VPN Client Questions - MAC

Jul 18th, 2010

I have a situation where I have a mix of MAC and Windows machines and they need connectivity back to my network via my ASA5510.  I've installed the VPN client on my Windows machines, v 5.0.x and on my MAC machines, v4.9.x.  My Windows machines can connect and browse the network just fine, my MAC clients cannot.


My MAC clients are getting an IP address for the VPN network just fine, but I can't ping them.  I can ping my Windows machines just fine.


Did I miss a setting somewhere when configuring the MAC clients?


I'm lost.


Tom

Jennifer Halim Sun, 07/18/2010 - 09:40
Cisco Employee

Pls check if there is any personal firewall on the MAC machines that could potentially be blocking the inbound ping. Try to disable the firewall and test ping again.


Hope that helps.

tpennington Sun, 07/18/2010 - 10:01

Sorry, I left that part out.


No firewalls are enabled on the MAC, it's explicitly turned off and allowing all incoming connections.

tpennington Sun, 07/18/2010 - 10:03

BTW, from the MAC machine, I can't even ping myself, so now I'm really confused.


If I disconnect from the VPN, everything works as expected, I can ping my own IP, etc...


If it matters, and I hope it doesn't, I'm connecting over a Wireless network.

Jennifer Halim Sun, 07/18/2010 - 10:08
Cisco Employee

I assume that you are trying to ping the ip address assigned by the vpn from the vpn pool?

tpennington Sun, 07/18/2010 - 17:00

So here's what I found after a couple of hours of troubleshooting today.  Still not sure how to fix it though.


1.  When using the Cisco VPN on the MAC, I can connect just fine.

2.  When I run "netstat -rn" on the MAC, I see my new default route, but it doesn't take effect.


Why?  Here's the answer.


The network I'm on is 192.168.1.0/24.  The VPN Network/IP that I get a remote IP Address from is 192.168.70.0/24.  The Remote Network I'm trying to browse is 192.168.1.0/24.  See the problem?


The MAC does not know how to route from a 192.168.1.0/24, thru a 192.168.71.0/24 to a 192.168.1.0/24 network.


On a Windows machine, this works okay, on the MAC, not so much.


How I finally figured it out was by issuing the following command:  "ping -S 192.168.71.50 192.168.1.20".  The "-S" tells ping to use the 192.168.71.50 as the source address to then ping 192.168.1.20.  But this is the only way I can get it to work.


I tried adding a "route" command on the MAC and point it towards the VPN interface as the destination, but that just confused the heck out of the MAC and gave me destination unreachable messages all over the place.


I found a Cisco Release Note and it actually stated this whole thing as a 'problem', but no fix.


So I guess for now, I'm SOL.


Tom

Jennifer Halim Mon, 07/19/2010 - 13:58
Cisco Employee

Unfortunately you would need to change the home network to anything else but 192.168.1.0/24, otherwise, it looks like the MAC machine is trying to ARP for the ip address since it thinks that they are in the same subnet, and even though they are in the same subnet, they are not meant to be in the same subnet, hence causing the issue that you are experiencing, ie: it will ARP for it instead of routing the packet, hence specifically configuring the static route will not work.
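A way to see the overlap problem described in this thread from the routing table itself, as an added example that is not from the original posts or from Cisco: the script below parses a constructed `netstat -rn` sample (interface names `en0`/`utun0` and gateway addresses are assumed), performs the same longest-prefix match the kernel does, and reports any directly connected LAN prefix that overlaps a network you expect to reach through the tunnel.

```python
import ipaddress

# Constructed sample of `netstat -rn` from a Mac on the VPN, as in the thread: LAN
# 192.168.1.0/24 on en0, pool address on the tunnel, default route pushed through it.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.70.1       UGSc           12        0   utun0
127                127.0.0.1          UCS             0        0     lo0
192.168.1/24       link#4             UCS             3        0     en0
192.168.1.1        0:11:22:33:44:55   UHLWIir         5     1830     en0
192.168.70.50      127.0.0.1          UH              0        0     lo0
"""

def _to_network(dest):
    """Expand the abbreviated prefixes macOS prints ('192.168.1/24', '127')."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:  # no mask printed: classful for short forms, host for full ones
        plen = str(8 * len(octets)) if len(octets) < 4 else "32"
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def parse_routes(text):
    """Return one dict per route line: network, gateway, flags, interface."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Destination":
            continue
        routes.append({"net": _to_network(f[0]), "gw": f[1], "flags": f[2], "iface": f[5]})
    return routes

def lookup(routes, dst):
    """Longest-prefix match: the route the kernel picks for dst."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)

def overlap_report(routes, vpn_iface, remote_nets):
    """Connected prefixes on non-tunnel interfaces that overlap a remote network:
    hosts in the overlap are ARPed for on the LAN and never enter the tunnel."""
    found = []
    for rn in map(ipaddress.ip_network, remote_nets):
        for r in routes:
            if r["iface"] in (vpn_iface, "lo0") or "H" in r["flags"]:
                continue
            if r["net"].prefixlen > 0 and r["net"].overlaps(rn):
                found.append((str(rn), str(r["net"]), r["iface"]))
    return found
```

With the sample table, `lookup(parse_routes(SAMPLE_NETSTAT), "192.168.1.20")` picks the `en0` connected route, not the tunnel's default route, which is exactly why the remote 192.168.1.x hosts are unreachable until the home LAN uses a different prefix.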
