Can't ping or remotely control some VPN client machines

Jake Pratt
Level 1

We have been using the VPN client for a very long time.  Our most current VPN setup is using an ASA 5510, without split tunneling.  We tunnel all traffic.  We are using IPSec group authentication off of an AD domain controller.

Recently I have been having some issues with some of the client machines, and I can't for the life of me figure out what the issue is.  Some machines will not respond to pings, and I cannot remotely access the machines (using Dameware Remote Control) while they are connected to the VPN.  Other client machines work fine.  In fact there have been a couple instances where I have two machines in a remote office, using the same internet connection, both connected to the VPN, where I can ping and remotely manage one machine, but not the other.  If RDP is enabled, I can sometimes get into those problem machines via RDP.  But this is crippling our ability to remotely support many of our VPN users, and I just don't know what to look for.

I have tried disabling Windows firewall completely, and that does not seem to help at all.  The only other thing I can think of is I recently upgraded our McAfee software.  But it does not prevent us from getting connected to or pinging any of the systems on our physical network, nor to half of our VPN users.  Does anyone have any ideas of where to look?  Most of our clients are running Windows 7, or Vista, and using the client version 5.0.07.0290, or 5.0.05.0290.  Most of the clients using 5.0.07.0290 are using the 64-bit version.

Thanks in advance.

10 Replies

Jake Pratt
Level 1

Here's a small update with a little additional information.  I just took a look at my currently connected clients.  Right now, I only have 5.  3 of them will reply to pings, 2 of them will not.  All the clients that are responding are using 5.0.0.7.0290.  1 of the clients that is not responding is using 5.0.0.7.0290, and 1 is using 5.0.0.5.0290.  And I think all 5 clients are using the 32-bit client.  All 5 of the clients are also using our new McAfee software.  I talked to one of our techs, and it appears this was a problem before we deployed the new McAfee software, so I doubt it's related.

And two of these clients are in the same office, connecting from the same public IP address.  One responds to pings, one does not.  They are both using the same version of the client as well (5.0.0.7).  I'm stumped.

There are some incompatibility issues between the VPN Client and the Windows 7 adapter. Try this link; though it is third party, it might prove to be useful.

http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

RV

Great, thanks for the advice.  I will do some testing with that next, and report back.

Thanks again for the info.  It does appear that the machines having problems are Windows 7 machines, although I can't confirm that 100%, without a bunch more investigating.

I gave that a try (using the Citrix DNE update), both with and without deleting the ndis drivers.  It does not fix the ping/remote control problem.  So I tried two more things.  I updated to the latest 5.0.0.7.0440 (64-bit), which didn't work.  I also tried running the VPN client as administrator.  That also did not work.

Does anyone have any other ideas why I wouldn't be able to ping Windows 7 machines once they are on the VPN?

Man, I have looked all over these forums.  The only thing I can find says to install the Citrix DNE update, as you stated, and as listed in this other discussion: https://supportforums.cisco.com/message/3036435#3036435

I have tried that on about 3 different Windows 7 machines.  The weird thing is, it "kind of" worked on one of the machines, but completely did not on the other 2.  On the "kind of worked" machine, I still couldn't ping it, but I COULD remotely connect to the machine.  Obviously, remote control is more important to me than ICMP, but ping is still a very useful tool.

If anyone else has any additional ideas, I would really love to hear them.  I'm really stuck on this, and it's crippling us.

Thanks again!

fb_webuser
Level 6

Are the default gateways on the inside hosts correctly set? Have you set a VPN list on the ASA's group-policy? Have you set up a NAT exclusion rule on the inside hosts -> the VPN Client subnet?

---

Posted by WebUser Jake Bunce

Thanks for the replies.  Sorry for my delayed response.  I've been out of town.

All of this stuff is setup correctly, and working.  The default gateways are setup, I have the correct VPN list on group-policy, and I have a NONAT ACL set up for the VPN subnet.  This is the only VPN group I use for all my clients.  And everyone can connect just fine.  And with Vista users, I can ping them, and remotely access their machines.  But for some reason, I can't ping Windows 7 machines or remotely access them.

As I mentioned above, I tried the whole installing the Citrix DNE update trick, but that didn't work either.

Ok, I think I may have gotten this working.  I got it working on one machine, anyway.  I'm going to keep messing around with it on some other machines.  I think maybe the step I was missing, is after you run the "winfix.exe" to remove the CitrixDNE stuff, it gives you the old "this program did not run properly, click here to run with recommended settings" window.  I tried running it again with recommended settings, and it seems to have worked.

It got me to the point where my other machine that I got working was: I could remote into it, but not ping it.  I realized that the ping replies were due to Windows Firewall settings.  My AD group policy to allow ICMP requests, was only set on the domain profile, not the standard profile.  Since the computer is not using the domain profile to connect to the VPN, it doesn't use that domain group policy.  After I made those firewall group policy settings, I could now ping and remote into the machine.

So here are the basic steps I've followed (taken and modified from https://supportforums.cisco.com/message/3036435#3036435):

1. Uninstall the previous version of Cisco VPN client (and delete all VPN program files)

2. Reboot

3. Run Citrix DNE - ftp://files.citrix.com/winfix.exe (re-run using recommended settings)

4. Reboot

5. Install Citrix DNE Update:

   32bit update - ftp://files.citrix.com/dneupdate.msi

   64bit update - ftp://files.citrix.com/dneupdate64.msi

6. Reboot

7. Install the Cisco VPN Client (I used 5.0.07.0440 64-bit)

8. Reboot

9. Rebuild the connection profile, or copy from another machine

After all that, it worked on this latest machine I tried it on.  I will try it with a few more machines and see if I can determine that it will work for sure on all my machines.  Thanks for everyone's help!

I think more and more, this was a Windows Firewall problem.  The DNE update seems to have fixed a couple issues.  I had one machine that couldn't connect over her Verizon air card, but the DNE update, and a newer version of the VPN client fixed it.  But for many of these Windows 7 machines that I haven't been able to connect to, it seems that a Firewall policy update fixes it.

Earlier in the discussion I stated that I had the remote users disable their firewall, but looking back, I think they only disabled it on the "Domain" profile, not the "Private" or "Public" profile.  That's the profile their computer is using before it gets on the VPN.  So after pushing out the firewall policy to not just the "domain" policy, but also the "standard" policy, as stated above, it seems to be fixing the problem on many of the machines.  That's a much easier fix than the DNE update and 4 reboots.  Thanks to everyone for their help.  Hopefully this info will help someone else in a similar boat.
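
The cause identified in this thread, an ICMP allowance scoped to the Domain profile while VPN-connected machines are on a different profile, can be checked on a client with the script below. It is an added example, not code from the original posts. It reads the `HNetCfg.FwPolicy2` COM interface (present on Windows Vista and 7) and assumes the ICMP exception appears as a firewall rule through that interface; the "standard" profile mentioned in the thread is taken to correspond to Private and Public.

```powershell
# Added example: report, per firewall profile, whether inbound ICMPv4 echo
# requests are allowed, and flag the profile(s) the machine is actually using.
$profileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }  # NET_FW_PROFILE_TYPE2 bits

$fw     = New-Object -ComObject HNetCfg.FwPolicy2
$active = $fw.CurrentProfileTypes   # bitmask of the profiles in use right now

# Enabled inbound allow rules for ICMPv4 that cover echo request (type 8).
$echoRules = @($fw.Rules | Where-Object {
    $_.Enabled -and
    $_.Direction -eq 1 -and         # 1 = inbound
    $_.Action    -eq 1 -and         # 1 = allow
    $_.Protocol  -eq 1 -and         # 1 = ICMPv4
    # Assumption: an empty or "*" type list means the rule covers all ICMP types.
    (-not $_.IcmpTypesAndCodes -or $_.IcmpTypesAndCodes -match '(^|,)\s*(8:|\*)')
})

$report = foreach ($bit in 1, 2, 4) {
    # A rule's Profiles value is a bitmask, so one rule can cover several profiles.
    $rules = @($echoRules | Where-Object { $_.Profiles -band $bit })
    New-Object PSObject -Property @{
        Profile         = $profileNames[$bit]
        Active          = [bool]($active -band $bit)
        FirewallEnabled = [bool]$fw.FirewallEnabled($bit)
        EchoAllowed     = ($rules.Count -gt 0)
        Rules           = ($rules | ForEach-Object { $_.Name }) -join '; '
    }
}

$report | Select-Object Profile, Active, FirewallEnabled, EchoAllowed, Rules |
    Format-Table -AutoSize

# The situation from this thread: firewall on, profile in use, no echo rule on it.
$report | Where-Object { $_.Active -and $_.FirewallEnabled -and -not $_.EchoAllowed } |
    ForEach-Object {
        Write-Warning "No inbound ICMPv4 echo rule applies to the active $($_.Profile) profile."
    }
```

Run it once before and once after the VPN connects: a machine that shows `EchoAllowed` only on the Domain row while `Active` is set on Private or Public matches the clients that would not answer pings.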