Cisco Support Community

New Member

VPN 3015 Client can "see" but not "touch" network services - need guidance

I have a 3015 in place, running version 3.6 and the 3.6 client on a Win2k machine. I am able to successfully connect and authenticate to the Windows Domain, and once connected can ping everything on my private network (even other private subnets and over WAN links.)

The problem is that I cannot actually access any services - I am getting all the appropriate IP settings from the DHCP server on the private network, but nslookup fails, I can't access any internal web servers and am unable to telnet or ssh to anything. It is acting like all ports have been shut off. I have tried this with the Integrated firewall on and off, but it makes no difference.

The filters and rules are still in the default state, but look like I should be allowed full access (the Private (Default) lists Any (In) and Any (Out) as its filters.) Also, I would have expected ICMP would have been blocked if everything was also restricted, so why can I ping and not http, etc...?

I am sure I am missing something fairly obvious - does anyone have some insight as to what I have overlooked?

Cisco Employee

Re: VPN 3015 Client can "see" but not "touch" network services -

How are you connecting, dialup or broadband (if so cable or PPPoE?).

Could you please try to adjust the MTU to, say, 1400 with the setmtu utility that gets installed with the client? Normally these kinds of issues are MTU related.

New Member

Re: VPN 3015 Client can "see" but not "touch" network services -

I have tested this over both dial-up and cable modem. Increasing the MTU to 1400 did not help. Should I go higher?

Cisco Employee

Re: VPN 3015 Client can "see" but not "touch" network services -

Actually, you should try a lower MTU (maybe go lower than 1400). Also, are you behind any NAT device, or is the concentrator behind a NAT device? In that case, you might also try to enable IPsec over UDP or IPsec over TCP (you enable it on both the concentrator and the client). See:
