Cisco Support Community
New Member

VPN Client drops session if MS ISA client is active

Hi, Everybody!

This is what we have:

W2k workstations connect to our PIX 515 over the internet (non-DSL connections) with various versions (3.6-4.0) of Cisco VPN Client. WHILE being connected they need to use our internal MS ISA server. It's a key difference from a lot of questions posted here: they do not use the ISA server to connect to the PIX, they use it when they have already formed the tunnel with the PIX. So, as soon as they enable the ISA client and try to use IE or Outlook, the VPN connection drops.

Any ideas?

Thanks in advance,

Gregory Philippov


Re: VPN Client drops session if MS ISA client is active

Is the VPN connection dropping only when the ISA client is enabled, or is it happening for other connections also? Microsoft routing problems can occur when a VPN Client gets an IP address from the device terminating the tunnel (e.g. PIX) that is on the same network as the local NIC card. In this case, the user cannot send any data over the client connection since the packets are sent to the NIC. Symptoms of this problem are that the VPN tunnel comes up, but the PC cannot pass traffic. I am not sure if you are running into this; however, use the information in the doc to rule out this possibility.
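Added example, not part of the original thread: a Python sketch of the address-overlap condition described in the reply above, showing why the tunnel comes up but traffic leaves through the local NIC. Interface names, addresses and route metrics are constructed, and the lower metric on the physical NIC is an assumption.

```python
import ipaddress

def overlapping_subnets(local_ifaces, vpn_addr, vpn_mask):
    """Return the local NICs whose subnet overlaps the VPN-assigned subnet."""
    vpn_net = ipaddress.ip_network(f"{vpn_addr}/{vpn_mask}", strict=False)
    return [name for name, cidr in local_ifaces.items()
            if ipaddress.ip_interface(cidr).network.overlaps(vpn_net)]

def pick_route(routes, dest):
    """Longest-prefix match, lowest metric as tiebreak; returns the interface."""
    dest = ipaddress.ip_address(dest)
    candidates = [(net.prefixlen, -metric, iface)
                  for net, metric, iface in routes if dest in net]
    return max(candidates)[2] if candidates else None

def route(cidr, metric, iface):
    return (ipaddress.ip_network(cidr), metric, iface)

# Constructed case 1: home LAN uses the same subnet the PIX hands out.
CONFLICT_IFACES = {"nic": "192.168.1.50/24"}
CONFLICT_ROUTES = [
    route("192.168.1.0/24", 10, "nic"),   # connected route of the physical NIC
    route("192.168.1.0/24", 20, "vpn"),   # connected route of the VPN adapter
    route("0.0.0.0/0", 10, "nic"),
]

# Constructed case 2: home LAN on a different subnet.
CLEAN_IFACES = {"nic": "10.0.0.50/24"}
CLEAN_ROUTES = [
    route("10.0.0.0/24", 10, "nic"),
    route("192.168.1.0/24", 20, "vpn"),
    route("0.0.0.0/0", 10, "nic"),
]

if __name__ == "__main__":
    vpn_addr, vpn_mask = "192.168.1.200", "255.255.255.0"  # constructed pool address
    server = "192.168.1.10"                                # constructed internal host
    for label, ifaces, routes in (("conflict", CONFLICT_IFACES, CONFLICT_ROUTES),
                                  ("clean", CLEAN_IFACES, CLEAN_ROUTES)):
        print(label,
              "overlap:", overlapping_subnets(ifaces, vpn_addr, vpn_mask),
              "egress for", server, "->", pick_route(routes, server))
```
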

New Member

Re: VPN Client drops session if MS ISA client is active

VPN is stable when the ISA client is disabled. You can browse files on the server OK. As soon as you enable the ISA client, the VPN connection starts breaking apart. Plus, the local NIC is NOT on the same network as the PIX.

New Member

Re: VPN Client drops session if MS ISA client is active

So they are connected through the PIX for VPN and are trying to use the other connection of the ISA server to access resources? Try adding a route that the VPN connection can use. It would show in the connection.

The ISA client is crap. We went down that path and found out MS doesn't even support it. The only difference the ISA client gives you is the ability to open and close based on username. Go with a default gateway and do the firewall by IP; trust me, it's much easier.

The reason why it's dropping is that the ISA Firewall client is acting as a default gateway to the ISA server, and if your VPN connection is not going through the ISA then all outside connectivity is dropped.

We had started to load the ISA client on machines, then realized it was more of a hassle than it was worth. I am able to pass the same traffic from a gateway-based PC as I would from a client-based PC. Don't believe that you can't utilize the secondary connections through a gateway on a PC.

To put it to you this way, you have 2 choices, IP Gateway or use the proxy feature for www access.

One more thing: what the clients are connecting to, is it a split tunnel or non-split? That could have a lot to do with it.

New Member

Re: VPN Client drops session if MS ISA client is active

Thanks for your response!

I'll try to clarify our setup a bit :)

We have one FR channel to our ISP and several sales reps in other cities wired to the Internet. Those reps are supposed to work through the VPN tunnels in our main office LAN. But if they do, they do not have access to the internet and mail (the mail server is not on our LAN). Since we do not want to go with tunnel splitting, the only option we have left is an internal proxy for our remote people to use internet and mail.