We've got a 3005 VPN concentrator and have successfully been using it for years for a bunch of split tunnels, both LAN-to-LAN and remote user. Now I have need of a non-split tunnel for a remote user, so I set up a new group that is the same as our existing group except that under "Client Config" it is set to "Tunnel Everything" instead of "Only tunnel networks in the list".
I then set up a new user that is set to use this new group.
When I log in with this new group/user, I can still access the internal network at the site of the concentrator, but I can't
reach the outside world. Well, interestingly, I can ping the outside world but I can't do
% ping www.google.com
PING www.l.google.com (22.214.171.124): 56 data bytes
64 bytes from 126.96.36.199: icmp_seq=0 ttl=55 time=1142.598 ms
64 bytes from 188.8.131.52: icmp_seq=1 ttl=55 time=1573.098 ms
% telnet www.google.com 80
telnet: connect to address 184.108.40.206: Operation timed out
To try and resolve this problem, I've tried a bunch of things, none of which have worked:
I thought maybe it was a problem with both groups using the same address pool, so I set up
a new pool just for this new group.
Although I didn't see any incoming packets being blocked, just in case, I allowed everything to
these addresses in our router:
! Permit incoming packets to non-split tunnel pool
permit ip any host xxx.51.157.100
permit ip any host xxx.51.157.101
No dice. I also thought perhaps the incoming packets to these addresses don't know where
they need to go (even though the fact that pings work would seem to say this isn't the
problem), so I set up static routes:
! Full (non-split) tunnel pool addresses route to VPN Concentrator
ip route xxx.51.157.100 255.255.255.255 xxx.51.157.25 155
ip route xxx.51.157.101 255.255.255.255 xxx.51.157.25 155
Finally, I thought maybe packet fragmentation could be at fault, so I set the maximum packet
size on the router to 1400:
ip tcp mss 1400
Oh, I should also include related logging. When I try connecting through the non-split
tunnel, the VPN Concentrator logs messages like the following:
1520959 09/28/2010 14:11:32.900 SEV=6 IPSEC/42 RPT=13179 220.127.116.11
Replay window failure (rcv'd 403, current 403) - discarding packet!
1520960 09/28/2010 14:11:32.910 SEV=6 IPSEC/42 RPT=13180 18.104.22.168
Replay window failure (rcv'd 405, current 405) - discarding packet!
1520961 09/28/2010 14:11:34.800 SEV=6 IPSEC/42 RPT=13181 22.214.171.124
Replay window failure (rcv'd 446, current 446) - discarding packet!
I also tried changing the behavior of the various filters from "Drop" to "Drop and Log" but that
didn't seem to result in any extra logging. I suspect those filters are not actually being used.
This was under
Configuration | Policy Management | Traffic Management | Filters
I've thought maybe I need to change some of the policy in
Configuration | Policy Management | Traffic Management | Rules
such as changing some from "Forward" to "Apply IPSec" though I'm wary of changing any global settings that might break the 99% of traffic (in split tunnels) that's working fine.
I don't have any firewalls enabled in the concentrator.
I'd welcome any ideas. Thanks...
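As an added example (not part of the post, and not the poster's or Cisco's code): a small parser for the concentrator's two-line "Replay window failure" events quoted above, which tells exact duplicates (rcv'd equal to current, i.e. the same ESP packet arriving twice) from packets that are merely older than the latest accepted sequence number, and tallies them per peer. The sample log is constructed to match the quoted layout; the addresses and counters are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the concentrator's event log quoted in the
# post; the addresses (RFC 5737 documentation ranges) and counters are made up.
SAMPLE_LOG = """\
1520959 09/28/2010 14:11:32.900 SEV=6 IPSEC/42 RPT=13179 198.51.100.7
Replay window failure (rcv'd 403, current 403) - discarding packet!
1520960 09/28/2010 14:11:32.910 SEV=6 IPSEC/42 RPT=13180 198.51.100.7
Replay window failure (rcv'd 405, current 405) - discarding packet!
1520961 09/28/2010 14:11:34.800 SEV=6 IPSEC/42 RPT=13181 198.51.100.7
Replay window failure (rcv'd 446, current 446) - discarding packet!
1520962 09/28/2010 14:11:35.100 SEV=6 IPSEC/42 RPT=13182 203.0.113.9
Replay window failure (rcv'd 120, current 190) - discarding packet!
"""

HEADER = re.compile(
    r"^(?P<id>\d+) (?P<date>\d\d/\d\d/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<cls>IPSEC/\d+) RPT=\d+ (?P<peer>\S+)$")
REPLAY = re.compile(
    r"Replay window failure \(rcv'd (?P<rcvd>\d+), current (?P<cur>\d+)\)")


def parse_replay_events(text):
    """Pair each header line with the message line that follows it; keep replay failures."""
    events, lines = [], text.splitlines()
    for i in range(len(lines) - 1):
        hdr, msg = HEADER.match(lines[i]), REPLAY.search(lines[i + 1])
        if not (hdr and msg):
            continue
        rcvd, cur = int(msg["rcvd"]), int(msg["cur"])
        events.append({
            "peer": hdr["peer"], "time": hdr["time"], "rcvd": rcvd, "current": cur,
            # ESP anti-replay: a sequence number equal to the highest already accepted
            # is an exact duplicate (the same packet was delivered twice); a lower one
            # was either already seen or has fallen out of the replay window.
            "kind": "duplicate_of_latest" if rcvd == cur else "older_than_latest",
        })
    return events


def summarize(events):
    """Per-peer counts by kind, to separate duplicate delivery from reordering/lag."""
    out = defaultdict(lambda: {"duplicate_of_latest": 0, "older_than_latest": 0})
    for e in events:
        out[e["peer"]][e["kind"]] += 1
    return dict(out)


if __name__ == "__main__":
    for peer, counts in summarize(parse_replay_events(SAMPLE_LOG)).items():
        print(peer, counts)
```

A run of duplicate_of_latest entries from one peer, as in the quoted log, points at the same encrypted packets reaching the concentrator twice rather than at out-of-order delivery.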