2 SR520's with H/W VPN and Windows 7 doesn't work

EddieGregory · ‎08-31-2010

Hello all,

I have 2 SR520's with a hardware VPN established. I have Windows XP Machines that work great in this setup, however, Windows 7 Machines aren't able to browse to all sites on the internet (i.e. Yahoo, Newegg, MSNBC, and others). The interesting part of this, is the Windows 7 machines resolve DNS to the sites, are able to ping and traceroute to the sites. They just won't open them in a browser.

Originally I was setting this up for a client, and I have replicated the issue in my lab.

I've attached my router configs for reference.

Any help is appreciated.

ED

Jennifer Halim · ‎08-31-2010

The following policy-map on Remote site should have the action of "inspect" instead of "pass":

policy-map type inspect sdm-permit_VT
class type inspect Easy_VPN_Remote_VT
pass

Hope that helps.

EddieGregory · ‎08-31-2010

Thanks Halijenn,

I'll try this first thing in the morning. FYI, I've also opened a TAC Incident, however, they were also confused as to why the XP machine worked as expected, where as the 7 box didn't.

Thanks again,

ED

EddieGregory · ‎09-01-2010

That didn't take care of it.

ED

EddieGregory · ‎09-01-2010

After many hours with TAC here is the solution. I have attached the before and after configs. I've highlighted the changes with "*****".

Great job to Andrew at Cisco TAC for hanging in there on this one, and thanks for the suggestions.

ED