09-29-2014 06:41 AM
Hi Guys,
I have a PIX 515 firewall which has remote access VPN which worked fine. We then created a site to site tunnel to an ASA 5520 which is working fine. Remote access Client VPNs are working fine when connected to the PIX on Windows XP but I can't get Windows 7 computers to work. It says connected but I cannot reach any devices behind the PIX. I am running version 5 VPN client on Windows 7. I was told to turn off IPv6 on Windows 7. I did that in the registry but it did not work. Any ideas? Any help will be greatly appreciated.
Thanks,
Lake
10-02-2014 10:55 AM
Marius,
After I made the above changes to the PIX, the Windows 7 64 bit machine can ping one server in the network by IP address only but cannot ping any other devices. That server happens to be the domain controller and also DNS server. My colleague did ipconfig /all and he gets a DNS server IP address in the vpn-pool. This is very strange. Any ideas?
Thanks,
Lake
10-02-2014 11:46 AM
It could be that the other servers have the Windows firewall enabled? If so then that will be blocking the ICMP packets. Check that out and get back to me.
--
Please remember to select a correct answer and rate helpful posts
10-02-2014 11:51 AM
Marius,
The firewall is turned off on all servers. With Windows 32 bit clients I can ping all servers. It is only with 64 bit clients we have this issue.
Thanks,
Lake
10-02-2014 12:06 PM
I presume that the servers have an IP in the 192.168.2.0 subnet?
There are a couple of things you can do to troubleshoot here.
First, while the remote host is connected to the VPN do a packet tracer from a server IP that is not working to the RA VPN client IP.
packet-tracer input inside tcp <server IP> 12345 <RA VPN client IP> 80 detail
Second, you can do a packet capture on the inside interface to see if traffic is leaving and entering the interface from the RA VPN client...or vice versa.
access-list CAP permit ip host <RA VPN client IP> host <server IP>
access-list CAP permit ip host <server IP> host <RA VPN client IP>
capture CAPIN interface inside access-list CAP
show capture CAPIN
If you see traffic from the RA VPN client leaving the ASA inside interface but return traffic not entering the ASA, then there is a problem between the ASA and the server...or on the server itself. If you see traffic leaving and return traffic entering the ASA, then there is a problem on the ASA.
--
Please remember to select a correct answer and rate helpful posts
10-02-2014 12:22 PM
Thank you Sir. I will try that and let you know.
10-03-2014 07:14 AM
Marius,
Those commands did not work on the PIX. I think they might be ASA commands. I had the user connect with the VPN client and did a continuous ping to 192.168.2.3. I logged into 192.168.2.3 and did a Wireshark capture and I looked for the RA VPN client IP address of 192.168.7.11. There was nothing in Wireshark. The traffic is not even getting to the server (192.168.2.3). Is there a debug I can try that might help?
Thanks,
Lake
10-04-2014 10:05 AM
The debugs will only show the tunnel establishment and not any traffic information.
Are the servers using the PIX as their default gateway?
I am at a loss as to why the 64 bit machines are not working but the 32 bit machines are working. This might be a bug.
--
Please remember to select a correct answer and rate helpful posts
10-06-2014 08:17 AM
I believe the servers are using a Cisco switch as the gateway. I will double check that. 64 bit machines were working fine until we set up the site to site VPN.
10-06-2014 12:43 PM
But the 32 bit machines work fine when connecting over the RA VPN?
If that is the case I would have to assume that this is a bug.
--
Please remember to select a correct answer and rate helpful posts
10-07-2014 01:07 PM
I need to get this working but I don't know what to do.
10-07-2014 11:56 PM
As I said, this could very well be a bug but we are unable to confirm this as the PIX is now end of life / end of support.
I suggest trying a newer VPN client (5.0.7.0440).
If that doesn't work, perhaps go to an earlier version of the VPN client such as 4.x.
--
Please remember to select a correct answer and rate helpful posts
10-09-2014 06:55 AM
Marius,
We installed the VPN client 5.0.7.0440 without success. We will try an older version and see.
Thanks,
Lake