Cisco Support Community

New Member

VPN Client PC does not get assigned IP, can not communicate with LAN

We are using a Cisco PIX 506 running PIX Version 6.2(1)

We have installed Cisco Secure VPN Client 1.1 on a couple of laptops with the same result.

When we connect to the internet and the vpn client session starts to access the local network, we get a request for username and password, the authentication works and the client is assigned an IP Address from the vpn-pool (you can see it on the client log and on the pix debug screens), but it all stops there.

The Client (laptop) does not recognize the newly assigned IP address, therefore there is no IP route to the network and I can not ping anything via the VPN client. Using the ipconfig or the route print commands on the client reveals no newly assigned address.

Here is the config of our PIX

solaintl(config)# show conf

: Saved

: Written by enable_15 at 10:26:51.753 UTC Wed Jun 26 2002

PIX Version 6.2(1)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ry.BJEjQAchWMHYi encrypted

passwd zEnA/ZabsT5E/MmK encrypted

hostname solaintl

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 80 permit ip 10.1.160.0 255.255.255.0 10.1.161.0 255.255.255.0

access-list 80 permit tcp 10.1.160.0 255.255.255.0 10.1.161.0 255.255.255.0

pager lines 24

logging on

interface ethernet0 10baset

interface ethernet1 10baset

mtu outside 1500

mtu inside 1500

ip address outside 12.105.233.236 255.255.255.240

ip address inside 10.1.160.3 255.255.248.0

ip audit info action alarm

ip audit attack action alarm

ip local pool vpn-pool 10.1.161.2-10.1.161.25

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 80

static (inside,outside) 12.105.233.236 10.1.160.3 netmask 255.255.255.255 0 0

static (inside,outside) 12.105.233.238 10.1.160.55 netmask 255.255.255.255 0 0

static (inside,outside) 12.105.233.237 10.1.160.51 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 12.105.233.225 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 10.1.160.54 sicxxxxxx timeout 5

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 10.1.160.54 sicxxxxxx timeout 5

aaa-server LOCAL protocol local

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host 10.1.160.54 sicxxxxxx timeout 5

aaa-server tacacs+ protocol tacacs+

aaa-server tacacs+ (outside) host 10.1.160.54 sicxxxxxx timeout 5

aaa-server radius protocol tacacs+

aaa-server radius (outside) host 10.1.160.54 sicxxxxxx timeout 5

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

no floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set strong-des esp-des esp-md5-hmac

crypto dynamic-map cisco 8 set transform-set strong-des

crypto map partner-map 8 ipsec-isakmp dynamic cisco

crypto map partner-map client configuration address initiate

crypto map partner-map client configuration address respond

crypto map partner-map client authentication partnerauth

crypto map partner-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp identity address

isakmp client configuration address-pool local vpn-pool outside

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

vpngroup sola address-pool vpn-pool

vpngroup sola wins-server 10.1.160.51

vpngroup sola split-tunnel 80

vpngroup sola idle-time 1800

vpngroup sola password ********

telnet 10.1.160.0 255.255.248.0 inside

telnet timeout 10

ssh timeout 5

vpdn username administrator password ********

vpdn username corpvpn password ********

vpdn enable outside

terminal width 80

Cryptochecksum:fb73631ae7d85c5964500851c423839e

Here are the results of show crypto map and show crypto ipsec sa

solaintl(config)# show crypto map

Crypto Map: "partner-map" interfaces: { outside }

client configuration address initiate

client configuration address respond

client authentication partnerauth

Crypto Map "partner-map" 8 ipsec-isakmp

Dynamic map template tag: cisco

Crypto Map "partner-map" 10 ipsec-isakmp

Peer = 32.101.185.217

access-list dynacl16; 1 elements

access-list dynacl16 (3) permit ip host 12.105.233.236 host 10.1.161.2

(id=20) (refcnt=2) (hitcnt=0)

dynamic (created from dynamic map cisco/8)

Current peer: 32.101.185.217

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ strong-des, }

solaintl(config)# show crypto ipsec sa

interface: outside

Crypto map tag: partner-map, local addr. 12.105.233.236

local ident (addr/mask/prot/port): (12.105.233.236/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.1.161.2/255.255.255.255/0/0)

current_peer: 32.101.185.217

dynamic allocated peer ip: 10.1.161.2

PERMIT, flags={}

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 12.105.233.236, remote crypto endpt.: 32.101.185.217

path mtu 1500, ipsec overhead 56, media mtu 1500

current outbound spi: 162a9f3b

inbound esp sas:

spi: 0x30ca868d(818579085)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 1, crypto map: partner-map

sa timing: remaining key lifetime (k/sec): (4608000/27987)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x162a9f3b(371892027)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2, crypto map: partner-map

sa timing: remaining key lifetime (k/sec): (4607999/27951)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:

Thank you for your help!

6 REPLIES
Silver

Re: VPN Client PC does not get assigned IP, can not communicate

The details of the client connection only show up on the log, not on the command ipconfig. So that is not an issue.

The configuration of the PIX looks correct, and if the debugs on the client stop, then it tends to mean that the client has connected successfully.

It would take about 2 pings before you get success on a ping to the network behind the PIX. The other issue is whether the PCs behind the PIX have their default gateway set to the inside of the PIX.

You could also do debug icmp trace on the PIX, and trace the ping from the client to see if it gets to the PIX, and where it stops.

Otherwise, you might want to consider opening a case with Cisco TAC for the issue.

New Member

Re: VPN Client PC does not get assigned IP, can not communicate

I have checked the configuration in your PIX as well as the debug information; the remote access VPN tunnel has been built up and the IP address has been assigned to the client.

There are three encryptions but no decryptions. That means there are routing issues in the client PC.

For the VPN client 1.1 or even 3.x, the IP address assigned from the VPN server will not show up in the "IPCONFIG" command. From the client debug, you will see whether the IP address has been assigned or not.

Sometimes, the IPSec protocol being blocked will cause the same problem.

Because UDP 500 (ISAKMP) is not blocked, you can pass authentication and get a connection, but not ping anything.

Use another dial-up account from another ISP or directly plug a PC into the PIX outside interface and do a quick test; I think you might be able to ping the inside network.
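The counter check this reply applies by eye (three encapsulations, no decapsulations), written out as an added example that is not part of the original thread. The function names and the diagnosis labels are assumptions of this example, and the sample text is constructed from the counter format pasted above.

```python
import re

# Constructed sample: counter lines in the format pasted in this thread.
SAMPLE = """\
local ident (addr/mask/prot/port): (12.105.233.236/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.1.161.2/255.255.255.255/0/0)
current_peer: 32.101.185.217
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 0, #recv errors 0
"""

# Most counter names end in ':' but some do not ("#pkts digest 3").
COUNTER = re.compile(r"#(?:pkts )?([a-z. ]+?):? (\d+)")

def parse_sas(text):
    """Return one dict per SA block: peer, remote ident, packet counters."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("local ident"):      # a new SA block starts here
            sas.append({"peer": None, "remote": None, "counters": {}})
        if not sas:
            continue
        sa = sas[-1]
        if line.startswith("remote ident"):
            sa["remote"] = line.split("(")[-1].split("/")[0]
        elif line.startswith("current_peer:"):
            sa["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            for name, value in COUNTER.findall(line):
                sa["counters"][name] = int(value)
    return sas

def diagnose(sa):
    """Classify traffic direction from the gateway's point of view."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc and not dec:
        return "one-way-outbound"   # nothing from the client is decrypted
    if dec and not enc:
        return "one-way-inbound"    # replies from inside never reach the gateway
    return "bidirectional" if enc else "idle"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["peer"], sa["remote"], diagnose(sa))
```

A "one-way-outbound" result matches the two causes named in this reply: client-side routing, or IPSec being filtered in the path while UDP 500 is allowed through.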

New Member

Re: VPN Client PC does not get assigned IP, can not communicate

Thank you both for your help.

It is my first setup of VPN with Cisco Hardware/Software and I have only done it with Microsoft products; that's why I kept looking for ipconfig and ip routes.

I have to say that all our servers have a gateway that points at the CISCO router managing our WAN; but now that you mention this, I will add a static route on the servers where we need access to send all traffic for 10.1.161.0 to the internal ip of the PIX... That might be an issue...

I will also try all that has been suggested.

icmp tracing

alternative isp and direct connection to the PIX

I will do all of this tomorrow (Thursday morning), because dinner awaits!

Thank you!

New Member

Re: VPN Client PC does not get assigned IP, can not communicate

I have added static routes to our servers for 10.1.161.0 (the vpn-pool) but I may have a fundamental routing problem at the pix and/or the client... nothing pings nothing!

Inside or Outside, real IP or assigned IP...

Do you think mine is a problem outside the VPN settings?

Look at this session, I connected the client and then set to debug pings, but again, nothing pings nothing:

solaintl(config)# debug icmp trace

ICMP trace on

Warning: this may cause problems on busy networks

solaintl(config)# show crypto map

Crypto Map: "partner-map" interfaces: { outside }

client configuration address initiate

client configuration address respond

client authentication partnerauth

Crypto Map "partner-map" 8 ipsec-isakmp

Dynamic map template tag: cisco

Crypto Map "partner-map" 10 ipsec-isakmp

Peer = 129.37.43.148

access-list dynacl18; 1 elements

access-list dynacl18 (3) permit ip host 12.105.233.236 host 10.1.161.2

(id=24) (refcnt=2) (hitcnt=3)

dynamic (created from dynamic map cisco/8)

Current peer: 129.37.43.148

Security association lifetime: 4608000 kilobytes/28800 seconds

PFS (Y/N): N

Transform sets={ strong-des, }

solaintl(config)#

solaintl(config)# ping outside 10.1.161.2

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

solaintl(config)# ping inside 10.1.161.2

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

solaintl(config)# ping 10.1.161.2

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

10.1.161.2 NO response received -- 1000ms

solaintl(config)# ping 129.37.43.148

129.37.43.148 NO response received -- 1000ms

129.37.43.148 NO response received -- 1000ms

129.37.43.148 NO response received -- 1000ms

solaintl(config)# ping inside 12.105.233.236

12.105.233.236 NO response received -- 1000ms

12.105.233.236 NO response received -- 1000ms

12.105.233.236 NO response received -- 1000ms

solaintl(config)# ping outside 10.1.160.3

10.1.160.3 NO response received -- 1000ms

10.1.160.3 NO response received -- 1000ms

10.1.160.3 NO response received -- 1000ms

solaintl(config)#

BTW I have opened a case with CISCO. The Engineer is now researching the problem...

Thanks for your help!

New Member

Re: VPN Client PC does not get assigned IP, can not communicate

I noticed that you are running 6.2; try loading the new PDM 2.0. There is a built-in wizard that will greatly reduce your time in trying to figure this out.

New Member

Re: VPN Client PC does not get assigned IP, can not communicate

Thank you!

We've learned a lot in the last 2 weeks! I was expecting to see the assigned IP address using IPConfig and that is not the case.

We also had errors in our configuration of the Cisco Secure VPN Client.

A Cisco Engineer walked us through the settings for the IP Subnet and Tunnel and it started working.

I will research PDM 2.0 to see if we can benefit from it!

Thanks Again!
