Cisco Support Community

New Member

VPN client can't pass traffic

VPN 4.x Client (IPSEC/UDP) can connect to an IOS router 12.4 and authenticate successfully but can't ping and telnet to devices.

This configuration was fully tested in a simulated environment and worked using actual IP addresses and devices to be deployed in production. The device was moved into production and now the VPN client cannot even contact the IOS VPN peer when using IPSEC/UDP; however, they can connect and authenticate using only IPSEC but still cannot pass traffic.

I went back to the simulated environment and it works fine. I thought maybe MTU or NAT-T but can't seem to get it working.

Any ideas??

6 REPLIES
Hall of Fame Super Blue

Re: VPN client can't pass traffic

Hi

Is there a device between your client and the router that does PAT on the traffic? If so, this might be the difference between your test setup and your prod one.

If this is the case you will need to enable NAT-T - have you already tried this?

Jon

New Member

Re: VPN client can't pass traffic

In the lab I have the VPN client behind a Linksys router and it does work with IPSEC/UDP.

Hall of Fame Super Blue

Re: VPN client can't pass traffic

Is the Linksys router doing port address translation? The symptom you describe in your prod environment is typical of a NAT traversal issue, i.e. you can connect but no traffic passes.

The other thing to check would be routing. Do the destination machines know how to get back to the VPN clients?

Jon

New Member

Re: VPN client can't pass traffic

I just put the Lab IOS router device on an Internet connection and from a VPN Client that was dialed up to another ISP I was able to connect and pass traffic. As soon as I try the production router, still no good. Any chance it is an ISP issue?

Thanks for your responses

Hall of Fame Super Blue

Re: VPN client can't pass traffic

It is unlikely to be the ISP as they don't usually block IPSEC traffic.

Do you see any IPSEC connection attempts on your prod router when you try to connect?

Could you send a copy of both configs of the lab and prod router if possible (minus any sensitive information)?

Jon

New Member

Re: VPN client can't pass traffic

After some debugs it turns out that UDP port 4500 needed to be opened.
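A way to catch the blocked NAT-T port before deployment, as an added example that is not part of the original thread: a first-match audit of an IOS extended ACL for the three flows an IPsec remote-access peer needs. The thread does not say where UDP 4500 was filtered, so the inbound ACL, its name and the 192.0.2.1 address are constructed assumptions.

```python
import re

# Flows the VPN peer must accept. IOS prints well-known ports by name,
# so both the numeric and the named spelling are accepted.
REQUIRED = {
    "IKE (UDP 500)": ("udp", {"500", "isakmp"}),
    "NAT-T (UDP 4500)": ("udp", {"4500", "non500-isakmp"}),
    "ESP (IP protocol 50)": ("esp", None),
}
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
DST_PORT = re.compile(r"\beq\s+(\S+)(?:\s+log)?\s*$")

def parse_acl(text):
    """Return (action, protocol, dest_port_or_None) per ACL entry, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            action, proto, rest = m.groups()
            port = DST_PORT.search(rest)
            entries.append((action, proto.lower(), port.group(1) if port else None))
    return entries

def covers(entry, proto, ports):
    """Simplification: addresses and source-port filters are not modelled."""
    _, e_proto, e_port = entry
    if e_proto == "ip":            # 'ip' matches every protocol
        return True
    if e_proto != proto:
        return False
    return ports is None or e_port is None or e_port in ports

def audit(text):
    """First matching entry decides; no match means the implicit deny."""
    entries = parse_acl(text)
    result = {}
    for name, (proto, ports) in REQUIRED.items():
        hit = next((e for e in entries if covers(e, proto, ports)), None)
        result[name] = hit[0] if hit else "deny"
    return result

def blocked(text):
    return [name for name, action in audit(text).items() if action != "permit"]

# Constructed sample: IKE and ESP allowed, NAT-T forgotten.
PROD_ACL = """ip access-list extended OUTSIDE-IN
 permit udp any host 192.0.2.1 eq isakmp
 permit esp any host 192.0.2.1
 deny   ip any any log
"""
FIXED_ACL = PROD_ACL.replace(
    " permit esp", " permit udp any host 192.0.2.1 eq non500-isakmp\n permit esp")
```

`blocked(PROD_ACL)` reports only the NAT-T flow, which is the gap a client behind a PAT device runs into; `blocked(FIXED_ACL)` is empty.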
