Cisco 877W randomly blocks connection with Cisco VPN client?

Unanswered Question
Oct 8th, 2009

Hi... I believe I'm in the right forum here, but please tell me if not!

We're a smallish business (software house), and use a Cisco 877W router for our main internet connection. We have plenty of customers who we support remotely with a variety of methods - VNC/PCAnywhere/RDP/etc. One of our larger customers requires us to log into their corporate network using the Cisco VPN client. The problem we have is that it sometimes doesn't work - it gets as far as asking for a login - I can see 'Launch xAuth application' and 'xAuth Application Returned' in the logs - and then tries

SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xxx.xxx.xxx.xxx

but this then doesn't get a reply (when it's not working). No amount of restarting the router or playing about with access lists will get it working, but if I physically swap the router out for a different one (I've tried a Netgear DG834) then it always works fine. It seems that the 877W is either blocking that last outbound request, or is blocking the inbound response to it, but I can't see anything in the logs indicating an access-list is blocking it.

I could happily accept that it's a configuration issue, but it seems totally random - it will work fine for some weeks, but then will stop working for a few days. To give an example, it stopped working last Friday, and I spent all day yesterday (Wednesday) trying different things with the configuration and nothing worked. This morning it's suddenly working again, but the router uptime is over 1 day, 12 hours, so it's not been reset in that time, and the config is definitely the same this morning as it was when it last didn't work yesterday afternoon.

It will generally work for longer than it won't - we'll have 3 weeks of it working fine followed by 4 or 5 days of it not working, but there doesn't seem to be a set pattern.

It would appear the problem is definitely our router because replacing it with a different make/model cures it. We also have a second ADSL line from the same ISP for testing (totally isolated from the main network), which has only 1 PC on it and a small "Zyxel" Modem/Router, and that never has this problem either.

IOS version 12.4(4)T3

DSL interface FW Version = 2.542

Cisco VPN Client Version = 5.0.05.0290 (but have the same problem with ver 5.0.00.0340)

We have VPN information in the config for a different customer's various sites, which work fine and have done for years, and we've used the VPN client for a different customer for some time without this problem as well.

I'm happy to post configs and the like, but I'd have to sanitize it to remove other customer info and the like of course.

Thanks for reading the Essay, and any ideas?

lgijssel Fri, 10/23/2009 - 01:47

Please check that the VPN uses UDP or TCP encapsulation to overcome the NAT boundaries.

The accepting firewall should allow this by configuring ip nat traversal.

If this is not enabled, the problem as described may occur. Hopefully, the url below is of value to you:

https://www.cisco.com/en/US/docs/ios/ipmobility/configuration/guide/imo_3519_nat_tr_ps6350_TSD_Products_Configuration_Guide_Chapter.html

playsafecisco Fri, 10/23/2009 - 02:51

Many thanks for your reply.

Surely if this was a configuration issue like you describe it would simply never work though - it wouldn't work most of the time and occasionally not work?

When it works, it works from any PC inside our LAN, and when it 'breaks' it won't work from any PC, and then will just right itself.

I looked at that link you supplied, and it appears to be more concerned with VPN connections which are negotiated and established by the router itself. Our router is not the device that is establishing the VPN tunnel, it is the Cisco VPN client software. That said, I had a little look at our router, and it doesn't seem to support any "ip mobile" commands at all. I'm not sure if it's simply not supported on this device, or if I'm missing a configuration step somewhere.

I also don't have any access to the configuration at the other end of the VPN - as far as they are concerned it works from our secondary broadband line, or if we simply swap out the router - so the problem is at our end, and they are not particularly helpful.

It's entirely possible I'm completely misunderstanding something, as I am most definitely not a Cisco 'expert' by any means.

lgijssel Fri, 10/23/2009 - 04:35

The VPN client (your side) and the firewall it connects to have to agree on a transport mode.

Your router is in the way when transport without encapsulation is negotiated. It is typical that low-end devices have no problem with this because they use a different type of NAT (VPN passthrough).

With Cisco, it may be so that the first connection passes but subsequent attempts fail. Enabling UDP transport will resolve this issue. You need to configure this on the firewall where the VPN is terminated.

regards,

Leo
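The mechanism Leo is pointing at is IPsec NAT traversal (NAT-T): during IKE the two peers exchange NAT-D payloads, each a hash of the ISAKMP cookies plus an IP address and port, and a peer that sees the hashes disagree with the addresses on the wire knows a NAT sits in between and switches ESP into UDP encapsulation on port 4500. Plain ESP (IP protocol 50) has no ports for a NAT device to track, which is why a full NAT without a passthrough helper can break the tunnel. The following Python script is an added illustration of that detection step as defined in RFC 3947/3948; it is not code from this thread, Cisco or any poster. The addresses, ports and 8-byte cookies are constructed sample values, and SHA-1 is assumed as the hash negotiated in IKE phase 1.

```python
import hashlib
import socket
import struct

# Constructed sample values (not from the thread); RFC 5737 documentation ranges.
CLIENT_PRIVATE_IP = "192.168.1.10"   # VPN client's LAN address behind the office router
CLIENT_PUBLIC_IP = "203.0.113.5"     # address the office router's NAT rewrites it to
GATEWAY_IP = "198.51.100.1"          # the remote VPN gateway / firewall
ISAKMP_PORT = 500                    # IKE starts here
NAT_T_PORT = 4500                    # UDP-encapsulated IKE and ESP after NAT is detected

# Constructed ISAKMP cookies (8 bytes each), exchanged in the first IKE messages.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port), with the
    IP as 4 network-order bytes and the port as a 2-byte network-order integer."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """A peer sends the hash of the remote address first, then of its own address,
    both computed from the addresses it believes are in use."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(payloads, cky_i, cky_r, own_ip, own_port, observed_src_ip, observed_src_port):
    """The receiver recomputes both hashes from the addresses it actually observes.
    Returns (peer_behind_nat, self_behind_nat)."""
    remote_hash, local_hash = payloads
    # If the hash of "our" address does not match what we are using, our side is NATed.
    self_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    # If the sender's own-address hash does not match the packet's source, the sender is NATed.
    peer_behind_nat = local_hash != nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    return peer_behind_nat, self_behind_nat


def choose_transport(peer_behind_nat, self_behind_nat):
    """RFC 3948: with a NAT on either side, carry ESP inside UDP on port 4500;
    otherwise use plain ESP, which a port-rewriting NAT cannot reliably forward."""
    if peer_behind_nat or self_behind_nat:
        return ("udp-encapsulated-esp", NAT_T_PORT)
    return ("esp", None)


def run_scenario(client_behind_nat):
    """Simulate the client -> gateway NAT-D exchange with or without a NAT in the path."""
    # The client only knows its private address and the gateway address.
    payloads = build_nat_d_payloads(CKY_I, CKY_R, CLIENT_PRIVATE_IP, ISAKMP_PORT,
                                    GATEWAY_IP, ISAKMP_PORT)
    # The gateway sees either the NAT's public address or the client's own address as source.
    observed_src = CLIENT_PUBLIC_IP if client_behind_nat else CLIENT_PRIVATE_IP
    peer_nat, self_nat = detect_nat(payloads, CKY_I, CKY_R, GATEWAY_IP, ISAKMP_PORT,
                                    observed_src, ISAKMP_PORT)
    return choose_transport(peer_nat, self_nat)


if __name__ == "__main__":
    print("client behind NAT  ->", run_scenario(True))
    print("no NAT in the path ->", run_scenario(False))
```

With a NAT in the path the gateway's recomputed hash of the observed source (203.0.113.5) differs from the client's hash of 192.168.1.10, so both sides move to UDP 4500 and ESP is wrapped in UDP, which a stateful NAT tracks like any other UDP flow. Both peers must support and offer NAT-T in IKE for this to happen; if the terminating firewall has it disabled, as Leo describes, the detection never takes place and the negotiation falls back to plain ESP behind the NAT.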
