Bytes sent 0 Bytes Received

Unanswered Question
Jul 24th, 2005

I’m a VPN rookie and my IT expertise is in development not networking. This is the first time I have tried to establish a connection.

I had no problem getting connected but there appears to be a routing problem on the return trip. I see that I am connected, and that I am sending, but can’t seem to receive anything.

I have done about everything I can think of but I am really stuck. I’ve shut down all my firewalls, verified that there is no port blocking from my ISP, and placed my machine in my wireless router’s DMZ. I’m using Windows XP in conjunction with Cisco VPN client 4.0.3(A).

I really hope somebody can help, I am an independent contractor with a deliverable on Monday and tech support at the client is unreachable. Thanks in advance for the help!

Richard Burts Sun, 07/24/2005 - 17:01

To clarify a few things: you say that you are getting connected. Am I correct to assume that you initiate the connection, that you get prompted for userID and password, that you successfully get authenticated?

Would I also assume that the VPN connection assigns you an IP address? If you are in the DMZ of the wireless router, does the wireless router know how to route packets to/from your assigned address?

HTH

Rick

dansheridan Mon, 07/25/2005 - 07:50

Thanks for the response Rick.

I get a successful authentication after login and password entry and no error messages in the logfile.

I see the route assignment where the VPN appears to be setting up the return route (I even tried manually removing my wireless assigned route and setting up a static route).

I think I see what you're getting at, even if I set up a static route from my wireless the VPN will only work if I have a public IP. Is there any way I can make this work with the router in the chain?

Also is there anything on the host side that requires registration like my MAC (or router MAC)? Could this be a server side problem?

Thanks!

-Dan

Richard Burts Mon, 07/25/2005 - 09:15

Dan

I can not think of anything that requires registration like your MAC or anything. There is certainly some possibility that it is a server side problem.

It might be helpful if you post the output of ipconfig (or equivalent command depending on your OS) and also perhaps a route print.

When you run the VPN what connectivity do you have? Can you ping your default gateway? Can you ping the VPN server?

I am not sure that I understand your comment about being in the wireless router DMZ. Does your wireless router have an outside, an inside, and a DMZ? Or is it just outside and inside/DMZ?

HTH

Rick

dansheridan Mon, 07/25/2005 - 14:36

Before:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 80 c8 18 2e c5 ...... D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
0x10004 ...00 0b cd 18 44 23 ...... National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter - Packet Scheduler Miniport

Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          192.168.0.1    192.168.0.100  25
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.0.0          255.255.255.0    192.168.0.100  192.168.0.100  25
192.168.0.100        255.255.255.255  127.0.0.1      127.0.0.1      25
192.168.0.255        255.255.255.255  192.168.0.100  192.168.0.100  25
224.0.0.0            240.0.0.0        192.168.0.100  192.168.0.100  25
255.255.255.255      255.255.255.255  192.168.0.100  10004          1
255.255.255.255      255.255.255.255  192.168.0.100  192.168.0.100  1
Default Gateway: 192.168.0.1

Persistent Routes:
None

After:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 80 c8 18 2e c5 ...... D-Link AirPlus DWL-650+ Wireless Cardbus Adapter - Packet Scheduler Miniport
0x10004 ...00 0b cd 18 44 23 ...... National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter - Packet Scheduler Miniport
0x10005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport

Active Routes:
Network Destination  Netmask          Gateway        Interface      Metric
0.0.0.0              0.0.0.0          10.2.1.154     10.2.1.154     1
0.0.0.0              0.0.0.0          192.168.0.1    192.168.0.100  26
10.2.1.0             255.255.255.0    10.2.1.154     10.2.1.154     10
10.2.1.154           255.255.255.255  127.0.0.1      127.0.0.1      10
10.255.255.255       255.255.255.255  10.2.1.154     10.2.1.154     10
66.123.251.119       255.255.255.255  192.168.0.1    192.168.0.100  1
127.0.0.0            255.0.0.0        127.0.0.1      127.0.0.1      1
192.168.0.0          255.255.255.0    192.168.0.100  192.168.0.100  25
192.168.0.0          255.255.255.0    10.2.1.154     10.2.1.154     1
192.168.0.1          255.255.255.255  192.168.0.100  192.168.0.100  1
192.168.0.100        255.255.255.255  127.0.0.1      127.0.0.1      25
192.168.0.255        255.255.255.255  192.168.0.100  192.168.0.100  25
224.0.0.0            240.0.0.0        10.2.1.154     10.2.1.154     10
224.0.0.0            240.0.0.0        192.168.0.100  192.168.0.100  25
255.255.255.255      255.255.255.255  10.2.1.154     10.2.1.154     1
255.255.255.255      255.255.255.255  192.168.0.100  10004          1
255.255.255.255      255.255.255.255  192.168.0.100  192.168.0.100  1
Default Gateway: 10.2.1.154

Persistent Routes:
None

continued due to post size limits...

dansheridan Mon, 07/25/2005 - 14:37

Windows IP Configuration

    Host Name . . . . . . . . . . . . : CPQ56574797792
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection 2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : D-Link AirPlus DWL-650+ Wireless Cardbus Adapter
    Physical Address. . . . . . . . . : 00-80-C8-18-2E-C5
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.0.100
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DNS Servers . . . . . . . . . . . : 192.168.0.1
    Lease Obtained. . . . . . . . . . : Monday, July 25, 2005 6:02:21 PM
    Lease Expires . . . . . . . . . . : Monday, August 01, 2005 6:02:21 PM

Ethernet adapter Local Area Connection:

    Media State . . . . . . . . . . . : Media disconnected
    Description . . . . . . . . . . . : National Semiconductor Corp. DP83815/816 10/100 MacPhyter PCI Adapter
    Physical Address. . . . . . . . . : 00-0B-CD-18-44-23

On the ping question:

I can ping the destination VPN client and receive a response.

I can’t ping my default gateway.

On the router, I’m just using a Dlink behind a cable modem. I can place my computer in the Router DMZ through the Dlink admin utility but since I’m connected via a wireless card I assume it’s still handling the routing.

Thanks Again!

Richard Burts Mon, 07/25/2005 - 18:41

Dan

Thanks for the additional information. It looks pretty normal to me. The first route print shows a set of routes learned via the wireless. The second route print shows the first set of routes and also shows another set of routes learned from the VPN. And the metric for the VPN learned routes is more favorable than the wireless routes. This is the same behavior that I see on my PC when I run the VPN client. So no particular solution here.

I do see that there is a route in the second route print that is not present in the first route print. And it does not point to 10.2.1.254 it points to the original address:

66.123.251.119 255.255.255.255 192.168.0.1 192.168.0.100 1

can you shed any light on what the 66.123.251.119 address would be?

I am trying to understand your comment about you can not ping your default gateway and you can ping the destination VPN client. Perhaps you could explain a bit about this. From your end it is PC to Dlink, to cable modem, to VPN server. So maybe it would help to know a bit about what the VPN server is (is it a PIX, a Cisco 30xx VPN concentrator, a router, something else?). And do I understand that you are really trying to access from your VPN client to some other VPN client? If so what does that topology look like? Is that VPN client in the same address space that you are assigned (10.2.1.x)?

HTH

Rick
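
Added example, not part of any post in this thread: a short Python sketch that resolves destinations against the unicast rows of the "After" route print using longest-prefix match, then lowest metric, to show which traffic enters the tunnel and which leaves directly through the wireless adapter. The function names and the test destinations 192.168.0.50, 10.2.1.20 and 198.51.100.7 are assumptions chosen for illustration.

```python
import ipaddress

VPN_ADAPTER = "10.2.1.154"  # address assigned by the VPN, from the "After" table

# Unicast rows copied from the "After" route print in the thread, columns:
# destination, netmask, gateway, interface, metric
AFTER_ROUTES = """\
0.0.0.0 0.0.0.0 10.2.1.154 10.2.1.154 1
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 26
10.2.1.0 255.255.255.0 10.2.1.154 10.2.1.154 10
10.2.1.154 255.255.255.255 127.0.0.1 127.0.0.1 10
66.123.251.119 255.255.255.255 192.168.0.1 192.168.0.100 1
192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 25
192.168.0.0 255.255.255.0 10.2.1.154 10.2.1.154 1
192.168.0.1 255.255.255.255 192.168.0.100 192.168.0.100 1
192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 25
"""

def parse_routes(text):
    """Turn 'route print' rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank lines and the column header
        dest, mask, gateway, interface, metric = fields
        network = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((network, gateway, interface, int(metric)))
    return routes

def select_route(routes, destination):
    """Pick the matching route with the longest prefix, then the lowest metric."""
    address = ipaddress.ip_address(destination)
    matches = [r for r in routes if address in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))

def egress(routes, destination):
    """Classify a destination as leaving via the VPN adapter or not."""
    route = select_route(routes, destination)
    if route is None:
        return "unroutable"
    return "tunnel" if route[2] == VPN_ADAPTER else "direct"

if __name__ == "__main__":
    table = parse_routes(AFTER_ROUTES)
    for host in ("66.123.251.119", "192.168.0.1", "192.168.0.50",
                 "10.2.1.20", "198.51.100.7"):
        print(f"{host:15} -> {egress(table, host)}")
```

Only the two /32 host routes (66.123.251.119 and 192.168.0.1) bypass the VPN adapter; every other destination, including the rest of the 192.168.0.0/24 LAN, resolves to the tunnel because the metric 1 routes win.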

dansheridan Mon, 07/25/2005 - 20:04

Hey Rick,

That's their VPN server. Unfortunately I don't know anything about their server. So you have it right it's PC to Dlink to Cablemodem to their VPN server.

Do I have to specifically allow ESP and GRE protocols? I'm not doing any filtering and Comcast insists that it doesn't block any ports but, aside from a problem with the server, I can't see what else could be the problem.

Thanks again for your help, I am becoming convinced that it's a server side issue.

Richard Burts Tue, 07/26/2005 - 04:30

Dan

Ultimately it may help to know a bit about what the VPN server is, but for now we will work other aspects of the question.

You mentioned possibly needing to permit GRE. I am not sure where GRE gets into this situation. Were you just speaking generally of tunneling protocols or is there really GRE in the mix here? And if so where? As for having to permit ESP if you are getting the user prompt and getting authenticated we can take that as a sign that ESP is getting through.

I would like to explore a little more the question of what you can access and what you can not. One of your posts mentioned that you can ping a VPN client - what is the address of the client that you can reach? That post also indicated that you can not ping the default gateway. Was the gateway address the 10.2.1.154, the 192.168.0.1, or some other address?

Can you help me understand better what does work and what does not work?

HTH

Rick

wybnormal Sun, 07/31/2005 - 16:42

I am jumping in late and it's probably fixed but I do not see the solution so let me toss out an observation. Just this week I rolled out a new VPN concentrator 3020 and had this exact symptom. I could send packets but zero packets were coming back. It ended up being the filter I had selected for the VPN. Under:

Configuration | User Management | Base Group

I had to change the filter under | general| from the VPN default to PRIVATE which is an "any/any" filter and my connection works. I'm still learning the fine points of the 3000 series so I can not explain why I had to change this, logically since I had used the VPN Firewall Filter for VPN client, you would have thought it would have worked. But, not so much.

Anyways.. it's just a thought since the symptoms matched my own perfectly.

Mike
