Only single IP can connect to resources behind VPN


Clients from a small remote office are connecting to a VPN provided by a PIX 515 using Cisco VPN Clients.


The users are locked down to accessing a single machine behind the VPN.  This has been working for years.  On Monday, users at the remote office reported that only one user could access the server.  After troubleshooting it was determined that only one IP from the remote office can connect.  Not only 1 IP at a time, but a single IP.  If another user at the office puts that IP on his computer he can now access the server behind the VPN.


All clients connect ok, but for some reason only this IP can traverse the VPN.


During debugging, show ipsec shows that the users who are not working are having problems decrypting packets:


  #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0


Any thoughts?

edadios Thu, 06/10/2010 - 20:06

Can you provide the show ipsec statistics of both the client and the PIX?


If the client shows encrypt and no decrypt, and if the PIX does not show both encrypt and decrypt, and the connection is native IPsec (not using NAT transparency), then it is likely that ESP (protocol 50) is being filtered for the specific problem IP addresses.


Regards,
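
The counter comparison suggested in the reply above, as an added example that is not part of the original thread: it parses per-peer `#pkts` counters in the format quoted in the question and flags SAs that carry traffic in one direction only. The sample text is constructed, and the `current_peer:` line format and the addresses are assumptions.

```python
import re

# Constructed sample; the "current_peer:" line format and addresses are assumptions.
SAMPLE = """\
current_peer: 192.0.2.10:500
  #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current_peer: 192.0.2.11:500
  #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
  #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
current_peer: 192.0.2.12:4500
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts\s+(\w+):\s*(\d+)")

def parse_sas(text):
    """Return {peer: {counter_name: int}} from SA counter output."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            sas[peer] = {}
        elif peer is not None:  # ignore counters before any peer line
            for name, value in COUNTER_RE.findall(line):
                sas[peer][name] = int(value)
    return sas

def classify(counters):
    """Label one SA by the direction of traffic seen on this device."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc and dec:
        return "two-way"
    if enc:
        return "tx-only"  # packets sent into the tunnel, none received back
    if dec:
        return "rx-only"
    return "idle"         # no traffic yet, so nothing can be concluded

def one_way_peers(text):
    """Peers whose SA shows traffic in one direction only."""
    return sorted(p for p, c in parse_sas(text).items()
                  if classify(c) in ("tx-only", "rx-only"))

if __name__ == "__main__":
    for peer, counters in parse_sas(SAMPLE).items():
        print(peer, classify(counters))
```

A `tx-only` result on one device is only half of the comparison: the counters for the same peer on the other end are still needed to tell filtering in transit from a device that never sent anything.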
