Cisco Support Community
New Member

SA 540 and cisco vpn client issue

Hi,

We bought a Cisco SA 540 for our office. After upgrading the firmware to the latest release, I created SSL connections without problems.

But now I would like to set up an IPsec connection for the Cisco VPN client.

I am able to connect from outside but I cannot access the office network.

Some network information.

office network : 192.168.10.x

SA 540 IP address : 192.168.10.254

ssl dhcp pool : 192.168.10.200 -> 192.168.10.230 ( works )

ipsec dynamic ip range : 192.168.11.200 -> 192.168.11.240

I set it up using the documentation available on the Cisco web site.

When I connect with the Cisco VPN client, I receive an IP from the IPsec pool and also a DNS server address.

The gateway is equal to the IP address given by IPsec but I cannot ping / access office servers.

What is wrong with my configuration?

Regards,

Grégory Borysiak

10 REPLIES
Bronze

Hello Gregory,

Can you ping the default gateway? Can you ping the 192.168.10.254 address for the inside of your router?

If you can then it is a firewall setting on your clients, or perhaps both the client and the inside office network firewall settings that are blocking the traffic. This is not a hardware firewall but the Microsoft or 3rd party antivirus firewall blocking.

Hope this helps.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

New Member

Hello Randy,

I can ping the default gateway given by the VPN client as below:

   Suffixe DNS propre à la connexion. . . :
   Description. . . . . . . . . . . . . . : Cisco Systems VPN Adapter for 64-bit Windows
   Adresse physique . . . . . . . . . . . : 00-05-9A-3C-78-00
   DHCP activé. . . . . . . . . . . . . . : Non
   Configuration automatique activée. . . : Oui
   Adresse IPv6 de liaison locale. . . . .: fe80::d5ba:2ca2:9e1e:6619%29(préféré)
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.11.200(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Passerelle par défaut. . . . . . . . . : 192.168.11.1
   IAID DHCPv6 . . . . . . . . . . . : 486540698
   DUID de client DHCPv6. . . . . . . . : 00-01-00-01-16-BB-51-DD-5C-26-0A-20-9A-92
   Serveurs DNS. . .  . . . . . . . . . . : 192.168.10.20
   Serveur WINS principal . . . . . . . . : 192.168.10.20
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé

C:\Users\grbofr>ping 192.168.11.200

Envoi d'une requête 'Ping'  192.168.11.200 avec 32 octets de données :

Réponse de 192.168.11.200 : octets=32 temps<1ms TTL=128

Réponse de 192.168.11.200 : octets=32 temps<1ms TTL=128

But I cannot ping the Cisco SA 540.

C:\Users\grbofr>ping 192.168.10.254

Envoi d'une requête 'Ping'  192.168.10.254 avec 32 octets de données :

Délai d'attente de la demande dépassé.

I disabled the firewall on my laptop running Windows 7 x64, and we are not using a firewall linked to the antivirus.

Should I create a route on my laptop? Or on the Cisco SA 540 to access the remote network?

Is there a specific firewall rule to create on it? I did not set up anything.

Regards,

Gregory

New Member

Just a note, I cannot ping the gateway 192.168.11.1.

New Member

Are you using Full or Split Tunnel on the VPN > IPSec > Dynamic IP Range page?  We are using Split Tunnel and found we had to reboot the device after selecting Split Tunnel and applying the change.

New Member

I configured it as full tunnel. As advised, I rebooted the device without success.

New Member

Some of our users had issues at some remote locations (like at Starbucks or other corporate environments) when we used Full Tunnel mode.  We had to switch to Split Tunnel and reboot the SA540 to ensure everyone gained access.  It also lessened the burden on our network because the Internet traffic wasn't being routed over the VPN connection.  I stopped troubleshooting after that.

Silver

Gregory,

Since you're still having trouble, I would suggest giving the Cisco Small Business Support Center a call @ 1-866-606-1866 and opening a support case with the next available engineer. Also, what Curtis was suggesting is a really good idea. Instead of full tunnel, use split tunnel, reboot the SA5xx and test.

Jasbryan

New Member

I tested split tunnel with a reboot. I can connect but no gateway is given by the appliance.

Silver

Gregory,

You shouldn't have a gateway address -

Yeah give support a call @ 1-866-606-1866 and open a support case

Jasbryan
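
Added illustration, not part of any post in this thread and not Cisco's code: a simplified model of the client route table in the full and split tunnel modes discussed above, showing which adapter each destination leaves through and why the VPN adapter carries no default gateway in split mode. The remote-site LAN 10.0.0.0/24, the peer address 203.0.113.10 and the adapter names are constructed, and that the appliance pushes 192.168.10.0/24 as the split-tunnel network is an assumption.

```python
import ipaddress

# Office LAN and IPsec pool come from the thread; the remote-site LAN and the
# appliance's public address (documentation range) are constructed placeholders.
OFFICE_LAN = ipaddress.ip_network("192.168.10.0/24")
IPSEC_POOL = ipaddress.ip_network("192.168.11.0/24")
REMOTE_LAN = ipaddress.ip_network("10.0.0.0/24")
VPN_PEER = ipaddress.ip_network("203.0.113.10/32")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
VPN, LOCAL = "vpn-adapter", "local-adapter"


def build_routes(mode):
    """Simplified client route table as (prefix, interface) pairs."""
    routes = [
        (REMOTE_LAN, LOCAL),   # on-link network at the remote site
        (VPN_PEER, LOCAL),     # encrypted packets must not re-enter the tunnel
        (IPSEC_POOL, VPN),     # on-link network of the virtual adapter
    ]
    if mode == "full":
        routes.append((DEFAULT, VPN))       # everything goes through the tunnel
    elif mode == "split":
        routes.append((OFFICE_LAN, VPN))    # only the protected network
        routes.append((DEFAULT, LOCAL))     # Internet stays on the local link
    else:
        raise ValueError(f"unknown tunnel mode: {mode!r}")
    return routes


def egress(routes, destination):
    """Longest-prefix match: return the interface used for destination."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, ifc) for net, ifc in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def vpn_has_default_gateway(routes):
    """True when the default route points at the VPN adapter."""
    return any(net == DEFAULT and ifc == VPN for net, ifc in routes)


if __name__ == "__main__":
    for mode in ("full", "split"):
        table = build_routes(mode)
        print(mode, {d: egress(table, d) for d in ("192.168.10.254", "198.51.100.7")},
              vpn_has_default_gateway(table))
```
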

New Member

Hi,

I have exactly the same issue with my new Cisco SA 540.

Has someone found a solution for the VPN connection with the Cisco VPN client?

Regards,

George
