Cisco Support Community

Client VPN connected but not working

Hi Guys,

 

I have a PIX 515 firewall which has remote access VPN which worked fine. We then created a site to site tunnel to an ASA 5520 which is working fine. Remote access Client VPNs are working fine when connected to the PIX on Windows XP but I can't get Windows 7 computers to work. It says connected but I cannot reach any devices behind the PIX. I am running version 5 VPN client on Windows 7. I was told to turn off IPv6 on Windows 7. I did that in the registry but it did not work. Any ideas? Any help will be greatly appreciated.

 

Thanks,

Lake

26 REPLIES
VIP Green

Does the windows 7 machine have up-to-date patches? If not, update the machine and then try the VPN again.

Which Windows 7 build are you running?  According to this link the 5.0.5 VPN client has been tested successfully on the 7048 build.

--

Please remember to select a correct answer and rate helpful posts

--

Please remember to rate and select a correct answer

I think the Windows machine is up to date with Windows patches but I will check with the user. The user was using Cisco VPN client version 5.0.07.0290 but we just removed that and installed 5.0.07.0410. Is there a newer version and if so is it more reliable? Using the 5.0.07.0290 client the user can connect to an ASA VPN without any problems but it just wouldn't work on the PIX.

I think we have narrowed it down to a Windows 7 64 bit issue. It seems to work fine with Windows 7 32 bit but not 64 bit. Any ideas?

 

Thanks,

Lake

VIP Green

What software version are you running on the PIX?

*edit* - Also, have you tested from a different 64bit machine to make sure there isn't something faulty with the current one you are using?

The PIX is running version 6.3. Actually, one Windows 7 64 bit and one Windows 8 64 bit were working fine before we set up the site to site VPN which is connected to a remote ASA. Now the Windows 7 machine can connect fine to the ASA using client VPN but it just won't work with the PIX.

New Member

Do you have NAT traversal enabled on the firewall device?

Cisco VPN Client Connects but no traffic will Pass

 

Pete

 

Yes Sir, it is enabled. The Client VPN works perfectly fine with Windows 32 bit computers but not Windows 7 and 8 64 bit. I can connect to the VPN but I cannot reach any devices behind the PIX. If I log in to the PIX I can ping the Windows 64 bit computer. Any ideas? I have attached the PIX config. Please advise.

 

Thanks,

Lake

Can someone please help me with this PIX remote access VPN? I just can't get it working with Windows 64 bit clients.

Any help will be greatly appreciated.

 

Thanks,

Lake

 

VIP Green

Well, if it works fine with the 32 bit machines there is no problem with the PIX configuration.

When you say you can ping the Windows 64 bit computer, are you pinging its VPN assigned IP or a public IP on the internet?

When you try to connect using the 64bit computer do you see anything unusual in the log?

If you enable the client logging feature in the VPN client do you see anything that might point to what is causing the issue there?

Just for the sake of elimination, have you disabled the windows firewall on the 64 bit computer when trying to connect?

You can also try to uninstall and then reinstall the VPN client on the 64 bit machine. Just remember to restart the computer after the uninstall, and then again after you install the VPN client again.

Also make sure that all windows updates are installed (not just the high priority ones).

This link has some more tips on troubleshooting RA VPN problems

http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=167

Marius,

Thanks for taking the time to help me with this.

If I ssh into the PIX I can ping the VPN client by its VPN assigned IP address.

I will get the user to turn on logging in the VPN client and look for any errors.

Yes, we did disable the Windows firewall and even the antivirus.

We had an older version of the VPN client and we removed that and installed the latest one from Cisco website without any success. We also have a second Windows 64 bit computer that is not working.

The computer is fully updated.

Both of these computers were working fine before we set up the site to site VPN.

Did you get a chance to take a look at my config?

 

Thanks,

Lake

 

 

VIP Green

How are you testing the RA VPN connection? If using ping, what are you pinging?

Which IP pool are the 64 bit computers getting their IP from (dmz-pool or vpn-pool)?

If it is the dmz-pool, just for testing, could you add a more specific ACL entry for the no nat instead of using any as the source address:

access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0

Marius,

We are trying to ping 192.168.2.3 which is on the inside network. The 32 bit computers are getting their IP addresses from vpn-pool and I think the 64 bit ones are also getting their IPs from the same pool. I don't have a 64 bit computer but I will check with the user. I don't think we need the dmz pool. Should I just remove it or do you think I should still go ahead and add the access list command you mentioned?

I truly appreciate all your help.

 

Thanks,

Lake

 

 

VIP Green

Should I just remove it or do you think I should still go ahead and add the access list command you mentioned?

As per your configuration the dmz-pool is configured to be used.

vpngroup dmz-group address-pool dmz-pool

You could remove it and then see if someone starts shouting at you, just remember to make a backup of the configuration in case you need to add it back in quickly.

You are missing the 192.168.2.0 subnet from your no nat statements.

access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list no-nat-acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0 
access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0 

Add a rule that includes the 2.0 network going to the 6.0 network and then test.

access-list no-nat-acl permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0

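An added example (not part of the original post, and not Cisco tooling): a Python check of which flows the no-nat-acl entries quoted above match, using first-match evaluation. 192.168.2.3 and 192.168.7.11 are the server and VPN client addresses mentioned in the thread; 192.168.6.10 is a constructed dmz-pool address.

```python
import ipaddress

# no-nat-acl entries as posted in the thread
POSTED_ACL = """\
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat-acl permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat-acl permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no-nat-acl permit ip any 192.168.7.0 255.255.255.0
"""
# the rule suggested in the post above
SUGGESTED = "access-list no-nat-acl permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0\n"

def take_network(tokens):
    """Consume one address spec from the token list: 'any', 'host A' or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def parse_acl(text, name="no-nat-acl"):
    """Return (action, src_net, dst_net, line) tuples for the 'ip' entries of one ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name] or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        # tuple elements evaluate left to right: source spec first, then destination
        entries.append((tokens[2], take_network(rest), take_network(rest), line.strip()))
    return entries

def first_match(entries, src_ip, dst_ip):
    """First-match evaluation: the permitting config line, or None (deny / no match)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, line in entries:
        if src in src_net and dst in dst_net:
            return line if action == "permit" else None
    return None

def is_nat_exempt(acl_text, src_ip, dst_ip):
    return first_match(parse_acl(acl_text), src_ip, dst_ip) is not None

if __name__ == "__main__":
    for dst in ("192.168.7.11", "192.168.6.10"):
        for label, acl in (("posted", POSTED_ACL), ("with suggested rule", POSTED_ACL + SUGGESTED)):
            print(f"192.168.2.3 -> {dst} [{label}]:", is_nat_exempt(acl, "192.168.2.3", dst))
```
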

Marius,

 

I removed the commands below and it still works for 32 bit clients. I am trying to get my colleague to test it. Since I don't need dmz-pool I just removed it. I will let you know how that goes.

no vpngroup dmz-group address-pool dmz-pool
no ip local pool dmz-pool 192.168.6.1-192.168.6.254

 

I added this one below.

access-list no-nat-acl permit ip 192.168.2.0 255.255.255.0 192.168.6.0 255.255.255.0

 

Thanks,

Lake

 

Marius,

 

After I made the above changes to the PIX, the Windows 7 64 bit machine can ping one server in the network by IP address only but cannot ping any other devices. That server happens to be the domain controller and also DNS server. My colleague did ipconfig /all and he gets a DNS server IP address in the vpn-pool. This is very strange. Any ideas?

 

Thanks,

Lake

VIP Green

It could be that the other servers have the windows firewall enabled? If so then that will be blocking the ICMP packets.  Check that out and get back to me.

Marius,

 

The firewall is turned off on all servers. With Windows 32 bit clients I can ping all servers. It is only with 64 bit clients we have this issue.

 

Thanks,

Lake

VIP Green

I presume that the servers have an IP in the 192.168.2.0 subnet?

There are a couple of things you can do to troubleshoot here.

First, while the remote host is connected to the VPN do a packet tracer from a server IP that is not working to the RA VPN client IP.

packet-tracer input inside tcp <server IP> 12345 <RA VPN client IP> 80 detail

Second, you can do a packet capture on the inside interface to see if traffic is leaving and entering the interface from the RA VPN client...or vice versa.

access-list CAP permit ip host <RA VPN client IP> host <server IP>

access-list CAP permit ip host <server IP> host <RA VPN client IP>

capture CAPIN interface inside access-list CAP

show capture CAPIN

If you see traffic from the RA VPN client leaving the ASA inside interface but return traffic not entering the ASA, then there is a problem between the ASA and the server...or on the server itself.  If you see traffic leaving and return traffic entering the ASA, then there is a problem on the ASA.

Thank you Sir. I will try that and let you know.

Marius,

Those commands did not work on the PIX. I think they might be ASA commands. I had the user connect with the VPN client and did a continuous ping to 192.168.2.3. I logged into 192.168.2.3 and did a Wireshark capture and I looked for the RA VPN client IP address of 192.168.7.11. There was nothing in Wireshark. The traffic is not even getting to the server (192.168.2.3). Is there a debug I can try that might help?

Thanks,

Lake

 

VIP Green

The debugs will only show the tunnel establishment and not any traffic information.

Are the servers using the PIX as their default gateway?

I am at a loss as to why the 64 bit machines are not working but the 32 bit machines are working.  This might be a bug.

I believe the servers are using a Cisco switch as the gateway. I will double check that. 64 bit machines were working fine until we set up the site to site VPN.

VIP Green

But the 32 bit machines work fine when connecting over the RA VPN?

If that is the case I would have to assume that this is a bug.

I need to get this working but I don't know what to do.

VIP Green

As I said, this could very well be a bug but we are unable to confirm this as the PIX is now end of life / end of support.

I suggest trying a newer VPN client (5.0.7.0440)

http://software.cisco.com/download/release.html?mdfid=281940730&flowid=4466&softwareid=282364316&os=Windows&release=5.0.07.0440&relind=AVAILABLE&rellifecycle=&reltype=latest

If that doesn't work perhaps go to an earlier version of the VPN client such as 4.x

Marius,

 

We installed the VPN client 5.0.7.0440 without success. We will try an older version and see.

 

Thanks,

Lake
