01-09-2003 04:21 AM - edited 02-21-2020 12:16 PM
Hi
Have the following problem.
Connection from the VPN client version 3.6.3 to Concentrator 3005 ver 3.6.7 goes ok, but I cannot pass any traffic through the tunnel.
It seems like traffic only passes one way: counters in the client increase on the encrypt packets, and the decrypt packets remain at 0.
I have tried through a no-NAT environment also, and I still get the same problem.
Even tried over TCP port 10000, still the same problem.
I think it has to do with a routing issue between the VPN 3005 and my inside router.
I'm using the client pool range 10.253.252.1 - 10.253.252.254 (10.253.252.0 255.255.255.0).
Private interface resides on 10.253.4.4 (10.253.4.0 255.255.255.0 network).
The client should use the router 10.253.4.1 as default gateway for the tunnels.
The 10.253.4.1 router has a static route that points back the 10.253.253.0 255.255.255.0 to VPN3005 10.253.4.4.
My question: do I need to make a routing entry on the VPN3005 itself for the 10.253.252.0 255.255.255.0 network, or is it done automatically when creating the pool?
Or could the problem source be something else?
Best Regards Stefan
01-09-2003 09:43 AM
Hi Stefan,
- In the above case, I am assuming the statement:
"the 10.253.4.1 router has a static route that points back the 10.253.253.0 255.255.255.0 to VPN3005 10.253.4.4 "
is a typo where the network you mean is 10.253.252.0/24.
- Assuming that you have the route on your router, do confirm that your VPN3K can ping the same host to which you are attempting from the client.
- Also, try pinging via IP address if you are just trying through some application; name resolution may be the issue as well.
- Another check is to make sure that either your Tunnel default gateway points to 10.253.4.1 or you have individual corporate network routes on your VPN3K pointing to 10.253.4.1.
- As for your question, you do not need an entry in the VPN3K for the pool of addresses, since the VPN3K creates host routes upon client connection.
01-09-2003 01:02 PM
Hi
Thanks for your reply. Yes, I made a typing error; it should be
"the 10.253.4.1 router has a static route that points back the 10.253.252.0 255.255.255.0 to VPN3005 10.253.4.4 "
I have tried to ping from the VPN3K and it works fine.
Tunnel default gateway is set to 10.253.4.1 (have also tried static routes).
I also tried pinging the same IP from the client, still no success.
Still only traffic one way.
When I check the IPsec stats on the 3005, it seems to drop all Phase 2 received packets. The IPSec (Phase 2) stats are below.
I'm almost out of ideas. Maybe the IPsec Phase 2 is not entirely established?
/Best Regards Stefan
IPSec (Phase 2) Statistics
Active Tunnels 0
Total Tunnels 10
Received Bytes 35712
Sent Bytes 0
Received Packets 558
Sent Packets 0
Received Packets Dropped 558
Received Packets Dropped (Anti-Replay) 0
Sent Packets Dropped 0
Inbound Authentications 558
Failed Inbound Authentications 0
Outbound Authentications 0
Failed Outbound Authentications 0
Decryptions 558
Failed Decryptions 0
Encryptions 0
Failed Encryptions 0
System Capability Failures 0
No-SA Failures 0
Protocol Use Failures 0
01-09-2003 05:11 PM
Hi Stefan,
- With regards to the ipsec phase 2, it can be verified once a tunnel is established between vpn client and vpn3k. Go to "Administration | Administer Sessions" and click on the connected client; this will show you detailed information. Here you should be able to see the byte RX as well as both IKE and IPSEC sessions.
- Are you sending any specific networks to the vpn client to access behind the vpn3k? Confirm by clicking on the lock on the client side; if not, then try to ping the inside interface of the vpn3k as well.
Rgds,
Tahir
01-10-2003 02:03 AM
Hi Tahir
Thanks for your help, I found the problem.
It was my mistake, there was a filter on the private interface that shouldn't be there. Now everything works as it should.
Once again, thanks for your help.
/Best Regards Stefan
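
An added example, not part of the original thread: a small Python triage of the Phase 2 counters pasted above. The counter labels are taken from the posted statistics; the meaning attached to each pattern is an assumption consistent with how the thread resolved (a filter on the private interface), not Cisco's documented semantics.

```python
import re

# Constructed sample: a subset of the counters posted in this thread.
SAMPLE = """\
Received Packets 558
Sent Packets 0
Received Packets Dropped 558
Received Packets Dropped (Anti-Replay) 0
Failed Inbound Authentications 0
Decryptions 558
Failed Decryptions 0
Encryptions 0
No-SA Failures 0
"""

def parse_counters(text):
    """Turn 'Label <integer>' lines into {label: int}; other lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def triage(c):
    """Return findings; the meaning given to each pattern is an assumption."""
    rx = c.get("Received Packets", 0)
    if rx == 0:
        return ["no packets received on the tunnel: check the path from the client"]
    findings = []
    if c.get("Failed Inbound Authentications", 0) or c.get("Failed Decryptions", 0):
        findings.append("crypto failures: possible key or SA mismatch")
    if c.get("Received Packets Dropped (Anti-Replay)", 0):
        findings.append("anti-replay drops: duplicated or reordered packets")
    if c.get("No-SA Failures", 0):
        findings.append("packets arrived for an SA the device does not hold")
    # Everything decrypted cleanly yet everything was dropped: the drop happens
    # after decryption, so look at interface filters and routing, not at IPsec.
    if not findings and c.get("Decryptions", 0) == rx \
            and c.get("Received Packets Dropped", 0) == rx:
        findings.append("decrypted but dropped: check interface filters and routes")
    if c.get("Sent Packets", 0) == 0 and c.get("Encryptions", 0) == 0:
        findings.append("nothing encrypted toward the client: no return traffic")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_counters(SAMPLE)):
        print(finding)
```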