VPN Client - worked, then stopped working

linnea.wren
Level 1

Hi All,

One person reports to me that he can no longer connect to the 5505 certificate based VPN.

I got him to send me his VPN client log file for 2 attempts, one with Connection Entry Property - Transport set to UDP, the other with it set to TCP.  (Both these settings work for multiple other people.)

In the log file for the UDP attempt I find a point where client sends

"ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)",

then client sends 3

"ISAKMP OAK MM (FRAG)"

After that, he just retransmits the 4 messages shown above, till he gives up.  Successful connection logged on another machine shows the client receiving an "ISAKMP packet", then 3 "ISAKMP OAK MM (FRAG)".

His log file for the attempt using TCP for the transport shows 4 TCP SYN packets sent from the client, but no SYN-ACK is received back by the client.

This happens when he attempts connecting from home, where his ISP is Comcast.

The same machine, on our enterprise unsecured wireless connects successfully.

So there must be an issue in his home network, or with Comcast.  Something that could conceivably have changed between Thursday and Friday last week...

Can anyone suggest what I might tell him to check for, or to ask Comcast about?

TIA, Linnea

3 Replies

Jennifer Halim
Cisco Employee

If he never receives a SYN-ACK back from the ASA, it sounds like the SYN packet doesn't even leave the home network/Comcast. It could very well be Comcast, as I know someone who used Comcast before and couldn't connect to the VPN, but when he connected wirelessly through a different ISP, it worked just fine.

Linnea

If you suspect that Comcast might be interfering with the traffic, it might be helpful to use the capture facility of the ASA to capture packets originating from the user's IP address and being sent to the user's IP address. Especially for the TCP attempt, it would verify whether the ASA is seeing the SYN request and is sending a response.

HTH

Rick
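As an added illustration of Rick's suggestion (not posted by anyone in the thread), this is how the ASA capture facility can be pointed at one remote user's address so both directions of the UDP and TCP attempts are recorded. USER_PUBLIC_IP, TFTP_SERVER and the interface name "outside" are placeholders; the interface is assumed to be the Internet-facing one.

```cisco
! Added example, not from the original thread. USER_PUBLIC_IP = the user's home
! public address; "outside" is assumed to be the ASA's Internet-facing interface.
! Match traffic in both directions between the user's address and anything on the ASA.
access-list VPNUSER-CAP extended permit ip host USER_PUBLIC_IP any
access-list VPNUSER-CAP extended permit ip any host USER_PUBLIC_IP
capture vpnuser access-list VPNUSER-CAP interface outside buffer 1000000

! Have the user retry once with UDP transport and once with TCP transport, then look:
show capture vpnuser
! What to expect:
!  - UDP attempt: ISAKMP (udp/500, or udp/4500 once NAT-T is negotiated) arriving from
!    USER_PUBLIC_IP, and the ASA's replies, including the fragmented MM packets the
!    client never saw in its own log.
!  - TCP attempt: the user's SYN followed by the ASA's SYN-ACK.
!  - Nothing from USER_PUBLIC_IP at all: the packets are dropped before they reach the
!    ASA (home router or ISP). SYN seen and SYN-ACK sent: the return path is suspect.

! Optional: export for Wireshark, then remove the capture when done.
copy /pcap capture:vpnuser tftp://TFTP_SERVER/vpnuser.pcap
no capture vpnuser
```

Capturing on the user's IP rather than on a port keeps the filter valid whether the client ends up on udp/500, udp/4500 or the TCP transport, so one capture covers both attempts the original post describes.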

Ayakosan1
Level 1

Has your client recently changed any settings on his home router?  For instance, is either his firewall or his router blocking IPSEC or PPTP?  He might have recently gotten either a new router or a new firewall program which is blocking those protocols.  If so, then VPN won't work.

Hope that helps.
