662 Views, 0 Helpful, 8 Replies

RDP/SSH not working when connected with vpn

tahirs001
Level 1

Hello,

VPN users have started to complain that they cannot access any of their servers through RDP/SSH when they are connected with VPN.

When I check the logs I can see them connected but cannot see anything after that.

Any Ideas?

Thanks

Tahir

8 Replies

slmansfield
Level 4

Do your servers have a route to the VPN clients?

Hi,

Yes, they all have routes back to the VPN clients.

This fault has just recently started.

The VPN clients are able to ping the servers and get a response?

Were there any other changes made that could have impacted this access, such as firewall or adding additional encapsulation?

Hi,

We do not allow ping.

I have checked and not made any changes that would affect this. This is only happening to a handful of users.

Thanks

Hi,

Is this a VPN client connection using the Cisco IPsec VPN client?

What is the VPN headend (ASA, router, etc.)?

Normally, when you configure a VPN tunnel, all encrypted traffic is allowed to pass through (unless explicitly blocked).

You mentioned that you cannot PING.

Can you test any other kind of traffic to see if the packets are reaching the servers?

Do you have split tunneling configured?

Are you bypassing NAT for the VPN traffic?

Is the VPN client getting an IP address assigned?

Federico.

Hi Federico,

This is using the Cisco VPN client; the headend is an ASA.

What other kind of traffic can I test?

Split Tunneling is not configured.

How would I know that the user is bypassing NAT?

IP address is getting assigned by DHCP and the DG is the IP address that it picks up.

(Sorry but kind of fairly new to ASA and security)

Thanks

Tahir

In theory you can send any IP traffic that the server would receive (for example, telnet, SSH or any other traffic).

If this is not an option, since you're sending all traffic through the tunnel (no split-tunneling), on the ASA you should have the following:

There should be a NAT0 rule with an ACL defining the traffic for VPN. (I assumed this is fine since other clients work).

One test:

Enable the command: management-access inside

on the ASA and try to PING that address from the VPN client.

Post the output of the following commands, when the tunnel is established:

sh cry isa sa det --> phase 1 information

sh cry ips sa --> phase 2 information

Federico.

You might also verify that you have NAT-traversal configured.

crypto isakmp nat-traversal 20
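The three items raised in the replies above (a NAT exemption for the VPN pool, management-access on the inside interface as a reachability test, and NAT traversal) put together as one ASA configuration. This is an added example, not configuration posted by anyone in the thread; the VPN pool 10.10.10.0/24, the inside LAN 10.1.0.0/16, the interface name "inside" and the pre-8.3 NAT syntax (matching the "NAT0 rule with an ACL" wording) are assumptions.

```cisco
! Added example, not from the thread. Assumed values: VPN pool 10.10.10.0/24,
! inside LAN 10.1.0.0/16, inside interface named "inside", pre-8.3 NAT syntax.
!
! 1. NAT exemption (the "NAT0 rule with an ACL"): traffic between the inside
!    LAN and the VPN pool must not be translated, or replies never reach the
!    client's tunnel address.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Let the inside interface address be reached through the tunnel, so a
!    VPN client can ping it as a reachability test even though the servers
!    themselves do not answer ICMP.
management-access inside
!
! 3. NAT traversal with a 20-second keepalive, for clients sitting behind a
!    NAT device between them and the ASA.
crypto isakmp nat-traversal 20
!
! Verification while an affected client is connected (phase 1, then phase 2):
! show crypto isakmp sa detail
! show crypto ipsec sa
! show access-list NONAT
```

When reading the `show crypto ipsec sa` output for the affected client, compare the `#pkts decaps` and `#pkts encaps` counters for that client's SA: if decaps keeps rising while encaps stays at zero, the ASA is receiving the client's packets but nothing is being sent back into the tunnel, which points at routing or NAT on the inside rather than at the tunnel itself. The hit counts on the NONAT entries shown by `show access-list` tell you whether the exemption is actually matching that client's pool address.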
