Cisco Support Community
New Member

Cisco VPN client connects but no data

Hi,

I have been busy for days now trying to get the cisco VPN client to work. I administer a network with 8 pixes 7 501's and one 506E. They are all connected by site to site VPN's. For a few people I want the ability to access the 506E from home. I used to do this with PPTP but found that it was not secure enough and decided to switch to Cisco VPN client. I setup VPN client on the pix 506E using the PDM, installed the client on my laptop and made connection. The connection is fine, only I cannot get any data through the tunnel. No ping no RDP.

I tried about every option I could find. Switching back to PPTP gave connection again with data. Does somebody have any tips?

Thanks in advance

Daniel

18 REPLIES

Re: Cisco VPN client connects but no data

Turn on logging in the VPN client, it's pretty good about telling you what is wrong. Post the log file if it isn't obvious.

New Member

Re: Cisco VPN client connects but no data

Hi,

This is what my VPN log says, it's not obvious to me.

Cisco Systems VPN Client Version 4.6.00.0049

Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 2

Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 17:31:05.188 10/17/06 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

2 17:32:11.957 10/17/06 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

3 17:32:51.689 10/17/06 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: DeleteIpForwardEntry, error 87

Thank you!

Re: Cisco VPN client connects but no data

Please set all logging to high and post results. Thanks,

New Member

Re: Cisco VPN client connects but no data

Hi,

I found out half of the problem; the problem is not at the pix I am trying to reach but at the pix in my house here. When pasting the VPN log in google I found 2 other people with the same problem, the answer was to fixup protocol ESP-IKE. I can't fixup this protocol because then it gives me the warning that ISAKMP is active and when ISAKMP is active ESP can't be active. I think ISAKMP is active due to my Site to Site tunnels. So I hooked up my laptop directly to the modem and had a perfect VPN tunnel with the other pix through the VPN client. Do you have any ideas how I could configure my pix to use the ISAKMP and the ESP? Here I attach the log file on high, this is behind the PIX.

Thankx

New Member

Re: Cisco VPN client connects but no data

And here is the attachment

Re: Cisco VPN client connects but no data

Hello Daniel,

can you post the configuration of the PIX to which you are trying to connect with your VPN client ?

Regards,

GNT

New Member

Re: Cisco VPN client connects but no data

Here is the config of the pix I am connecting with. Again, if I don't connect through behind the PIX here the connection is fine.

Re: Cisco VPN client connects but no data

Hello,

thanks for the config. I am not sure what addresses you are using for your local pool 'Mardan', but make sure these addresses are not part of the network configured on your inside interface. Let's assume your inside interface has IP address 10.10.10.1/24, and your local pool Mardan is giving out addresses in the range 192.168.1.1-192.168.1.254. The configuration needs to look like this:

nat (inside) 0 access-list inside_outbound_nat0_acl

ip address inside 10.10.10.1 255.255.255.0

ip local pool Mardan 192.168.1.1-192.168.1.254

access-list 101 permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

Since your IP addresses are not fully visible, can you check and see if your PIX is configured like the above ?

Regards,

GNT

New Member

Re: Cisco VPN client connects but no data

Hi,

Yes for security reasons I cannot post my full IP address. But yes I configured them differently my normal pool starts with 192 and my VPN pool with 172. Again switching to PPTP with the same pool active I have no trouble entering the network.

Thank you!

Daniel

Re: Cisco VPN client connects but no data

Try enabling NAT-T on the PIX.

isakmp nat-traversal [natkeepalive]

New Member

Re: Cisco VPN client connects but no data

Still no luck. Behind a zywall there was no problem.

New Member

Re: Cisco VPN client connects but no data

Have you configured your nat 0 statements to disable translation to the IP pool being assigned to your VPN clients?

Something like this

ip local pool vpndhcp 172.16.1.15-172.16.1.20 mask 255.255.255.0

access-list inside_outbound_nat0_acl permit ip any 172.16.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl

I experienced a similar issue when I first configured my firewall to host client vpn connections.

New Member

Re: Cisco VPN client connects but no data

Yes I have those. They also should be in the config file I posted. Again the problem is not in the firewall I am trying to reach, but in the PIX I am behind who for some reason cannot use ISAKMP and ESP at the same time.

Thanks

Re: Cisco VPN client connects but no data

Hello Daniel,

try and configure split tunneling for your PIX as following:

access-list splitTunnelAcl_1 permit ip 10.10.10.0 255.255.255.0 any

vpngroup Mardan split-tunnel splitTunnelAcl_1

where 10.10.10.0 is the network your inside interface is configured on (you probably need to change this to reflect what you have actually configured on your inside interface)...

Regards,

GNT

New Member

Re: Cisco VPN client connects but no data

Hi,

Don't want to sound ignorant, but before I try it, why would it help if I can make a good VPN connection without the PIX here and behind a different firewall. The problem is that my pix doesn't let part of the protocol through, the other pix works fine. And if I split the tunnel there I am not changing anything here.

Daniel

New Member

Re: Cisco VPN client connects but no data

I have seen the same problem..

Ensure that the following is configured on your system.

1. isakmp nat-traversal.

Also ensure that UDP 4500 is open as well. The VPN client when passing through a NAT device here requires this port open as well as UDP 500 and ESP.

Is sysopt connection permit-ipsec configured as well?

New Member

Re: Cisco VPN client connects but no data

AAHHHH,

I don't know what those lines do exactly but all my Site to Site lan lines quit working. I had to take them out again and reload the pix, take some of them out another time to get the tunnels working again. But even setup with UDP 4500 and 500 (both configured static) and ESP open outside any to inside ANY the VPN client connected but no data transfer.

Thanks!

New Member

Re: Cisco VPN client connects but no data

Well I finally solved the problem searching on the internet, I post this answer here for the searchers after me. The clue is you have to put the sentence "sysopt connection permit-ipsec" in the firewall you are behind. Then put "isakmp nat-traversal 20" in the firewall you are trying to reach. Don't open any ports, it's not very logical to me, but for some reason this works.

Thanks for all your help
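The head-end checks suggested in the replies above (VPN pool outside the inside network, a `nat (inside) 0` exemption covering the pool, and `isakmp nat-traversal` enabled) can be run against a saved configuration. The following is an added example, not code from the thread or from Cisco; the function names and the sample configuration are constructed, and the parser only handles the line forms quoted in this thread.

```python
import ipaddress
import re

# Constructed sample, using the illustrative addresses from the replies above.
SAMPLE_CONFIG = """\
ip address inside 10.10.10.1 255.255.255.0
ip local pool vpndhcp 172.16.1.15-172.16.1.20 mask 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
isakmp nat-traversal 20
"""

def acl_destinations(config, name):
    """Destination networks of 'permit ip' entries in the named ACL."""
    dests = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", name, "permit", "ip"] or len(tok) < 6:
            continue
        if tok[-1] == "any":
            dests.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok[-2] == "host":
            dests.append(ipaddress.ip_network(tok[-1] + "/32"))
        else:  # "<network> <mask>" form
            dests.append(ipaddress.ip_network(f"{tok[-2]}/{tok[-1]}", strict=False))
    return dests

def audit_pix_vpn(config):
    """Return findings (an empty list means all three checks pass)."""
    findings = []
    inside = re.search(r"^ip address inside (\S+) (\S+)", config, re.M)
    inside_net = (ipaddress.ip_network(f"{inside[1]}/{inside[2]}", strict=False)
                  if inside else None)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    exempt = acl_destinations(config, nat0[1]) if nat0 else []
    for name, lo, hi in re.findall(
            r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        ends = [ipaddress.ip_address(lo), ipaddress.ip_address(hi)]
        if inside_net and any(a in inside_net for a in ends):
            findings.append(f"pool {name} overlaps inside network {inside_net}")
        if not any(all(a in net for a in ends) for net in exempt):
            findings.append(f"pool {name} not covered by a nat 0 exemption")
    if not re.search(r"^isakmp nat-traversal\b", config, re.M):
        findings.append("isakmp nat-traversal not enabled")
    return findings

if __name__ == "__main__":
    print(audit_pix_vpn(SAMPLE_CONFIG) or "no findings")
```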
