VPN Client not decrypting data

rmeans
Level 3

I recently upgraded my remote VPN access from a VPN concentrator 3030 to an ASA 5540 (8.2.2). For the most part the upgrade completed without trouble. I have had a couple of instances where remote users are able to connect but not pass traffic. The users are prompted for a username and password (xauth). Authentication passes, they are then prompted to accept (ok) the VPN message banner. No data passes at this point. From the ASA I can see data decrypting and encrypting. From the remote client, I can see data encrypting but no data encrypts.

Any ideas?

4 Replies

rmeans
Level 3

Correction... from the VPN client data is encrypting. The ASA does not receive anything. From HQ, I can send ICMP and see the traffic encrypt but the vpnclient counters do not receive.

First of all, you need to find out in which direction the traffic is dropping.

Send the traffic from HQ, then check the encrypt/decrypt counts on both the ASA and the client to see which one is NOT incrementing.

Send the traffic from the client and check the counts as well.

After you figure out the direction, check the following items.

1. routing

2. NAT 0

3. NAT-T

4. ACL blocking
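
The counter comparison described in the reply above, as an added example that is not part of the thread. It diffs two snapshots of ASA `show crypto ipsec sa` output taken before and after test traffic; the sample text is constructed, and the client-side numbers are assumed to be read by hand from the VPN Client statistics window.

```python
import re

# Constructed samples in the style of ASA "show crypto ipsec sa" output,
# taken before and after sending test traffic. Not captured from a real device.
ASA_BEFORE = """\
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
"""
ASA_AFTER = """\
      #pkts encaps: 130, #pkts encrypt: 130, #pkts digest: 130
      #pkts decaps: 45, #pkts decrypt: 45, #pkts verify: 45
"""

COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_counters(text):
    """Return encrypt/decrypt packet totals summed over every SA in the text."""
    totals = {"encrypt": 0, "decrypt": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def delta(before, after):
    """Counter growth between two snapshots of the same device."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in b}


def diagnose(asa_delta, client_delta):
    """Name the direction(s) in which one side encrypts and the other never decrypts."""
    findings = []
    if asa_delta["encrypt"] > 0 and client_delta["decrypt"] == 0:
        findings.append("HQ->client: ASA encrypts, client does not decrypt")
    if client_delta["encrypt"] > 0 and asa_delta["decrypt"] == 0:
        findings.append("client->HQ: client encrypts, ASA does not decrypt")
    if asa_delta["decrypt"] > 0 and asa_delta["encrypt"] == 0:
        # Tunnel delivers inbound traffic but nothing returns to the ASA
        # for encryption: look at inside routing to the VPN pool and NAT 0.
        findings.append("ASA decrypts but never encrypts: return path inside HQ")
    return findings or ["counters increment in both directions"]


if __name__ == "__main__":
    client = {"encrypt": 8, "decrypt": 0}  # constructed, read from the client GUI
    for line in diagnose(delta(ASA_BEFORE, ASA_AFTER), client):
        print(line)
```

Loss in both directions while each side still encrypts points at the path between the peers (items 3 and 4 in the list above) rather than at routing behind the ASA.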

I agree with Kevin.

In most scenarios it will be a routing issue:

1) Reverse routing from the ASA device to the backbone switch or next hop.

2) If you have a redundant firewall between the backbone switch and the ASA, check that access has been provided for the source subnet (VPN pool subnet) towards the backbone servers ( ex)

Hi,

Packets are getting dropped somewhere in between. Is there any firewall blocking ESP packets?

Try to enable "cry isakmp nat-t 20" on the firewall.

Regards,

Pradhuman
