01-27-2010 10:01 AM
I recently upgraded my remote vpn access from a VPN concentrator 3030 to an ASA 5540 (8.2.2). For the most part the upgrade completed without trouble. I have had a couple of instances where remote users are able to connect but not pass traffic. The users are prompted for a username and password (xauth). Authentication passes, they are then prompted to accept (ok) the VPN message banner. No data passes at this point. From the ASA I can see data decrypting and encrypting. From the remote client, I can see data encrypting but no data encrypts.
Any ideas?
01-27-2010 10:39 AM
Correction: from the VPN client data is encrypting. The ASA does not receive anything. From HQ, I can send ICMP and see the traffic encrypt but the VPN client counters do not receive.
01-27-2010 02:43 PM
First of all, you need to find out in which direction the traffic is dropping.
Send the traffic from HQ, then check the encrypt/decrypt counts on both the ASA and the client to see which one is NOT incrementing.
Send the traffic from the client and check the counts as well.
After you figure out the direction, check the following items.
1. routing
2. NAT 0
3. NAT-T
4. ACL blocking
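The direction check described in the reply above, as an added example that is not part of the original thread: it compares encrypt/decrypt counter deltas from the ASA and the client and reports which direction is dropping. The sample captures, the client figures and the `diagnose` helper are constructed for illustration, and the mapping from each symptom to the checklist items is an assumption of this example, not something the posters state.

```python
import re

# Constructed samples of the two counter lines from "show crypto ipsec sa" on
# the ASA, captured before and after sending test traffic in both directions.
ASA_BEFORE = """
  #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_AFTER = """
  #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Constructed client-side deltas, read by hand from the VPN client statistics.
CLIENT_DELTA = {"encrypt": 30, "decrypt": 0}

COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def asa_counters(text):
    """Parse one capture (single SA assumed) into {'encrypt': n, 'decrypt': n}."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}

def delta(before, after):
    """Packets counted between two captures."""
    return {name: after[name] - before[name] for name in before}

def diagnose(asa, client):
    """Map counter deltas to the direction that drops (hypothetical helper)."""
    findings = []
    if client["encrypt"] > 0 and asa["decrypt"] == 0:
        findings.append("client->HQ: client encrypts, ASA decrypts nothing; "
                        "ESP lost in transit, check NAT-T and ESP filtering")
    if asa["encrypt"] > 0 and client["decrypt"] == 0:
        findings.append("HQ->client: ASA encrypts, client decrypts nothing; "
                        "ESP lost in transit, check NAT-T and ESP filtering")
    if asa["decrypt"] > 0 and asa["encrypt"] == 0:
        findings.append("HQ->client: ASA decrypts but never encrypts a reply; "
                        "check routing back to the VPN pool, NAT 0 and ACLs")
    return findings or ["counters increment in both directions"]

if __name__ == "__main__":
    for line in diagnose(delta(asa_counters(ASA_BEFORE), asa_counters(ASA_AFTER)),
                         CLIENT_DELTA):
        print(line)
```

The constructed sample reproduces the symptom in the correction post: both sides encrypt, neither side decrypts.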
01-27-2010 11:56 PM
I agree with Kevin.
In most scenarios it will be a routing issue:
1) Reverse routing from the ASA device to the backbone switch or next hop.
2) If you have a redundant firewall between the backbone switch and the ASA, check that access has been provided for the source subnet (VPN pool subnet) towards the backbone servers ( ex)
01-28-2010 05:14 PM
Hi,
Packets are getting dropped somewhere in between. Is there any firewall blocking ESP packets?
Try to enable "cry isakmp nat-t 20" on the firewall.
Regards,
Pradhuman