1200 Views, 10 Helpful, 26 Replies

one minute delay with vpn client 4.6 (and 1720)

mmrozek
Level 1

I'm connecting to a pix 515e at work from home using the cisco vpn client(4.6.03.0021). At home, I was previously using a linksys router and was able to connect to the PIX just fine. The linksys died on me so I'm using a cisco 1720. Since I've started using it, every time I connect to the PIX, it takes about a minute for the connection to start working. Until it works, I'm not able to connect to other computers on the PIX network. Also, before it works, I can see bytes only going out on the vpn client but no bytes coming in until it connects after a minute. Am I missing a setting? Why would it take a minute for the vpn client to start working after switching from a linksys to a cisco 1720?

26 Replies

jackko
Level 7

have you got an inbound acl permitting udp 4500 and esp?

no, but I just added an acl permitting everything in just to test it and that didn't work either. you are talking about permitting that traffic into the outside interface, right? what's the port number for esp? I looked on www.iana.org and found 2797 but not sure that was it.

i've found that once in a while, there is not a one minute delay. it will let me make my rdp connection immediately. then, if i disconnect the tunnel and reconnect a moment later, it will have the one minute delay again.

esp: ip 50

with an acl, you can actually use esp as the protocol. e.g.

permit esp any any

permit esp any host 10.0.0.1

cisco ios router shouldn't have any issue with remote vpn. would you please post the config?
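The inbound WAN filter jackko is asking about, written out in full as an added example; it is not from the thread and not the poster's running config. Interface and ACL names are assumptions. Note that IKE always starts on UDP/500 before NAT-T is negotiated, so an ACL like the posted e0-in-0 (UDP/4500 and ESP only) would need a UDP/500 line as well if it were ever applied. Because the posted config has no `ip inspect` (CBAC), an inbound ACL on Ethernet0 also has to let replies to LAN-originated sessions, the static port forwards, and the router's own DHCP client back in, otherwise far more than the VPN breaks.

```cisco
! Added example, not from the thread. Interface and ACL names are assumptions.
! Inbound filter for the WAN side of a router that NATs a remote-access IPsec client.
ip access-list extended e0-in-ipsec
 remark IKE negotiation always starts on UDP/500 (IOS keyword: isakmp)
 permit udp any any eq isakmp
 remark NAT-T: once both peers detect NAT, IKE and ESP move to UDP/4500
 permit udp any any eq non500-isakmp
 remark raw ESP is IP protocol 50, so it is matched by protocol, not by port
 permit esp any any
 remark the router's own DHCP client on Ethernet0 must still receive offers and renewals
 permit udp any eq bootps any eq bootpc
 remark the posted static NAT entries need their inbound ports opened too
 permit tcp any any eq 3389
 permit tcp any any eq www
 permit tcp any any eq ftp
 remark stateless stand-in for CBAC: replies to TCP sessions opened from the LAN
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark log what the implicit deny would otherwise drop silently
 deny ip any any log
!
interface Ethernet0
 ip access-group e0-in-ipsec in
```

After a connection attempt, `show access-lists e0-in-ipsec` shows a hit counter per line; whether the non500-isakmp line or the esp line is incrementing tells you which encapsulation the client and PIX actually settled on. The logged denies go wherever `logging` already points, which in the posted config is the syslog host 10.10.1.99 at level debugging.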

that's what i would think too! i also tried another version of the cisco vpn client and it does the same thing. below is the config. as you can see, i've been learning and playing with access-lists. at one time, i did have the first two access-lists applied to the e0 interface.

version 12.3
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname 1720
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
!
username mrozek password xxxx
!
!
!
interface Ethernet0
 description WAN
 ip address dhcp
 ip nat outside
 full-duplex
!
interface FastEthernet0
 description LAN
 ip address 10.10.1.97 255.255.255.240
 ip access-group f0-in-0 in
 ip nat inside
 speed auto
!
ip nat inside source list nat-output interface Ethernet0 overload
ip nat inside source static tcp 10.10.1.99 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.10.1.99 80 interface Ethernet0 80
ip nat inside source static tcp 10.10.1.99 21 interface Ethernet0 21
ip classless
no ip http server
!
!
ip access-list extended e0-in-0
 permit udp any any eq non500-isakmp
 permit esp any any
ip access-list extended e0-in-1
 permit ip any any
 permit esp any any
ip access-list extended f0-in-0
 permit ip any any
ip access-list extended f0-in-1
 permit ip any any log
ip access-list extended f0-in-2
 permit tcp any any eq telnet
 permit tcp any any eq www
 permit udp any any eq domain
 permit udp any any eq isakmp
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit udp any any eq netbios-ns
 permit tcp any any eq 1206
 permit udp any any eq 62515
 permit udp any any eq 1900
 permit udp any any eq 10000
 permit tcp any any eq 3389
 permit icmp any any
 deny ip any any
ip access-list extended nat-output
 permit ip 10.10.1.96 0.0.0.15 any
logging trap debugging
logging 10.10.1.99
no cdp run
banner motd
This is a private system operated for and by the initial installer.
Authorization from the initial installer is required to use this system.
Use by unauthorized persons is prohibited.
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 login
!
end

i was thinking the issue may be related to cbac, however, the router config is very straightforward.

another possibility i can think of is the isakmp keepalive parameter configured on the pix. again, it was working fine with the linksys.

i guess it is worth upgrading the ios of the router. maybe start off by looking at the ios bug tools.

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

i checked out the ios bug tool but couldn't find anything. i was using 12.3(15a) and i just upgraded tonight to 12.3(16) - still no difference.

i would think someone else would experience this issue with it being such a basic setup.

another thing i changed the same time i switched out my linksys for my cisco was my subnet. i was using a 10.0.31.0/24 and changed it to 10.10.1.96/28. that wouldn't cause a problem, would it?

it will become an issue if the vpn-assigned ip address overlaps with the lan ip range.

that shouldn't be an issue; the ip assigned through the pix is 192.168.254.0/24 and the network behind the pix is 192.168.1.0/24. back to the drawing board. i'm going to keep posting my progress in hopes of finding this though.

i just tried updating my cisco vpn client to version 4.7 but i still have the same problem. i'm thinking my next step is to do some sniffing and see what the packets are doing.
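A way to do the sniffing the post above mentions from the 1720 itself rather than from the PC, as an added example; these are not the poster's steps. The ACL number 150 is an arbitrary unused number, and the `no ip route-cache` lines are an assumption about what this router needs: `debug ip packet` only shows process-switched packets, and with `ip cef` enabled transit traffic is CEF-switched and would never appear in the debug. The posted config timestamps debugs with uptime only, so the first line switches to wall-clock millisecond stamps, which is what you want when measuring a gap of about a minute.

```cisco
! Added example, not from the thread. ACL 150 is an arbitrary unused number.
service timestamps debug datetime msec
!
! Match only the three IPsec flows so the debug output is not flooded.
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any any eq non500-isakmp
access-list 150 permit esp any any
!
! Temporary, CPU-costly: force process switching so transit packets reach the debug.
! Assumption: this is what the posted config (ip cef, no per-interface overrides) needs.
interface Ethernet0
 no ip route-cache
interface FastEthernet0
 no ip route-cache
```

Then, from enable mode on a vty with `terminal monitor`, run `debug ip packet 150 detail` and `debug ip nat detailed`, start the VPN client, and compare the timestamp of the first outbound UDP/4500 or ESP packet from the PC with the first inbound one from the PIX; `show ip nat translations verbose` during the gap shows whether a translation for that flow exists and what its timeout is. Because the posted config already has `logging trap debugging` and `logging 10.10.1.99`, the same debug lines are also sent to that syslog host. Finish with `undebug all` and put `ip route-cache` back on both interfaces.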

the issue may be with the pc. have you spoken to the admin about whether any other user has reported the same issue?

to verify, establish a dial-up connection from your pc and then try the vpn.

i am the admin and no other person has complained of this issue.

i changed my subnet at home (10.10.10.0/24) just for giggles and that didn't make a difference either, to no surprise.

i will try both the dial-up idea and using another computer this weekend.

i just tried using a completely different laptop and i get the same exact result! it still takes about a minute before i can use the rdp connection through the tunnel.