Missing return/inbound packets. ESP packets only. Why?

timothylsmith
Level 1

We have been doing some testing with Cisco 3015 concentrators and VPN 3.5 - 3.7 client software (Linux and Windows) and have observed the following issue.

When using a Linux VPN Cisco client (3.5-3.7) and pinging or nmaping a remote computer the ping or nmap will complete but you never see any return packets except esp packets. When running tcpdump or ethereal and looking at the packets you see the outbound traffic to the distant computer but when the packet is returned all you will see is the esp packet. There appears to be some type of disconnect with either the network capture drivers or the Cisco vpn client.

When using a Windows platform the return packets are seen with most versions.

We have also observed that adding certain patches from Microsoft will cause this to break.

The question I have is has anyone else seen this behavior, have a fix, or can point me in the right direction to get this resolved?

2 Replies

gfullage
Cisco Employee

Not really sure what you're asking here. You're saying that the pings, etc over the tunnel are working OK, but trying to see these packets with ethereal or tcpdump, you see the original unencrypted packet going out, but you only see the encrypted packet coming back in?

Are you running tcpdump or ethereal on the same host that you're pinging from, the same host that has the VPN client on it? If so, I would say that all you're seeing is how ethereal, tcpdump, the VPN client and the IP stack on the machine itself fit in with each other. Tcpdump/ethereal are looking at the IP stack in that machine at a certain spot, and all you're seeing is that when packets are sent out, tcpdump/ethereal sees them BEFORE they get encrypted, and on the way in, tcpdump/ethereal sees them BEFORE they get decrypted.

With Windows versions, ethereal is looking at a different spot in the IP stack.

If you put a Sniffer on the same subnet as this box and capture the traffic, rather than on the box itself, you'll only see encrypted packets going out and coming back in.

Hope that helps. If I have the completely wrong understanding of what you're saying here, please elaborate further.
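To check which side of the VPN client's decryption a capture point sits on, as the reply above describes, a saved capture can be tallied by direction and IP protocol. This is an added example, not part of the original thread or any Cisco tool; the addresses are constructed, and it assumes a classic pcap file (not pcapng) with Ethernet or raw-IP framing and no VLAN tags.

```python
import struct
from collections import Counter

ESP = 50  # IP protocol number of IPsec ESP
NAMES = {1: "icmp", 6: "tcp", 17: "udp", ESP: "esp"}

def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))

def ipv4_packet(src, dst, proto, payload=b"\x00" * 8):
    """Minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, _addr(src), _addr(dst)) + payload

def make_pcap(packets):
    """Classic little-endian pcap, link type 101 (raw IP)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(p), len(p)) + p
    return out

def classify(pcap, local_ips):
    """Count (direction, protocol) for each IPv4 packet in a classic pcap."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    skip = {1: 14, 101: 0}[struct.unpack_from(end + "I", pcap, 20)[0]]
    local = {_addr(a) for a in local_ips}
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        ip = pcap[off + 16 + skip:off + 16 + incl]
        off += 16 + incl
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue  # not IPv4 (ARP, IPv6, truncated)
        direction = ("out" if ip[12:16] in local else
                     "in" if ip[16:20] in local else "other")
        seen[(direction, NAMES.get(ip[9], str(ip[9])))] += 1
    return seen

def inbound_cleartext_visible(seen):
    """True when the capture point shows inbound packets other than ESP."""
    return any(d == "in" and p != "esp" for d, p in seen)

# Constructed addresses: physical NIC, tunnel-assigned address, concentrator, remote host.
NIC, INNER, GW, REMOTE = "192.0.2.10", "10.8.0.5", "198.51.100.1", "10.1.1.20"
LOCAL = {NIC, INNER}
# Capture as described for the Linux client: cleartext out, ESP only on the way in.
LINUX_VIEW = classify(make_pcap([ipv4_packet(INNER, REMOTE, 1),
                                 ipv4_packet(GW, NIC, ESP)]), LOCAL)
# Capture as described for Windows: the decrypted reply is also visible.
WINDOWS_VIEW = classify(make_pcap([ipv4_packet(INNER, REMOTE, 1), ipv4_packet(GW, NIC, ESP),
                                   ipv4_packet(REMOTE, INNER, 1)]), LOCAL)
```

For a real capture, pass the bytes of a file written with `tcpdump -w` to `classify()` together with both the physical and the tunnel-assigned local addresses.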

To be a little more descriptive.

We are running ethereal / tcpdump on the same machine we are doing nmap and ping from and are on a switched network.

We are trying to see the return unencrypted packets. When using Windows and using ethereal we can see both the esp packet and the unencrypted return packet for the remote machine we nmaped or pinged. When we use Linux we are unable to see any return packets of anything but the nmap and ping work. The problem we have is that we need to see the return packets to verify they are from the actual remote machine and not a firewall or other device. If you know a way to be able to get this working on the Linux side this would be helpful and