
VPN Client to VPN 30005 Concentrator no traffic received

Hi

Have the following problem.

Connection from the VPN client version 3.6.3 to Concentrator 3005 ver 3.6.7 goes OK, but I cannot pass any traffic through the tunnel.

It seems like traffic only passes one way: counters in the client increase on the encrypt packets, and the decrypt packets remain at 0.

I have tried through a no-NAT environment also, and I still get the same problem.

Even tried over TCP port 10000, still the same problem.

I think it has to do with a routing issue between the VPN 3005 and my inside router.

I'm using the client pool range 10.253.252.1 - 10.253.252.254 (10.253.252.0 255.255.255.0).

The private interface resides on 10.253.4.4 (10.253.4.0 255.255.255.0 network).

The client should use the router 10.253.4.1 as default gateway for the tunnels.

The 10.253.4.1 router has a static route that points back the 10.253.253.0 255.255.255.0 to VPN3005 10.253.4.4.

My question: do I need to make a routing entry on the VPN3005 itself for the 10.253.252.0 255.255.255.0 network, or is it done automatically when creating the pool?

Or could the problem source be something else?

Best Regards Stefan


tbukhari
Cisco Employee

Hi Stefan,

- In the above case, I am assuming the statement:

"the 10.253.4.1 router has a static route that points back the 10.253.253.0 255.255.255.0 to VPN3005 10.253.4.4 "

is a typo where the network you mean is 10.253.252.0/24.

- Assuming that you have the route on your router, do confirm that your VPN3K can ping the same host to which you are attempting from the client.

- Also, try pinging via IP address if you are just trying through some application; name resolution may be the issue as well.

- Another check is to make sure that either your Tunnel default gateway points to 10.253.4.1 or you have individual corporate network routes on your VPN3K pointing to 10.253.4.1

- As for your question, you do not need an entry in the VPN3K for the pool of addresses, since the VPN3K creates host routes upon client connection.

Hi

Thanks for your reply, yes I made a typing error it should be

"the 10.253.4.1 router has a static route that points back the 10.253.252.0 255.255.255.0 to VPN3005 10.253.4.4 "

I have tried to ping from the VPN3K and it works fine.

Tunnel default gateway is set to 10.253.4.1 (have also tried static routes).

I also tried pinging the same IP from the client, still no success.

Still only traffic one way.

When I check the IPsec stats on the 3005, it seems to drop all Phase2 received packets. The IPSec(Phase2) stats below.

I'm almost out of ideas. Maybe the IPsec Phase 2 is not entirely established?

/Best Regards Stefan

IPSec (Phase 2) Statistics

Active Tunnels 0

Total Tunnels 10

Received Bytes 35712

Sent Bytes 0

Received Packets 558

Sent Packets 0

Received Packets Dropped 558

Received Packets Dropped (Anti-Replay) 0

Sent Packets Dropped 0

Inbound Authentications 558

Failed Inbound Authentications 0

Outbound Authentications 0

Failed Outbound Authentications 0

Decryptions 558

Failed Decryptions 0

Encryptions 0

Failed Encryptions 0

System Capability Failures 0

No-SA Failures 0

Protocol Use Failures 0

Hi Stefan,

- With regard to IPsec phase 2, it can be verified once a tunnel is established between the VPN client and the VPN3K. Go to "Administration | Administer Sessions" and click on the connected client; this will show you detailed information. Here you should be able to see the byte RX as well as both IKE and IPSEC sessions.

- Are you sending any specific networks to vpn client to access behind vpn3k, confirm by clicking on the lock on client side, if not then try to ping the inside interface of vpn3k as well.

Rgds,

Tahir

Hi Tahir

Thanks for your help, I found the problem.

It was my mistake, there was a filter on the private interface that shouldn't be there. Now everything works as it should.

Once again, thanks for your help.

/Best Regards Stefan
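
Added example (not part of the original thread, and not Cisco tooling): a Python sketch that reads Phase 2 counters like the ones posted above and reports where inbound packets are being lost. It assumes the crypto failure counters are subsets of "Received Packets Dropped", which the thread does not confirm; the function names are hypothetical.

```python
import re

# Subset of the counters exactly as posted in the thread.
SAMPLE_STATS = """\
Received Packets 558
Received Packets Dropped 558
Received Packets Dropped (Anti-Replay) 0
Inbound Authentications 558
Failed Inbound Authentications 0
Decryptions 558
Failed Decryptions 0
Encryptions 0
No-SA Failures 0
"""

def parse_stats(text):
    """Map each 'Label <integer>' line to {label: int}; skip other lines."""
    stats = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(.+?)\s+(\d+)\s*", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats

def triage(stats):
    """List findings on where inbound tunnel traffic is lost."""
    def get(key):
        return stats.get(key, 0)
    # Drops the IPsec layer itself can explain (assumed subsets of the total).
    crypto_causes = {
        "anti-replay": get("Received Packets Dropped (Anti-Replay)"),
        "authentication failure": get("Failed Inbound Authentications"),
        "decryption failure": get("Failed Decryptions"),
        "no matching SA": get("No-SA Failures"),
    }
    findings = [f"{n} packets lost to {cause}"
                for cause, n in crypto_causes.items() if n]
    # Whatever remains was authenticated and decrypted, then discarded,
    # which points past IPsec: interface filters, rules or routing.
    unexplained = get("Received Packets Dropped") - sum(crypto_causes.values())
    if unexplained > 0:
        findings.append(f"{unexplained} packets dropped after successful "
                        "decryption: check filters and routing")
    if get("Received Packets") and not get("Encryptions"):
        findings.append("no return traffic encrypted: replies never enter the tunnel")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_stats(SAMPLE_STATS)):
        print(finding)
```

On the posted counters every drop is unexplained by the IPsec layer, which matches the cause found in the thread: a filter on the private interface.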