Hello everyone. I have been searching for a few days for an answer to this issue, but didn't find anything close. I hope you guys can help.
My company has a VPN 3000 concentrator and our remote users use the Cisco VPN client to connect to our network. I have been experiencing an intermittent problem with several of my users. They are able to connect the VPN client, but they are unable to access any network resources. When I log into the VPN manager and check the sessions, I see that their session is showing 0 "Bytes Tx". I am also unable to ping their address from inside the network.
This issue seems to happen to only a few different users, so I suspected that it was an issue with their client and reinstalled. I also checked their MTU to set it at 1300 (I read somewhere that this can resolve connectivity issues). I have not tried setting it lower than 1300.
Another similarity between the users is that they use a small ISP (usually a neighborhood T1 or other non-cable/DSL). Is there anything I can do from our side or from their client to resolve this issue, since the ISPs are very little help?
I saw the same issue with a user connection to a 3060 VPN Concentrator - the user had a PIX at home. I enabled IPSec over UDP on the VPN concentrator, which fixed the problem. HTH.
You may have already checked the obvious of having the users disable local firewall software. The Windows firewall is usually an issue on this.
I had a similar situation with a few clients.
It is most likely, as we found, that the ISPs are using the same internal network addressing that you have. In which case, although the VPN connects to your external IP address, the workstation will not browse your network since it believes that the IP network it is requesting is already local to the workstation.
In these instances, we had no way to help them other than suggest they change ISPs if it was a possibility.
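The addressing conflict described in the post above can be checked from the affected user's local addressing and the networks behind the concentrator. This is an added example, not part of the original thread; every subnet and host address in it is a constructed sample value.

```python
import ipaddress

# Constructed sample data (not from the thread).
CLIENT_LOCAL_NETS = ["192.168.1.37/24"]              # address/mask the ISP hands the user
VPN_PROTECTED_NETS = ["192.168.0.0/16", "10.20.0.0/16"]  # networks behind the concentrator
INTERNAL_HOSTS = ["192.168.1.10", "192.168.5.10", "10.20.1.5"]


def _nets(values):
    # strict=False lets an interface address such as 192.168.1.37/24 be given directly.
    return [ipaddress.ip_network(v, strict=False) for v in values]


def find_overlaps(local_nets, protected_nets):
    """Return (local, protected) pairs whose address ranges overlap."""
    pairs = []
    for local in _nets(local_nets):
        for protected in _nets(protected_nets):
            if local.version == protected.version and local.overlaps(protected):
                pairs.append((str(local), str(protected)))
    return pairs


def ambiguous_hosts(local_nets, protected_nets, hosts):
    """Internal hosts whose address also falls inside a client-side local subnet.

    These are the destinations the workstation may treat as already local
    instead of sending them through the tunnel.
    """
    local = _nets(local_nets)
    protected = _nets(protected_nets)
    result = []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        in_local = any(addr.version == n.version and addr in n for n in local)
        in_vpn = any(addr.version == n.version and addr in n for n in protected)
        if in_local and in_vpn:
            result.append(host)
    return result


if __name__ == "__main__":
    for local, protected in find_overlaps(CLIENT_LOCAL_NETS, VPN_PROTECTED_NETS):
        print(f"conflict: client subnet {local} overlaps VPN network {protected}")
    for host in ambiguous_hosts(CLIENT_LOCAL_NETS, VPN_PROTECTED_NETS, INTERNAL_HOSTS):
        print(f"ambiguous destination: {host}")
```

Running it with the output of `ipconfig` from an affected user in place of `CLIENT_LOCAL_NETS` shows whether that user's ISP addressing collides with the networks reached through the VPN.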
Do you have NAT-Traversal enabled? Try enabling that on your VPN box if you haven't. Most probably this is the issue.
Thanks for all the suggestions everyone. I have been catching up from the holiday today, but am getting back to work on it. Expect another response from me with my results.
We haven't solved the problem yet, but we took another Cisco 3000 and copied the configuration file from the broken one and it worked perfectly. So it must be something with the hardware or the file system. We got this problem when we upgraded the firmware. I don't know if you can do a file system reset?
We have the exact same problem as you had, but we are sure it is not the client. Because if we put the user in another group (our radius tells the 3005 which group the user should be in) it works fine. So we are sure it is the concentrator.
We also have a new 3005, but we have another problem: we can't get console access, so we can't configure it. A problem to solve during the weekend.
We solved the problem. Copy the config file then follow the instruction in this link:
And then put the config file back.
It worked for us.