some return traffic not going through vpn tunnel (although not all)

jagoe (Level 1)

Very strange problem, my guess is a configuration error. Clients connecting to an 1841 with a VPN tunnel endpoint on its Dialer0 interface (ADSL WIC on an ISDN line) have no trouble accessing LAN resources (file shares, Exchange mailboxes via a MAPI client, ping, etc.). However, when configuring an IMAP connection on a remote VPN client, outgoing email would not send. The strange thing is that the port 143 traffic between the client and IMAP server flows properly.

It turns out that port 25 traffic correctly flows from the client to the SMTP server, but that return traffic from the server to the client does not flow back through the VPN tunnel. Instead it routes back out through the public IP address. Can anyone offer a suggestion? (And please feel free to comment on the config in general, i.e. unnecessary ACL entries, etc.)

The VPN address pool is 10.10.10.0/24. The LAN subnet is 10.0.0.0/24. Host 10.0.0.209 is the SMTP server. xxx.xxx.xxx.xxx is the public IP address on Dialer0. The packet trace follows and the config is attached as config.1821.cisco.forum.txt.

<snort trace>
12/16-07:14:47.757578 10.10.10.17:3753 -> 10.0.0.209:25
TCP TTL:128 TOS:0x0 ID:10758 IpLen:20 DgmLen:48 DF
******S* Seq: 0x65389798 Ack: 0x0 Win: 0x8000 TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/16-07:14:47.845437 xxx.xxx.xxx.xxx:25 -> 10.10.10.17:3753
TCP TTL:127 TOS:0x0 ID:23397 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4AE8EFC0 Ack: 0x65389799 Win: 0x44E8 TcpLen: 28
TCP Options (4) => MSS: 1452 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
</snort trace>
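The trace above already contains the diagnosis: the SYN goes to 10.0.0.209:25, but the SYN/ACK that answers it (its Ack number is the SYN's Seq plus one) arrives sourced from the Dialer0 public address, so the server's reply was translated by PAT on the way out of the router instead of being handed to the tunnel. The following script is an added example, not part of the original post or the router configuration: it parses snort-style TCP header lines, pairs each SYN with its SYN/ACK by acknowledgement number rather than by address (since the address is exactly what gets rewritten), and reports any reply whose source differs from the address the client asked for. The sample trace is reconstructed from the post with the masked public IP replaced by the documentation address 192.0.2.1.

```python
import re
from collections import namedtuple

# Constructed sample: the two packets from the post, with xxx.xxx.xxx.xxx
# replaced by a documentation-range placeholder (192.0.2.1).
SAMPLE_TRACE = """\
12/16-07:14:47.757578 10.10.10.17:3753 -> 10.0.0.209:25
TCP TTL:128 TOS:0x0 ID:10758 IpLen:20 DgmLen:48 DF
******S* Seq: 0x65389798 Ack: 0x0 Win: 0x8000 TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
12/16-07:14:47.845437 192.0.2.1:25 -> 10.10.10.17:3753
TCP TTL:127 TOS:0x0 ID:23397 IpLen:20 DgmLen:48 DF
***A**S* Seq: 0x4AE8EFC0 Ack: 0x65389799 Win: 0x44E8 TcpLen: 28
TCP Options (4) => MSS: 1452 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

Packet = namedtuple("Packet", "ts src sport dst dport flags seq ack")

# "MM/DD-HH:MM:SS.usec src:port -> dst:port"
HEADER_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")
# Snort prints eight flag positions (1 2 U A P R S F), '*' where a flag is clear.
FLAGS_RE = re.compile(r"^(\S{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")


def parse_snort_trace(text):
    """Turn snort's text output into a list of Packet records (TCP only)."""
    packets = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            header = m.groups()
            continue
        m = FLAGS_RE.match(line)
        if m and header is not None:
            ts, src, sport, dst, dport = header
            flags, seq, ack = m.groups()
            packets.append(Packet(ts, src, int(sport), dst, int(dport),
                                  flags, int(seq, 16), int(ack, 16)))
            header = None
    return packets


def find_rewritten_replies(packets):
    """Pair every SYN with its SYN/ACK (reply Ack == SYN Seq + 1, ports and
    client address mirrored) and report replies whose source address is not
    the address the client originally sent the SYN to. Such a mismatch means
    the server's reply was address-translated on its way back to the client."""
    findings = []
    syns = [p for p in packets if "S" in p.flags and "A" not in p.flags]
    synacks = [p for p in packets if "S" in p.flags and "A" in p.flags]
    for syn in syns:
        for rep in synacks:
            same_flow = (rep.ack == syn.seq + 1
                         and rep.dst == syn.src and rep.dport == syn.sport
                         and rep.sport == syn.dport)
            if same_flow and rep.src != syn.dst:
                findings.append({
                    "client": f"{syn.src}:{syn.sport}",
                    "requested": syn.dst,
                    "reply_from": rep.src,
                    "port": syn.dport,
                })
    return findings


if __name__ == "__main__":
    for f in find_rewritten_replies(parse_snort_trace(SAMPLE_TRACE)):
        print(f"{f['client']} asked {f['requested']}:{f['port']} "
              f"but the SYN/ACK came from {f['reply_from']} "
              f"(reply path bypassed the tunnel and was NATed)")
```

Run against the sample, the script flags the single SMTP flow; a healthy flow, where the SYN/ACK is sourced from 10.0.0.209, produces no finding. The same pairing logic applies to any capture taken on the VPN client, so it is a quick way to confirm whether a "port works one way only" symptom is really a return-path NAT problem rather than a firewall or ACL drop.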

2 Replies

smahbub (Level 6)

SDM can troubleshoot VPN connections that you have configured. SDM reports the success or failure of the connection tests, and when tests have failed, recommends actions that you can take to correct connection problems.

The following link provides information on VPN troubleshooting using the CLI.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_2/rmc13/useguide/u13_rtrb.htm

jagoe (Level 1)

The solution to this problem was posted to this forum on Feb 2, 2006, 3:55am PST. It has the title "solution: PAT interferes with VPN routing"
