VPN Client not decrypting data

Unanswered Question
Jan 27th, 2010
User Badges:

I recently upgraded my remote vpn access from a VPN concentrator 3030 to an ASA 5540 (8.2.2).  For the most part the upgrade completed without trouble.  I have had a couple of instantances where remote users are able to connect but not pass traffic.  The users are prompted for a username and password (xauth).  Authentication passes, they are then prompted to accept (ok) the VPN message banner.  No data passes at this point.  From the ASA I can see data decrypting and encrypting.  From the remote client, I can see data encrypting but no data encrypts.

any ideas?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rmeans Wed, 01/27/2010 - 10:39
User Badges:

correction...from the VPN client data is encrypting.  The ASA does not receive anything.  From HQ, I can send ICMP and see the traffic encrypt but the vpnclient counters do not receive.

Yudong Wu Wed, 01/27/2010 - 14:43
User Badges:
  • Gold, 750 points or more

First of all, you need find out in which direction the traffic is dropping.

sending the traffic from HQ, then check encrypt/decrypt counts on both ASA and client to see which one is NOT incrementing.

sending the traffic from the client and check the count as well.

After you figureout the direction, check the following item.

1. routing

2. NAT 0

3. NAT-T

4. ACL blocking

santoshvijapur Wed, 01/27/2010 - 23:56
User Badges:

I agree with Kevin,

most of the scenario it will be the routing issue ,

1)reverse routing from  ASA deivice to BACKBONE switch  or next hop  . i

2)f you have redundat firewall between  backbone switch to ASA . check access has been provied for the source subnet ( VPN pool subnet ) towards  backbone servers ( ex)

pudawat Thu, 01/28/2010 - 17:14
User Badges:


Packets are getting dropped somewhere in between.Is there any firewall blocking ESP packets?

try to enable "cry isakmp nat-t 20" on firewall




This Discussion