RDP/SSH not working when connected with vpn

Unanswered Question
Apr 19th, 2010


VPN users have started to complain that they cannot access any of their servers through RDP/SSH when they are connected with VPN.

When I check the logs I can see them connected but cannot see anything after that.

Any Ideas?



tahirs001 Mon, 04/19/2010 - 08:27


Yes, they all have routes back to the VPN clients.

This fault has just recently started.

slmansfield Mon, 04/19/2010 - 08:35

The VPN clients are able to ping the servers and get a response?

Were there any other changes made that could have impacted this access, such as firewall or adding additional encapsulation?

tahirs001 Mon, 04/19/2010 - 08:44


We do not allow ping.

I have checked and not made any changes that would affect this. This is only happening to a handful of users.


Federico Coto F... Mon, 04/19/2010 - 08:53


Is this a VPN client connection using the Cisco IPsec VPN client?

What is the VPN headend (ASA, router, etc.)?

Normally, when you configure a VPN tunnel, all encrypted traffic is allowed to pass through (unless explicitly blocked).

You mentioned that you cannot PING.

Can you test any other kind of traffic to see if the packets are reaching the servers?

Do you have split tunneling configured?

Are you bypassing NAT for the VPN traffic?

Is the VPN client getting an IP address assigned?


tahirs001 Mon, 04/19/2010 - 09:02

Hi Federico,

This is using the Cisco VPN client; the headend is an ASA.

What other kind of traffic can I test?

Split Tunneling is not configured.

How would I know that the user is bypassing NAT?

IP address is getting assigned by DHCP and the DG is the IP address that it picks up.

(Sorry but kind of fairly new to ASA and security)



Federico Coto F... Mon, 04/19/2010 - 09:12

In theory you can send any IP traffic that the server would receive (for example, telnet, SSH or any other traffic).

If this is not an option, since you're sending all traffic through the tunnel (no split-tunneling), on the ASA you should have the following:

There should be a NAT0 rule with an ACL defining the traffic for VPN. (I assumed this is fine since other clients work.)

One test:

Enable the command: management-access inside

on the ASA and try to PING that address from the VPN client.

Post the output of the following commands, when the tunnel is established:

sh cry isa sa det --> phase 1 information

sh cry ips sa --> phase 2 information


slmansfield Mon, 04/19/2010 - 09:40

You might also verify that you have NAT-traversal configured.

crypto isakmp nat-traversal 20
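Putting the checks from the two replies above together (NAT exemption for the VPN pool, no split tunnel, management-access on the inside interface, NAT-traversal, and the verification commands): the fragment below is an added example and is not configuration from this thread or from the original poster's ASA. It uses ASA 8.2-style NAT syntax, which was current in 2010; the pool, subnet, ACL and group-policy names are assumptions.

```cisco
! Added example, not from the thread. ASA 8.2-style remote-access IPsec config.
! All names and addresses are assumed: VPN-POOL, NONAT, RA-POLICY,
! 192.168.100.0/24 for clients, 10.10.0.0/16 for the internal servers.

! Addresses handed to the Cisco VPN client
ip local pool VPN-POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0

! NAT exemption ("NAT0"): inside hosts talking to VPN clients must not be
! translated, otherwise the return traffic to the client never matches the
! tunnel. On 8.3+ this is written as a "nat (inside,outside) source static"
! twice-NAT rule instead.
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! No split tunneling: everything from the client goes through the tunnel
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelall

! NAT-Traversal: encapsulate ESP in UDP/4500 when a NAT device sits between
! the client and the ASA, with a 20-second keepalive to hold the mapping open
crypto isakmp nat-traversal 20

! Lets VPN clients reach the ASA's inside interface address (ping, SSH, ASDM),
! which gives a test target on the inside without touching the servers
management-access inside

! Verification once a client is connected
show crypto isakmp sa detail
show crypto ipsec sa
show vpn-sessiondb remote
```

Reading the output of `show crypto ipsec sa` for the affected client's SA: `#pkts decaps` counts packets the ASA decrypted from the client, `#pkts encaps` counts packets it encrypted back to the client. Decaps rising while encaps stays flat means the client's traffic enters the tunnel but nothing returns, which points at the NAT exemption or the servers' routes; decaps staying at zero means the client's traffic is not arriving at all, which points at NAT-T or the path from the client. Because ICMP is blocked in this environment, test with the TCP service itself (a Telnet to port 22 or 3389 from the client) rather than with ping.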

