what you put in the Group >>> IPsec tab).
Regards
Farrukh
08-13-2008 06:55 AM
Even if connection to the VPN gateway is established almost immediately, do you really think phase 1 tuning might have an impact on this "delay"?
Because, during these 30~60 seconds, VPN Client is connected and IP address is given to the remote host.
08-13-2008 10:44 AM
No, Phase 1 is much before the IP assignment phase (which is part of mode config), but sometimes it takes a little time for the VPN statistics page to update. Does this happen on all clients?
Regards
Farrukh
08-13-2008 12:20 PM
Yes, it does and to different groups as well.
08-13-2008 12:26 PM
Could this be a WAN delay or excessive load on your 3005?
Regards
Farrukh
08-13-2008 12:30 PM
No chance.
Tested from two different ISPs and got the issue on two different boxes (3305 & 3320).
Tried to reload the CVPN and upgrade to latest version without any result.
08-13-2008 06:46 PM
Ok thanks for the update.
Are you using split tunneling or the local LAN access feature?
Regards
Farrukh
08-13-2008 09:57 PM
No split-tunneling. Everything's routed through the IPSec tunnel.
Regards,
Gaëtan