VPN 3015 - Public Interface Change Causes Cisco Client Problems
I am trying to move my public interface connection from one ISP to another. Circuits, routers, and connectivity are all tested out and working fine. I think all I have to change on the concentrator is the IP address of the interface and the default gateway. When I do this and move my public interface to the new ISP I am having a problem with Cisco VPN Client connections (IPSec). They will connect and authenticate, but it appears I have no routing. I can't get ping replies, DNS queries, or any other connectivity to my private networks. Traceroute shows nothing. Strange thing is that the standard Windows VPN client software (PPTP) is having no such problems. All my private networks respond as expected. My problem is only with the Cisco VPN client. Log file shows connection and authentication. The concentrator has no apparent problems and provides ping replies to internal and external hosts. Any suggestions on how to troubleshoot this mess?
Could be the new ISP is filtering the ESP traffic, or you're going through a NAT device somewhere. Try connecting with UDP or TCP encapsulation enabled and see if that works.
If not, connect up a client, then on the concentrator go to Monitoring - Sessions and find the session for this user. Ping from the client and check if the RX Bytes go up on the concentrator for this session. If so, then you're receiving the encrypted packets from the client OK. Also check if the TX Bytes go up; if so, then you're replying to the encrypted packets OK. Then check the stats on the VPN client and see if the received bytes on it go up; if so, then you're receiving the encrypted replies from the concentrator OK.
This will at least help you pinpoint where the problem lies. Check with the new ISP and make sure they're not filtering any packets, they sometimes do.
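The counter check described in the answer above, written out as an added example (it is not part of the original thread). The field names and the sample readings are constructed; the values are read by hand from Monitoring - Sessions and from the VPN client statistics before and after pinging from the client.

```python
from dataclasses import dataclass


@dataclass
class Counters:
    """One manual reading of the three byte counters (field names are hypothetical)."""
    conc_rx: int    # concentrator, Monitoring - Sessions: RX Bytes for this user
    conc_tx: int    # concentrator, Monitoring - Sessions: TX Bytes for this user
    client_rx: int  # VPN client statistics: received bytes


def locate_break(before: Counters, after: Counters) -> str:
    """Compare readings taken before and after a ping from the client
    and name the first leg of the round trip whose counter did not move."""
    for name in ("conc_rx", "conc_tx", "client_rx"):
        if getattr(after, name) < getattr(before, name):
            # A counter that shrinks means the session was re-established
            # between readings, so the comparison is meaningless.
            raise ValueError(f"{name} decreased; session reset, take new readings")
    if after.conc_rx == before.conc_rx:
        return "client->concentrator: encrypted packets are not arriving"
    if after.conc_tx == before.conc_tx:
        return "concentrator: packets arrive but no encrypted replies are sent"
    if after.client_rx == before.client_rx:
        return "concentrator->client: encrypted replies are not reaching the client"
    return "all three counters increase: encrypted traffic flows both ways"


if __name__ == "__main__":
    # Constructed readings: the concentrator receives and replies,
    # but the client's received-bytes counter stays flat.
    before = Counters(conc_rx=1200, conc_tx=900, client_rx=900)
    after = Counters(conc_rx=1520, conc_tx=1220, client_rx=900)
    print(locate_break(before, after))
```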