One person reports to me that he can no longer connect to the 5505 certificate based VPN.
I got him to send me his VPN client log file for 2 attempts, one with Connection Entry Property - Transport set to UDP, the other with it set to TCP. (Both these settings work for multiple other people.)
In the log file for the UDP attempt I find a point where the client sends
"ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT)",
then the client sends 3
"ISAKMP OAK MM (FRAG)"
After that, it just retransmits the 4 messages shown above until it gives up. A successful connection logged on another machine shows the client receiving an "ISAKMP packet", then 3 "ISAKMP OAK MM (FRAG)".
His log file for the attempt using TCP for the transport shows 4 TCP SYN packets sent from the client, but no SYN-ACK is received back by the client.
This happens when he attempts connecting from home, where his ISP is Comcast.
The same machine, on our enterprise unsecured wireless connects successfully.
So there must be an issue in his home network, or with Comcast. Something that could conceivably have changed between Thursday and Friday last week...
Can anyone suggest what I might tell him to check for, or to ask Comcast about?
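As an added example (not part of the original post), the stall described above can be picked out of a client log mechanically: find the last packet the client received, then measure how many times the same group of unanswered messages was retransmitted after it. The sample lines below are constructed in the shape of Cisco VPN Client "SENDING >>>" / "RECEIVING <<<" entries; the IP address 198.51.100.10 and the exact line layout are assumptions, not copied from the poster's logs.

```python
import re

# Constructed sample in the shape of Cisco VPN Client IKE log entries.
# The gateway address and timestamps are made up for the example.
_HANDSHAKE_OK = """\
5  09:12:01.100 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 198.51.100.10
7  09:12:01.150 03/02/18 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag)) from 198.51.100.10
9  09:12:01.200 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 198.51.100.10
11 09:12:01.300 03/02/18 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, CERT_REQ) from 198.51.100.10
"""

# The fragmented, certificate-bearing fifth main-mode message: one header
# packet plus three IKE fragments, exactly the group the post describes.
_MSG5_BLOCK = """\
13 09:12:01.400 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 198.51.100.10
14 09:12:01.401 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to 198.51.100.10
15 09:12:01.402 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to 198.51.100.10
16 09:12:01.403 03/02/18 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to 198.51.100.10
"""

# Failing attempt: message 5 sent once, then retransmitted three more times.
STALLED_LOG = _HANDSHAKE_OK + _MSG5_BLOCK * 4

# Working attempt: message 5 sent once, then the gateway answers.
SUCCESS_LOG = _HANDSHAKE_OK + _MSG5_BLOCK + """\
17 09:12:01.500 03/02/18 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 198.51.100.10
"""

_LINE = re.compile(r"^(SENDING >>>|RECEIVING <<<) (ISAKMP .*?) (?:to|from) \S+$")


def parse_ike_events(log_text):
    """Return [(direction, payload)] where direction is 'TX' or 'RX'."""
    events = []
    for line in log_text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append(("TX" if m.group(1).startswith("SENDING") else "RX", m.group(2)))
    return events


def diagnose(events):
    """Locate the last received packet and count retransmissions after it."""
    last_rx = max((i for i, (d, _) in enumerate(events) if d == "RX"), default=-1)
    tail = [p for d, p in events[last_rx + 1:] if d == "TX"]
    if not tail:
        return {"stalled": False, "last_received": events[last_rx][1] if last_rx >= 0 else None}
    # The unanswered group runs from the first unanswered send up to the
    # point where that same first message appears again (a retransmit).
    try:
        group_len = tail.index(tail[0], 1)
    except ValueError:
        group_len = len(tail)
    group = tail[:group_len]
    transmissions = sum(
        1 for i in range(0, len(tail), group_len) if tail[i:i + group_len] == group
    )
    return {
        "stalled": True,
        "last_received": events[last_rx][1] if last_rx >= 0 else None,
        "unanswered": group,
        "transmissions": transmissions,
        "retransmits": transmissions - 1,
        # Fragmented IKE (large certificate payloads) is a common casualty of
        # a CPE or ISP path that passes small UDP/500 packets but not fragments.
        "fragmented": any("(FRAG)" in p for p in group),
    }


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("success", SUCCESS_LOG)):
        print(name, diagnose(parse_ike_events(log)))
```

Running it on the two constructed logs reports four transmissions (three retransmits) of the fragmented message-5 group with no reply for the failing case, and no stall for the working case. The "fragmented" flag is the detail worth raising with the home-network or ISP side: the first four main-mode packets got through, and only the large, fragmented one is unanswered.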
If he never receives a SYN-ACK back from the ASA, it sounds like the SYN packet doesn't even leave the home network/Comcast. It could very well be Comcast, as I know someone who used Comcast before and couldn't connect to VPN, but when he connected wirelessly through a different ISP, it worked just fine.
If you suspect that Comcast might be interfering with the traffic, it might be helpful to use the capture facility of the ASA to capture packets originating from the user's IP address and being sent to the user's IP address. Especially for the TCP attempt, it would verify whether the ASA is seeing the SYN request and is sending a response.
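An added example of the ASA-side capture the reply suggests (not taken from the thread; the addresses are placeholders and the TCP port assumes the default IPsec-over-TCP port 10000, which the post does not state):

```text
! Capture everything between the user's public IP and the ASA outside address,
! in both directions. Replace 203.0.113.45 (user) and 192.0.2.1 (ASA outside).
capture vpnuser interface outside match ip host 203.0.113.45 host 192.0.2.1

! Ask the user to attempt UDP and then TCP, then inspect:
show capture vpnuser

! Expected for the UDP attempt: UDP/500 (or UDP/4500 behind NAT) from the user,
! including the fragmented fifth main-mode packet, and the ASA's reply.
! Expected for the TCP attempt: TCP SYN to port 10000 from the user and
! SYN-ACK from the ASA. If the SYNs or the IKE fragments never appear,
! the loss is upstream of the ASA (home router or ISP); if the ASA's
! replies appear but the client never logs them, the loss is on the return path.

! Optional: save the buffer for Wireshark, then remove the capture.
copy /pcap capture:vpnuser tftp://198.51.100.5/vpnuser.pcap
no capture vpnuser
```

Keep the capture narrow to one host pair as above; an unfiltered capture on the outside interface fills its buffer within seconds on a busy gateway.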
Has your client recently changed any settings on his home router? For instance, is either his firewall or his router blocking IPsec or PPTP? He might have recently gotten either a new router or a new firewall program which is blocking those protocols. If so, then VPN won't work.