SA540 Appliance question - IPSEC VPN - Split Tunnel

jeff.heyen
Level 1

SA540 Configuring VPN (IPSEC): customer would like to be connected to VPN and be able to access the internet simultaneously. Removed existing policies, then under Dynamic IP range selected split tunnel, applied, and then recreated the policies. When the remote user attempted connection it timed out and never reached a login prompt. Reversed the process and put the setting back to full tunnel and it picks right back up. In the config guide the only place where split tunnel is mentioned is under the SSL VPN section, so wondering if this config is supported under IPSEC VPN?

8 Replies

Tom Watts
VIP Alumni

Hi Jeff, the IPsec VPN is very similar to the SSL VPN. In the sense, you are correct, you have to delete the existing VPN policy then modify the Dynamic IP Range section then rebuild the policy. To the best of my recollection this is the only requirement needed for it to work.

I am assuming you're using the Cisco VPN Client (5.x).  Here is a link to the SA500 VPN resources

http://www.cisco.com/en/US/products/ps9932/prod_technical_reference_list.html

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Tom,

Thanks, I was thinking so as I read that tip on one of the forums, but it didn't work. I did just that: deleted the IKE and VPN policy, switched the IP Range to split tunnel, recreated the policies. The user then got no response from the host. Yes, we are using the 5.0 client as well.

Jeff

Jeff, please delete both policies again, modify to split tunnel, rebuild then reboot the router.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Will do the next time I get on it, though we rebooted the router as well following our last attempt, with no joy.

Thanks

Jeff

time to leave the office...............

Here's some food for thought

https://supportforums.cisco.com/thread/2168905

https://supportforums.cisco.com/thread/2162799

https://supportforums.cisco.com/thread/2135122

My experience with these boxes is with the 2.1.71 software and earlier. The latest firmware supported is the 2.2.0.7 firmware. If you're not using the 2.1.7.1 or the 2.2.0.7 you may consider doing this as well. Just remember, if you're using the 2.2.0.7 firmware, you need to factory default reset the box and manually reconfigure.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Tom,

The very first thing I did was upgrade the firmware and reset to factory specs. I will review your links and possibly hit the 'reset' button one more time for good measure.

Thanks,

Jeff

Tom,

Reviewed your links.......

#1: the only difference in the steps I took is not recreating the user each time first. Otherwise the config and process looks identical. However, in my case I can connect over a full tunnel config, but not a split tunnel .......strange

#2: I used this one already to find the tunnel selection under the IP range.............saw this before I got on here.

#3: Similar to #1 but doesn't look like any resolution..............I'll try everything from the ground up one more time, but am thinking I may have to call support.

Unless you or someone else has any other ideas; there is not too much you can do wrong on this setup though.......

Hi Jeff, that's pretty much my only point as well. There is not much to this at all. I have not used the 2.2.0.7 firmware, that's the only difference between you and anyone else I've talked to.

If you're having some problems it may not be a bad idea to try to revert to 2.1.7.1 and see if that makes a difference. I think it would be a fair statement if the 2.1.7.1 works perfectly well on the same config then the 2.2.0.7 is either not working correctly or perhaps a new configuration has been introduced I am not aware of.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/