VPN clients unable to connect when behind IOS dynamic router

Unanswered Question
Feb 21st, 2009

I have a very strange problem... I have an 871 router behind a dynamic ISP. This router was setup for Lan-to-Lan tunnel with a static ASA. The tunnel works perfectly (obviously, traffic always has to be initiated from the IOS LAN).

The problem is that no user sitting behind the IOS router can now make Cisco VPN connections. This used to work but stopped working after the L2L tunnel was created.

The users can successfully make the Cisco VPN remote connection to its destination, but they can't pass traffic.

Can you please help?

Ivan Martinon Sat, 02/21/2009 - 18:09
User Badges:
  • Cisco Employee,

Is nat-t (nat traversal/transparency) enabled on the vpn server?

insccisco Sat, 02/21/2009 - 18:22

I don't have access to VPN servers. My users are all sitting behind the IOS router, which again has a dynamic ISP connection to the internet.

The users connect to many different offices using the Cisco VPN client software but now they can't use this vpn software at all because they can't pass traffic after the connection is established.

I have been doing some reading and I find that this could be the problem: after the users make the VPN connections to other devices, the communication gets established and the users are able to reach the other side, but the return traffic never gets back to the users because the IOS thinks it belongs to a L2L tunnel....

please help

Ivan Martinon Sat, 02/21/2009 - 21:59
User Badges:
  • Cisco Employee,

The only way the IOS would "think" it belongs to the lan to lan tunnel would be if the clients are connecting to the same location where the lan to lan terminates, in which case I don't see the reason why they should use the vpn client.

When there is no traffic going through the tunnel, it typically indicates an issue with ESP packets not getting through a NAT environment, which appears to be your case; you might really want to find out if NAT-T is enabled.

sdoremus33 Sat, 02/21/2009 - 21:59
User Badges:
  • Bronze, 100 points or more

Use this config if using Dyn Tunnel Group for default attributes for troubleshooting

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

insccisco Sat, 02/21/2009 - 22:55

The ASA does not let me type "tunnel-group DefaultL2LGroup type ipsec-l2l".

I get an error. When I do a "tunnel-group DefaultL2LGroup ?" I get the following:

5510(config)# tunnel-group DefaultL2LGroup ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode

For the second command, "tunnel-group DefaultL2LGroup general-attributes" the ASA does let me in, but once in, there is no "authentication-server-group none" option. All the commands I can type in there are:

accounting-server-group Enter name of the accounting server group
default-group-policy Enter name of the default group policy
exit Exit from tunnel-group general attribute configuration mode
help Help for tunnel group configuration commands
no Remove an attribute value pair

For your last commands that you want me to type,

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

Those are already in the configuration.

I have opened a TAC case and so far 4 or 5 engineers have seen this case and so far they can't figure it out. I still think it has to be something small.

please help
