Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
459
Views
0
Helpful
5
Replies

Can't communicate with network until client is pinged from VPN concentrator

mikee4342
Level 1
Level 1

‎07-02-2002 10:53 AM - edited ‎02-21-2020 11:51 AM

We have Cisco 3005 VPN concentrator and the client is 3.5.2. We are seeing a strange issue where we can get authenticated just fine, but no data flows through the tunnel until we ping the client's assigned IP address from the concentrator. Has anyone seen this before?

Labels:
0 Helpful
5 Replies 5

edadios
Cisco Employee
Cisco Employee

‎07-02-2002 10:08 PM

No.

There must be some sort of routing issue. Can the client at least ping the private interface of the concentrator when connected?

Is it a software or hardware client?

Have a look at the routing information on the concentrator once the client is connected and could not pass traffic, and compare it when the client is passing traffic.

Regards,

0 Helpful

mikee4342
Level 1
Level 1
In response to edadios

‎07-03-2002 01:18 PM

Thanks for the message.

We cannot ping the private interface until we ping out from the 3005 to correct the situation. This is a software client and the routing information remains the same regardless of whether it is working or not. This is looking more like an ARP situation.

Mikee

0 Helpful

marcus.kellman
Level 1
Level 1

‎07-03-2002 04:49 AM

Hi I have had the same problem, We had a pix firewall in the network aswell, What happened was the pix kept picking up the packet dest for the Concentrator, it all came down to ARP, we add static ARP entries into our router and it worked ok. But still not sure as to why the pix was doing this!!

Hope this helps

Regards

0 Helpful

mikee4342
Level 1
Level 1
In response to marcus.kellman

‎07-03-2002 02:05 PM

You hit it right on the head. It is an ARP issue (I checked the router ARP table). Do you know the syntax for adding an ARP entry to the router? I can't seem to find it on-line

Thanks!!!

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to mikee4342

‎07-03-2002 03:52 PM

Actually, what you have to do is to disable proxy arp on the pix interface where the private of the concentrator is connected.

sysopt noproxyarp 'ifname'.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/s.htm#xtocid22

That should fix the arp issue.

Regards,

0 Helpful
Customers Also Viewed These Support Documents