New Member

strange problem - some VPN users no longer able to connect to inside network

Hi,

for months (if not years!) our users have been happily connecting over the VPN to our corporate HQ.

However, this morning, we encountered a strange problem that only seemed to affect a few users.

The users complained that they had got authenticated over the VPN ok but could not access anything inside our network.

Meanwhile though, other users were connected happily, as normal.

When I ran a "sh uauth" on the PIX515E firewall running 6.3(5) that we have, I could see the "working" users were authenticated with an IP address allocated correctly from our IP address pool.

The "problem" users were also showing as authenticated - however, instead of having an IP address from the pool, the IP address was still showing as their own public IP address.

There were plenty spare addresses in the address pool so there were definitely addresses available to be allocated.

For the problem users, if they checked their IP config, it appeared to them that they HAD got allocated an address from our pool - but, for some reason, the PIX did not seem to recognise that it had allocated an address to them - therefore, no traffic could be routed from our network to these particular users.

I carried out a reboot of the PIX and the problem was resolved.

Nothing had been changed on the PIX config and there didn't seem to be any pattern to the users affected (e.g. some were using their home broadband connection, some using 3G cards - meanwhile other users were connected without problem via the same methods).

Does anyone know any more about what this problem was and why it should suddenly have affected us?

Is there any other way to resolve it? i.e. something less drastic than a complete reboot?

Thanks.

2 REPLIES
Gold

Re: strange problem -some VPN users no longer able to connect to

It looks like a NAT traversal issue.

Try the following command on the firewall:

PIX(config)# isakmp nat-traversal 20

M.

Hope that helps, rate if it does

New Member

Re: strange problem -some VPN users no longer able to connect to

Hi,

thanks for the help - I had also checked in case it was a NAT Traversal issue and this command was already in the PIX config when we experienced the problem.

I don't think this can be a configuration issue at all as things just suddenly stopped working for some users, not others, and there had been no change to the config.

A reboot sorted it out - but the config before and after the reboot is exactly the same.

It's a very strange issue!
