VPN won't connect from some locations

lhite1234
Level 1

I have a notebook computer running Cisco VPN Client v5 which connects to the office network fine from some locations, but not from other locations. And at the locations where it won't connect, it will connect fine to another unrelated network. By "won't connect" I mean that I cannot access any of the resources on the office network -- the client software appears to work, but there's no access; I can't ping anything on the office network. What would cause this? Here's the log file from a location where it won't connect to the office network:

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: E:\Cisco Systems VPN Client\

1      21:36:30.625  03/07/11  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
    Destination    5.0.0.0
    Netmask    255.0.0.0
    Gateway    192.36.253.1
    Interface    192.36.253.179

2      21:36:30.625  03/07/11  Sev=Warning/2    CM/0xA3100024
Unable to add route. Network: 5000000, Netmask: ff000000, Interface: c024fdb3, Gateway: c024fd01.

In this particular case, the local network is using the 192.168.1.x IP range, so that shouldn't be an issue.

lee

Accepted Solution

Jennifer Halim
Cisco Employee

It might be that you are going through a PAT device, hence you are not able to access any of the resources after the VPN is connected, because ESP packets typically won't pass through a PAT device.

What needs to be configured on the VPN server is to allow NAT-T (NAT Traversal), i.e., encapsulation of the ESP packet into a UDP or TCP packet, so it passes through the PAT device just fine.

What VPN server do you have to terminate the VPN Client?

The command to enable it on ASA would be: crypto isakmp nat-traversal 20

Let me know if you have other devices as the VPN server.

Hope that helps.

Thanks for the quick reply -- we're using a Cisco ASA 5505. I'll talk to the network admin about the config change and let you know.

That config change did the trick -- thanks!

lee
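
Added example, not part of the original thread and not Cisco code: a Python classifier for packets captured on the client's outside interface, telling native ESP (IP protocol 50, which has no ports for a PAT device to translate) apart from the UDP/4500 encapsulation that NAT-T uses per RFC 3948. The sample packets, addresses and function names are constructed for illustration, and only the UDP form of encapsulation is covered, not TCP.

```python
import struct

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers
IKE_PORT, NATT_PORT = 500, 4500    # IKE, and IKE/ESP after the NAT-T port float

def classify(packet: bytes) -> str:
    """Classify one raw IPv4 packet captured outside the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4   # IPv4 header length in bytes
    if packet[9] == PROTO_ESP:
        return "esp-native"        # no ports: nothing for PAT to translate
    if packet[9] != PROTO_UDP or len(packet) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    payload = packet[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"          # RFC 3948 keepalive, one 0xFF byte
        if payload[:4] == b"\x00" * 4:
            return "ike-natt"                # non-ESP marker precedes IKE
        return "esp-in-udp" if len(payload) >= 8 else "other"
    return "ike" if IKE_PORT in (sport, dport) else "other"

def diagnose(packets) -> str:
    """Summarise a capture: is ESP travelling natively or inside UDP/4500?"""
    kinds = {classify(p) for p in packets}
    if "esp-in-udp" in kinds:
        return "NAT-T in use: ESP rides inside UDP/4500"
    if "esp-native" in kinds:
        return "native ESP (IP protocol 50): typically fails behind PAT"
    return "no ESP seen"

# --- constructed sample packets (not from the original thread) ---
def ipv4(proto, payload, src=b"\xc0\xa8\x01\x0a", dst=b"\xcb\x00\x71\x05"):
    """Minimal IPv4 header (checksum 0), 192.168.1.10 -> 203.0.113.5."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + src + dst + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

ESP = bytes.fromhex("1234567800000001") + b"\x00" * 16   # SPI, sequence, filler
BEHIND_PAT_NO_NATT = [ipv4(PROTO_UDP, udp(500, 500, b"\xaa" * 28)), ipv4(PROTO_ESP, ESP)]
WITH_NATT = [ipv4(PROTO_UDP, udp(4500, 4500, b"\x00" * 4 + b"\xaa" * 28)),
             ipv4(PROTO_UDP, udp(4500, 4500, ESP)),
             ipv4(PROTO_UDP, udp(4500, 4500, b"\xff"))]

if __name__ == "__main__":
    print(diagnose(BEHIND_PAT_NO_NATT))
    print(diagnose(WITH_NATT))
```

A capture that shows IKE completing on UDP/500 followed only by protocol 50 packets leaving the client, with none returning, matches the symptom in this thread; after NAT-T is enabled on the ASA the same capture shows UDP/4500 instead.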
