I have a VPN 3005 set up to allow the SSL client login. Two weeks ago we started having trouble with Outlook. The SSL clients authenticate and establish the tunnel just fine. When they try to start Outlook, they get a message stating that the server is unavailable. Looking at the Exchange log, it seems like the domain is being stripped before being passed to the domain controller. I tried turning the strip domain option off in the concentrator, but still had the same problem. The full VPN clients are working just fine. The issue only seems to affect the SSL client. Does anyone have any idea what the problem might be?
I think the problem you are facing is related to an older version, and this problem is fixed in version 4.0.3a or later. If the software version is fine, then check whether you have assigned IP addresses to assign to the SSL clients.
I am running version 4.7.2.J on the concentrator, which is a model 3005. I'm not sure what you mean about the IP addresses. The clients get assigned an address from a pool in the concentrator, and there is no assignment in the user setup tab. Something else we found out: if the full client is installed, the SSL client works. If we remove the full client, it stops.
It appears that Kerberos UDP packets are getting lost on the way back to the workstation. I can see them leaving the server and going to the concentrator in a network trace, but the workstation is not seeing them. I followed the Microsoft link below to force Kerberos to use TCP, and can now connect just fine.
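The trace comparison described in the last post, as an added example that is not part of the original thread: it takes one capture exported at the server side and one at the workstation and lists the Kerberos (UDP source port 88) replies that left the server but never arrived. The CSV column layout, the addresses and the packet sizes are constructed sample data, and the function names are hypothetical.

```python
import csv
from collections import Counter
from io import StringIO

KERBEROS_PORT = 88

# Constructed sample captures. Columns: time,src,dst,proto,sport,dport,length
# 10.1.1.5 stands in for the domain controller, 10.9.9.21 for the SSL client.
SERVER_SIDE = """\
0.010,10.9.9.21,10.1.1.5,udp,49152,88,310
0.012,10.1.1.5,10.9.9.21,udp,88,49152,180
0.030,10.9.9.21,10.1.1.5,udp,49153,88,1390
0.033,10.1.1.5,10.9.9.21,udp,88,49153,1620
1.030,10.9.9.21,10.1.1.5,udp,49153,88,1390
1.034,10.1.1.5,10.9.9.21,udp,88,49153,1620
"""
CLIENT_SIDE = """\
0.000,10.9.9.21,10.1.1.5,udp,49152,88,310
0.020,10.1.1.5,10.9.9.21,udp,88,49152,180
0.025,10.9.9.21,10.1.1.5,udp,49153,88,1390
1.025,10.9.9.21,10.1.1.5,udp,49153,88,1390
"""


def kdc_replies(capture_text):
    """Yield (src, dst, dport, length) for each UDP packet sent from port 88."""
    for row in csv.reader(StringIO(capture_text)):
        if not row:
            continue  # tolerate blank lines in the export
        _time, src, dst, proto, sport, dport, length = row
        if proto == "udp" and int(sport) == KERBEROS_PORT:
            yield (src, dst, int(dport), int(length))


def lost_kdc_replies(server_text, client_text):
    """Return {reply: count} for replies seen at the server capture point
    but missing from the client capture. Counter subtraction keeps the
    count right when the same reply is retransmitted."""
    missing = Counter(kdc_replies(server_text)) - Counter(kdc_replies(client_text))
    return dict(missing)


if __name__ == "__main__":
    for reply, count in lost_kdc_replies(SERVER_SIDE, CLIENT_SIDE).items():
        print(f"{count} reply(ies) never reached the client: {reply}")
```

Timestamps are ignored on purpose, since the two capture points do not share a clock.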