UDP broadcast from IPSec VPN Client, not receiving the unicast UDP replies
Problems with UDP broadcast / response over Client VPN to PIX
Win2K client with Cisco VPN version 3.6.3
PIX 515-R running 6.2(2) w/ 3DES
Client connects, authenticates, and is assigned IP from pool
Client (Win2K) can ping, use TCP (telnet, etc.), and get UDP unicast (DNS) replies, but cannot seem to get a response to a UDP broadcast.
Outside interface: 22.214.171.124 (changed from the actual IP)
Inside network: 192.168.85.0 / 24
VPN Client IP pool: 192.0.2.1-255
Public IP (behind NAT firewall allowing all IPSec traffic): 126.96.36.199 (changed from the actual IP)
Real network behind far end: 192.168.18.0 / 24
IP assigned from VPN Pool: 192.0.2.1
Client connects, authenticates, and can make any ICMP, TCP, and UDP unicast requests. It fails when attempting to use anything that shifts to UDP broadcasts (NetBIOS, and XDMCP for the X Windows display manager).
The main purpose of the tunnel is to provide a secure link for this Xwindows session.
What is being seen
A capture on the inside interface for anything to and from the 192.0.2.0 / 24 network (the VPN IP pool) shows a connection attempt.
The client with the assigned IP of 192.0.2.1 sends a UDP 177 packet to the broadcast address of the 192.168.85.0 / 24 net. Four machines respond with who they are and their current user load (information on the responses taken from a hex dump of the same traffic). The client, not receiving the responses, tries 3 more times before giving up.
A capture on the outside interface for all traffic between the firewall and the client public peer IP gives the following. The 4 attempts from the client public IP at 188.8.131.52 destined to the firewall public IP at 184.108.40.206 are seen, but the 16 replies obviously were not encapsulated and sent back.
The reason this is truly baffling is that all other traffic is working and the access lists are permitting all traffic between the networks. There is not another tunnel on the firewall to get in the way.
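The exchange the post describes is the XDMCP discovery handshake on UDP 177: the client sends a BROADCAST_QUERY to the subnet broadcast address and every display manager unicasts a WILLING back carrying its hostname and status (the "who they are and current user load" seen in the hex dump). The following is an added example, not code from the original thread or from Cisco: it builds and parses those two XDMCP messages and then runs the same bookkeeping the poster did by hand over constructed capture records, counting broadcast queries and unicast replies on the inside interface against ESP packets on the outside interface. The capture records, the client source port 1025, the server addresses 192.168.85.10-13 and the use of the peer/firewall addresses quoted in the outside-capture paragraph are all assumptions made for the example.

```python
"""XDMCP over UDP 177: the BROADCAST_QUERY a client sends and the WILLING
replies the display managers unicast back, plus a capture check that matches
inside-interface replies against outside-interface ESP traffic.
Added example with constructed data; nothing is sent unless main() runs."""
import socket
import struct

XDMCP_VERSION = 1
XDMCP_PORT = 177
OP_BROADCAST_QUERY = 1   # sent to the subnet broadcast address
OP_WILLING = 5           # unicast reply: auth name, hostname, status


def _array8(data: bytes) -> bytes:
    """XDMCP ARRAY8: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_array8(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated ARRAY8")
    return buf[off:off + n], off + n


def build_broadcast_query(auth_names=()) -> bytes:
    """BROADCAST_QUERY: 6-byte header + count + ARRAY8 authentication names."""
    body = bytes([len(auth_names)]) + b"".join(_array8(n.encode()) for n in auth_names)
    return struct.pack(">HHH", XDMCP_VERSION, OP_BROADCAST_QUERY, len(body)) + body


def build_willing(auth_name: str, hostname: str, status: str) -> bytes:
    """WILLING: what each display manager unicasts back to the querier."""
    body = _array8(auth_name.encode()) + _array8(hostname.encode()) + _array8(status.encode())
    return struct.pack(">HHH", XDMCP_VERSION, OP_WILLING, len(body)) + body


def parse_willing(pkt: bytes):
    """Return (auth_name, hostname, status) from a WILLING packet, else raise."""
    if len(pkt) < 6:
        raise ValueError("short XDMCP header")
    ver, op, length = struct.unpack_from(">HHH", pkt, 0)
    if ver != XDMCP_VERSION or op != OP_WILLING or len(pkt) != 6 + length:
        raise ValueError("not a well-formed WILLING")
    auth, off = _read_array8(pkt, 6)
    host, off = _read_array8(pkt, off)
    status, off = _read_array8(pkt, off)
    return auth.decode(), host.decode(), status.decode()


def correlate(records, client_vpn_ip, bcast_ip, client_peer_ip, fw_outside_ip):
    """Count the pieces of the exchange on both interfaces.
    A reply that is seen inside but has no matching ESP packet toward the
    peer is the symptom from the post: decrypted in, never encapsulated out."""
    c = {"queries": 0, "replies": 0, "esp_in": 0, "esp_out": 0}
    for r in records:
        if r["iface"] == "inside" and r["proto"] == "udp":
            if r["src"] == client_vpn_ip and r["dst"] == bcast_ip and r["dport"] == XDMCP_PORT:
                c["queries"] += 1
            elif r["sport"] == XDMCP_PORT and r["dst"] == client_vpn_ip:
                c["replies"] += 1
        elif r["iface"] == "outside" and r["proto"] == "esp":
            if r["src"] == client_peer_ip and r["dst"] == fw_outside_ip:
                c["esp_in"] += 1
            elif r["src"] == fw_outside_ip and r["dst"] == client_peer_ip:
                c["esp_out"] += 1
    c["replies_not_tunnelled"] = max(0, c["replies"] - c["esp_out"])
    return c


def sample_capture():
    """Constructed records mirroring the post: 4 broadcasts, 4 servers each
    answering every broadcast (16 unicasts), 4 ESP packets in, none out."""
    recs = []
    for _ in range(4):
        recs.append(dict(iface="inside", proto="udp", src="192.0.2.1", sport=1025,
                         dst="192.168.85.255", dport=XDMCP_PORT))
        for host in range(10, 14):   # assumed server addresses
            recs.append(dict(iface="inside", proto="udp", src=f"192.168.85.{host}",
                             sport=XDMCP_PORT, dst="192.0.2.1", dport=1025))
        recs.append(dict(iface="outside", proto="esp", src="188.8.131.52", sport=None,
                         dst="184.108.40.206", dport=None))
    return recs


def send_broadcast_query(bcast_ip: str, timeout: float = 2.0):
    """Live version of the client side: one BROADCAST_QUERY, collect WILLINGs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_broadcast_query(), (bcast_ip, XDMCP_PORT))
        replies = []
        while True:
            try:
                data, (src, _) = s.recvfrom(2048)
            except socket.timeout:
                return replies
            try:
                replies.append((src, parse_willing(data)))
            except ValueError:
                continue   # ignore anything that is not a WILLING


if __name__ == "__main__":
    print(correlate(sample_capture(), "192.0.2.1", "192.168.85.255",
                    "188.8.131.52", "184.108.40.206"))
```

Running the script on the constructed capture gives 4 queries, 16 replies and 4 inbound ESP packets but 0 outbound, i.e. every one of the 16 WILLING replies reached the inside interface and none was encapsulated back to the peer, which is exactly the pattern the two captures in the post show. Against a real capture, the same counts come from filtering on UDP port 177 inside and ESP (IP protocol 50) outside and feeding the records to `correlate`.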
Re: UDP broadcast from IPSec VPN Client, not receiving the unica
I'm wondering if the problem is that the servers are unable to initiate a "connection" to the VPN users (yes, I know this is UDP). I'm wondering if they are only able to respond to requests from the VPN clients.
Could you try this test? VPN in, and then see if one of the servers is able to ping the VPN users (192.0.2.x).