SA 520W VPN problem with 192.168.1.x (WARNING: In order to ensure proper functionality, the router will ...)


I need help. I can find no documentation on this problem. I have a Microsoft Small Business Server which I have been running for some time. I have been using for the last 10 years the private IP space 192.168.1.x, with subnet mask 255.255.255.0. I have an Active Directory structure that is based on this address space with my default route for the network at 192.168.1.254. I recently purchased a CISCO SA 520W appliance. Every time I add a VPN user to the VPN User Database, I get a popup that states "WARNING: In order to ensure proper functionality, the router will need to change its IP address to 10.x.y.1 to avoid conflicts with the remote network. You will need to reboot all PCs and network devices connected to the router. If you have set static IP addresses on any device or if you are using port forwarding, you will need to update its IP address to new IP range to operation. Would you like to continue?" With a selection of "OK" or "Cancel". If I select "OK" the router resets and I can no longer get access to it, resulting in me setting it back to factory default and starting over. If I select "Cancel" at this point it does not add the user to the database. I have tried everything I can think of. If I use the default IP address or any other IP address space, as long as I don't use 192.168.1.x, it works fine. This seems to be some limit set by Cisco, although I can't understand why, as the IP space is a very common one in use. Is there any solution except for reconfiguring my DNS and Active Directory?

Please respond understanding that I am a mid-level capable network engineer. I have worked with CISCO in the past, but mainly Enterprise-level layer 2 and 3 switches. I am a network security person (CISSP) with medium network skill levels.

Thanks,

Rich K, CISSP

Te-Kai Liu Sun, 03/14/2010 - 12:11

Please try the following and see if it will work around the issue you have.

Manually change the LAN IP of SA520W to 192.168.2.1.

Add all the QuickVPN users you have. You should not see any pop-up due to the LAN IP change above.

Change the router's LAN IP back to 192.168.1.1.

Since 192.168.1.x is one of the most popular subnet addresses, if QuickVPN users try to connect from this subnet and the router has the same subnet IP address, the tunnel will not be able to connect. Users will be stuck with "Verifying Network..."
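The subnet collision described in the reply above, as an added example that is not part of the original thread and not Cisco's code: it checks a site LAN against the LANs remote users connect from and picks a /24 that overlaps none of them. The client addresses and the 10.0.0.0/8 pool are constructed for illustration; the site addresses are the ones mentioned in the thread.

```python
import ipaddress

def lan_of(addr):
    """Network containing an interface address such as '192.168.1.254/24'."""
    return ipaddress.ip_network(addr, strict=False)

def conflicts(site_addr, client_addrs):
    """Client LANs that overlap the site LAN. The thread reports that the
    QuickVPN tunnel fails to connect when the two sides share a subnet."""
    site = lan_of(site_addr)
    return [str(lan_of(c)) for c in client_addrs if lan_of(c).overlaps(site)]

def pick_site_lan(client_addrs, pool="10.0.0.0/8", prefix=24):
    """First subnet of the pool (an assumed pool) overlapping no client LAN."""
    taken = [lan_of(c) for c in client_addrs]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(t) for t in taken):
            return str(candidate)
    return None  # pool exhausted

if __name__ == "__main__":
    # Constructed sample: addresses remote users might be given by their
    # home or hotel routers. Not taken from the thread.
    clients = ["192.168.1.37/24", "192.168.0.12/24", "10.0.0.5/24"]
    for site in ("192.168.1.254/24", "192.168.2.1/24"):
        print(site, "conflicts with", conflicts(site, clients) or "nothing")
    print("suggested site LAN:", pick_site_lan(clients))
```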

No, this is a deliberate design limitation. See my long response on this post. https://supportforums.cisco.com/message/3079409#3079409 It should explain more. This was April of this year. I did actually return the SA520W for this reason and other limited functionality. I received an email and call from an engineer. They did promise to send me a new unit to try the newest firmware. That never materialized but I did get an email last week that they were still going to send it. I haven't received it to date. I am interested to see any changes they may have made.

Sorry,

Regards,

Rich Koch, CISSP

Wow - that's unfortunate. Hopefully you'll get something out of it for all of the wasted time.

I should have researched this more before I purchased. Silly me - thinking Cisco was the best...

I probably wasted 4-6 hours, if not more, trying to get their QuickVPN client to work. They finally blamed it on my ISP, who I spent plenty of time on the phone with as well. The funny thing that they couldn't explain, though, was that it also would not work on my Sprint 3G/4G data card. After this test, I wrote the whole thing off to a design flaw.

In the end, I went back and set up a M$ PPTP VPN for the time being, until I have time to figure out a better solution. I only have a couple of remote users anyhow.

Thanks for the response and good luck to you!

JW
