laptop unreachable when directly connected to Cisco kit

Unanswered Question
Apr 22nd, 2009


When I patch my XP laptop (with a Cisco VPN client installed) into any Cisco device, I can ping the Cisco device from my laptop but cannot ping the laptop from the Cisco device.

I noticed this when trying to update the IOS on a Catalyst 6500 - couldn't use the TFTP server on the directly connected laptop.

Got round this eventually by disabling the Cisco VPN service on the XP laptop - then I can ping the Cisco device from the laptop and vice versa. Tested this with various Cisco VPN clients and platforms and the results are the same.

Did a packet capture on the laptop when pinging from the Cisco device and it shows nothing until I disable the Cisco VPN service on the laptop - the packet capture then shows a packet from the Cisco device to the Cisco CDP multicast address 01-00-0C-CC-CC-CC and then the laptop starts replying to the echo requests.

I now know how to 'resolve' this, but can anyone tell me what is actually happening when I have the VPN client service enabled?



NickNac79 Wed, 04/22/2009 - 02:35

Hi Andy,

This is by design. When a VPN tunnel is up all access to the LAN from the client is disabled for security purposes.

This can be disabled, but it has to be permitted from the VPN host (e.g. the ASA that the client is connecting to)


andrewswanson Wed, 04/22/2009 - 02:43

Thanks Nick - I'm not using the VPN client when this happens - don't have any tunnels up. The VPN XP 'service' is running though, which seems to have been causing the problem.



NickNac79 Wed, 04/22/2009 - 03:34

Hmm, that's odd then.

Is your Windows firewall switched on with exceptions for ICMP, or switched off altogether?

I believe the VPN client will force the firewall on when started, so if you normally have the Windows firewall off, then the VPN client will re-enable it in its default mode, which doesn't allow incoming ICMP.
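The two symptoms discussed in this thread look the same from the switch (no ping reply) but differ in a capture taken on the laptop: in the original question the capture shows nothing at all until the VPN service is stopped, whereas a host firewall blocking incoming ICMP, as Nick describes, would still show the echo requests arriving with no reply going out. The script below is an added example, not from the thread or from Cisco; it pairs echo requests with replies in a constructed capture summary (MAC addresses and ICMP id/seq values are made up) and reports which of the two cases the capture matches. It also handles the mixed case of some requests answered and some not.

```python
"""Pair ICMP echo requests with replies in a host-side capture summary.

Added example (not from the thread). The frames below are constructed
records of the kind a capture on the laptop would show, reduced to the
fields needed to tell "requests never reached the capture point" apart
from "requests arrived but the host did not answer".
"""

CDP_MULTICAST = "01:00:0c:cc:cc:cc"   # Cisco CDP multicast MAC named in the question
ECHO_REQUEST, ECHO_REPLY = 8, 0       # ICMP type values

# Constructed addresses (hypothetical): the switch port and the laptop NIC.
SWITCH_MAC = "00:1b:d4:aa:aa:aa"
LAPTOP_MAC = "00:16:d3:bb:bb:bb"


def _icmp(src, dst, icmp_type, ident, seq):
    """Build one constructed ICMP frame record."""
    return {"src": src, "dst": dst, "proto": "icmp",
            "type": icmp_type, "id": ident, "seq": seq}


# Case 1 (constructed): capture while the VPN service runs -- nothing at all,
# which is what the question reports.
CAPTURE_SERVICE_ON = []

# Case 2 (constructed): capture after the service is stopped -- a CDP frame
# from the switch, then echo requests that the laptop answers.
CAPTURE_SERVICE_OFF = [
    {"src": SWITCH_MAC, "dst": CDP_MULTICAST, "proto": "cdp"},
    _icmp(SWITCH_MAC, LAPTOP_MAC, ECHO_REQUEST, 1, 0),
    _icmp(LAPTOP_MAC, SWITCH_MAC, ECHO_REPLY, 1, 0),
    _icmp(SWITCH_MAC, LAPTOP_MAC, ECHO_REQUEST, 1, 1),
    _icmp(LAPTOP_MAC, SWITCH_MAC, ECHO_REPLY, 1, 1),
]

# Case 3 (constructed): requests arrive but only the first is answered, the
# pattern a host firewall dropping incoming ICMP would leave behind.
CAPTURE_FIREWALL_ON = [
    _icmp(SWITCH_MAC, LAPTOP_MAC, ECHO_REQUEST, 1, 0),
    _icmp(LAPTOP_MAC, SWITCH_MAC, ECHO_REPLY, 1, 0),
    _icmp(SWITCH_MAC, LAPTOP_MAC, ECHO_REQUEST, 1, 1),
]


def pair_echoes(frames, host_mac):
    """Return (requests, replied): the set of (id, seq) echo requests addressed
    to host_mac, and the subset for which host_mac sent a matching reply."""
    requests, replied = set(), set()
    for f in frames:
        if f.get("proto") != "icmp":
            continue                      # CDP, ARP, etc. are not echo traffic
        key = (f["id"], f["seq"])
        if f["type"] == ECHO_REQUEST and f["dst"] == host_mac:
            requests.add(key)
        elif f["type"] == ECHO_REPLY and f["src"] == host_mac:
            replied.add(key)
    return requests, requests & replied


def diagnose(frames, host_mac):
    """Classify a capture taken on host_mac while a neighbour pings it."""
    requests, replied = pair_echoes(frames, host_mac)
    if not requests:
        # Nothing reached the capture point: the frames are being dropped
        # below the layer the capture sees, as in the original question.
        verdict = "no_requests_captured"
    elif replied == requests:
        verdict = "replies_ok"
    else:
        # Requests were seen and the host stayed silent: host firewall /
        # missing ICMP exception, the case Nick's reply describes.
        verdict = "requests_unanswered"
    return {
        "verdict": verdict,
        "requests": len(requests),
        "replied": len(replied),
        "unanswered": sorted(requests - replied),
        "cdp_seen": any(f["dst"] == CDP_MULTICAST for f in frames),
    }


if __name__ == "__main__":
    for name, cap in [("vpn service on", CAPTURE_SERVICE_ON),
                      ("vpn service off", CAPTURE_SERVICE_OFF),
                      ("host firewall on", CAPTURE_FIREWALL_ON)]:
        print(name, diagnose(cap, LAPTOP_MAC))
```

The distinction the verdict draws is the useful one when troubleshooting: an empty capture points at something between the NIC and the capture driver (an intermediate filter such as the one a VPN client installs), while unanswered requests point at the host's own filtering.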


glen.grant Wed, 04/22/2009 - 04:31

Sounds like Windows firewall or whatever FW software it may be running. It needs to be off to ping; FW blocks ping by design.

andrewswanson Wed, 04/22/2009 - 05:02

Thanks for the replies guys - only Windows firewall running - disabled this as part of the test and the problem persisted (until the VPN service was disabled) - tried another laptop and got the same problem.

Problem only occurs between Cisco kit and a directly connected laptop - just tested this now:

I've got my laptop patched into a Catalyst 2950 which connects into a 4507. With the VPN service enabled on the laptop, I can ping the laptop from the 4507 but not from the 2950. As soon as I disable the VPN service on the laptop, the ping from the 2950 works.



