02-21-2009 05:25 PM
Guys,
I have a very strange problem... I have an 871 router behind a dynamic ISP. This router was set up for a LAN-to-LAN tunnel with a static ASA. The tunnel works perfectly (obviously, traffic always has to be initiated from the IOS LAN).
The problem is that no user sitting behind the IOS router can now make Cisco VPN connections. This used to work but stopped working after the L2L tunnel was created.
The users can successfully make the Cisco VPN remote connection to their destinations, but they can't pass traffic.
Can you please help?
02-21-2009 06:09 PM
Is nat-t (nat traversal/transparency) enabled on the vpn server?
02-21-2009 06:22 PM
I don't have access to the VPN servers. My users are all sitting behind the IOS router, which again has a dynamic ISP connection to the internet.
The users connect to many different offices using the Cisco VPN client software but now they can't use this vpn software at all because they can't pass traffic after the connection is established.
I have been doing some reading and I find that this could be the problem: after the users make the VPN connections to other devices, the communication gets established and the users are able to reach the other side, but the return traffic never gets back to the users because the IOS thinks it belongs to a L2L tunnel....
please help
02-21-2009 09:59 PM
The only way the IOS would "think" it belongs to the LAN-to-LAN tunnel would be if the clients are connecting to the same location where the LAN-to-LAN terminates, in which case I don't see the reason why they should use the VPN client.
When no traffic goes through the tunnel, that typically shows an issue with ESP packets not going through a NAT environment, which appears to be your case; you might really want to find out if NAT-T is enabled.
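The two checks behind the reasoning in this reply, as an added example (not code from the thread or from Cisco): first, whether a given flow would match the L2L crypto ACL on the IOS router, i.e. whether IOS would treat it as tunnel traffic and encrypt it toward the ASA instead of NATting it out to the internet; second, whether a VPN client session is using NAT-T (UDP/4500) or raw ESP (IP protocol 50), which a PAT device has no port numbers to translate. The crypto ACL, the addresses and the packet summaries below are constructed, hypothetical values, not the poster's configuration.

```python
"""Added example: crypto-ACL match check and NAT-T vs raw-ESP classification.
The ACL and all addresses are hypothetical, constructed for illustration."""
import ipaddress
import re

# Hypothetical L2L crypto ACL in IOS wildcard-mask syntax (constructed).
CRYPTO_ACL = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.255.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 host 10.30.1.5
"""

ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
    Assumes a contiguous wildcard mask (the bitwise inverse of a subnet mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text):
    """Return a list of (action, protocol, src_net, dst_net) in ACL order."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        _, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        entries.append((action, proto, src, dst))
    return entries


def matches_crypto_map(entries, src, dst, proto="ip"):
    """True if the flow is 'interesting traffic' for the L2L crypto map.
    First matching ACE wins, as on IOS; a deny means 'not interesting'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst in entries:
        if aproto not in ("ip", proto):
            continue
        if s in asrc and d in adst:
            return action == "permit"
    return False


def classify_ipsec_packet(ip_proto, dst_port=None):
    """Classify one packet by IP protocol and UDP destination port:
    ISAKMP (UDP/500), NAT-T (UDP/4500), or raw ESP (protocol 50, no ports)."""
    if ip_proto == 50:
        return "esp-raw"
    if ip_proto == 17 and dst_port == 4500:
        return "nat-t"
    if ip_proto == 17 and dst_port == 500:
        return "isakmp"
    return "other"


def needs_nat_t(packets, behind_nat=True):
    """Flag a client session that is sending raw ESP from behind NAT/PAT.
    packets: iterable of (ip_proto, dst_port) tuples from a capture summary."""
    kinds = {classify_ipsec_packet(p, port) for p, port in packets}
    return behind_nat and "esp-raw" in kinds and "nat-t" not in kinds


if __name__ == "__main__":
    acl = parse_crypto_acl(CRYPTO_ACL)
    # A VPN client on the LAN talking to some other office's concentrator
    # (hypothetical public address) must NOT match the L2L crypto ACL.
    print(matches_crypto_map(acl, "192.168.10.5", "203.0.113.9"))
    # Constructed capture summary: IKE on UDP/500 followed by raw ESP.
    print(needs_nat_t([(17, 500), (50, None)]))
```

If `matches_crypto_map` returns True for a client's VPN server address, the router will try to push that traffic into the L2L tunnel, which is the situation the reply describes; if `needs_nat_t` returns True, the client's ESP has no UDP ports for the router's PAT to translate, which is the NAT-T question raised in this thread.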
02-21-2009 09:59 PM
Use this config if using Dyn Tunnel Group for default attributes for troubleshooting
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
02-21-2009 10:55 PM
the ASA does not let me type "tunnel-group DefaultL2LGroup type ipsec-l2l"
I get an error. When I do a "tunnel-group DefaultL2LGroup ?" I get the following:
5510(config)# tunnel-group DefaultL2LGroup ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
For the second command, "tunnel-group DefaultL2LGroup general-attributes" the ASA does let me in, but once in, there is no "authentication-server-group none" option. All the commands I can type in there are:
accounting-server-group Enter name of the accounting server group
default-group-policy Enter name of the default group policy
exit Exit from tunnel-group general attribute configuration mode
help Help for tunnel group configuration commands
no Remove an attribute value pair
For your last commands that you want me to type,
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
Those are already in the configuration.
I have opened a TAC case, and so far 4 or 5 engineers have seen this case and they can't figure it out. I still think it has to be something small.
please help