VPN Traffic Issue

Answered Question
Sep 24th, 2010

Okay, this happens to be the weirdest thing I've seen. Here is the setup. I have a Pix 515e firewall. I have VPN set up on it so my users can connect remotely from across the country.

I have one set of users who can't connect. Let me clarify. The VPN client connects, they are given an IP by the firewall, but they can't send traffic over the tunnel. I've tried pinging everything from the inside interface of the firewall to servers behind it and nothing. Now the set of users that aren't working all exist in the same location, running on the same network, and behind their own firewall. And they were working up until a week ago. Their provider says he hasn't changed anything on his firewall and I know I haven't changed anything on mine. So any help would be greatly appreciated.

Marcin Latosiewicz Fri, 09/24/2010 - 13:50

Mike,

Check if the client is encapsulating traffic. If it is and you're not seeing decaps on the PIX....

Do a sniffer trace on PIX and client.

If you see ESP or udp/4500 packets leaving towards the PIX but not arriving on the PIX, voila: something is dropping them on the way.

Marcin

mikewillis Tue, 09/28/2010 - 14:11

Without even doing any sniffing I see that packets are being bypassed for some reason. Everything appears right. I've reinstalled the VPN client software, redid the connection entry, and still nothing.

Again, and what's weird is that other VPN clients are working. Just not any from this particular location. Is there anything in particular I should be looking for when I ask the IT department that controls the firewall at this location? (And it was working a few weeks ago.)

Correct Answer
Jennifer Halim Tue, 09/28/2010 - 19:30

Pls turn on nat-traversal on your PIX firewall:

crypto isakmp nat-traversal

That would encapsulate the ESP in UDP/4500. It looks like it fails due to the NAT device at that particular location.

Hope that helps.

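The two pieces of advice in this thread fit together: Marcin's "capture on both ends and see which packets leave the client but never reach the PIX", and Jennifer's explanation that a NAT device in the path breaks raw ESP while NAT-T (ESP inside UDP/4500) gets through. The script below is an added illustration, not code from this thread or from Cisco: it builds small constructed IPsec packets, classifies them the way you would read a sniffer trace (ISAKMP on UDP/500, raw ESP as IP protocol 50, NAT-T IKE and NAT-T ESP on UDP/4500 told apart by the RFC 3948 non-ESP marker), compares a client-side capture with a PIX-side capture by traffic kind, and models the remote site's firewall as a simplified port-translating device with no IPsec passthrough. All addresses, payloads and the `pat_forward` model are assumptions made for the example.

```python
import socket
import struct
from collections import Counter

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE carried on UDP/4500 starts with four zero bytes


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload.
    Constructed test data, not a real capture."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, data):
    """UDP header with the checksum left at zero, followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet):
    """Return (kind, src, dst); kind is ISAKMP, NAT-T-IKE, NAT-T-ESP, ESP or OTHER."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    body = packet[ihl:]
    if proto == IP_PROTO_ESP:
        return ("ESP", src, dst)
    if proto == IP_PROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if 500 in (sport, dport):
            return ("ISAKMP", src, dst)
        if 4500 in (sport, dport):
            # IKE and ESP share UDP/4500; the non-ESP marker distinguishes them.
            kind = "NAT-T-IKE" if body[8:12] == NON_ESP_MARKER else "NAT-T-ESP"
            return (kind, src, dst)
    return ("OTHER", src, dst)


def lost_in_transit(client_capture, pix_capture):
    """Traffic kinds the client emitted that never appeared in the PIX capture.
    Compared by kind rather than by source address, because a NAT between the
    two capture points legitimately rewrites the source."""
    sent = Counter(classify(p)[0] for p in client_capture)
    seen = Counter(classify(p)[0] for p in pix_capture)
    return {kind: n for kind, n in sent.items() if seen[kind] == 0}


def pat_forward(packet, public_ip):
    """Simplified (assumed) model of a port-translating firewall without IPsec
    passthrough: UDP has its source address rewritten to the public address
    (port rewriting omitted); anything with no port field to map, such as raw
    ESP (IP protocol 50), is dropped."""
    if packet[9] != IP_PROTO_UDP:
        return None
    return packet[:12] + socket.inet_aton(public_ip) + packet[16:]


def simulate(nat_traversal):
    """Send IKE plus one data packet from a client behind PAT toward the PIX and
    report what got lost, with or without NAT-T enabled on both peers."""
    client, pix, public = "192.168.1.10", "203.0.113.1", "198.51.100.7"  # constructed addresses
    if nat_traversal:
        ike = build_ipv4(client, pix, IP_PROTO_UDP,
                         build_udp(4500, 4500, NON_ESP_MARKER + b"\x11" * 28))
        data = build_ipv4(client, pix, IP_PROTO_UDP,
                          build_udp(4500, 4500, b"\x00\x00\x01\x02" + b"\x22" * 40))
    else:
        ike = build_ipv4(client, pix, IP_PROTO_UDP, build_udp(500, 500, b"\x11" * 28))
        data = build_ipv4(client, pix, IP_PROTO_ESP, b"\x00\x00\x01\x02" + b"\x22" * 40)
    client_side = [ike, data]
    pix_side = [p for p in (pat_forward(x, public) for x in client_side) if p is not None]
    return lost_in_transit(client_side, pix_side)


if __name__ == "__main__":
    print("without NAT-T, dropped on the way:", simulate(False))  # {'ESP': 1}
    print("with NAT-T, dropped on the way:   ", simulate(True))   # {}
```

Read the output the way Marcin describes the sniffer comparison: with NAT-T off, IKE on UDP/500 reaches the PIX (so the client "connects" and gets an address), but every ESP data packet is missing at the PIX end, which is exactly the symptom in the question. With `crypto isakmp nat-traversal` on both sides the data rides in UDP/4500 and the same firewall forwards it. On real captures, feed `classify` the raw IPv4 frames from both ends and compare by kind, not by address, since the NAT will have rewritten the source.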