I am a novice at Cisco hardware and have been trying to troubleshoot our VPN issues for the last few weeks.
We had a vendor perform a vanilla install of the following setup for our network:
- Cisco 2800 Perimeter Router
- Cisco ASA
- a clustered set of Cisco 3500 switches that were already in place, no virtual networks, no ACLs.
- Win2K3 domain
- Exchange 2K3
We went with the SSL VPN and hardware token for our initial VPN setup. There are no rules set up on the VPN; end users have full access to the network (we plan to lock it down once we get things running smoothly).
When an end user connects through the VPN, the SSL VPN client installs and appears to be functioning correctly. However, some services are not available through the network, or sometimes work, sometimes do not.
For instance, I can access Windows shares (though it takes a long time) and remote desktop into our servers. We also have an Enterprise application that uses SQL Server and functions correctly.
However, some applications do not work. Our Outlook clients do not see the Exchange server and some of our Enterprise applications that use SQL Server either do not work or take up to 5 minutes to open.
All of our systems work perfectly inside the perimeter network.
We have been left in the lurch by our vendor who installed our systems then bailed out when we asked them to help troubleshoot.
On our own, we found that if the Cisco IPsec client is installed, the SSL VPN works perfectly! All services are available and are very fast! This is the case even though the IPsec client isn't running; in fact, it's not even configured to run properly on the ASA.
We don't want to have to install the IPsec client on all our mobile systems, so that is not an ideal solution.
Anyone with ideas about what might be at the root of our SSL VPN problems?
We have found out what the issue was and have a temporary fix until we can get to the root of the problem.
Seems that Kerberos UDP packets are getting blocked somewhere along the line. By changing a registry setting on the remote computer we can force Kerberos to transmit over TCP instead of UDP and this clears up all of our issues.