09-24-2005 07:04 PM
I'm connecting to a PIX 515E at work from home using the Cisco VPN Client (4.6.03.0021). At home, I was previously using a Linksys router and was able to connect to the PIX just fine. The Linksys died on me, so I'm using a Cisco 1720. Since I've started using it, every time I connect to the PIX, it takes about a minute for the connection to start working. Until it works, I'm not able to connect to other computers on the PIX network. Also, before it works, I can see bytes only going out on the VPN client but no bytes coming in until it connects after a minute. Am I missing a setting? Why would it take a minute for the VPN client to start working after switching from a Linksys to a Cisco 1720?
09-25-2005 03:24 PM
Have you got an inbound ACL that permits UDP 4500 and ESP?
09-25-2005 04:23 PM
No, but I just added an ACL permitting everything in just to test it, and that didn't work either. You are talking about permitting that traffic into the outside interface, right? What's the port number for ESP? I looked on www.iana.org and found 2797 but not sure that was it.
10-01-2005 04:44 PM
I've found that once in a while there is not a one-minute delay; it will let me make my RDP connection immediately. Then, if I disconnect the tunnel and reconnect a moment later, it will have the one-minute delay again.
10-01-2005 07:14 PM
ESP: IP protocol 50
With an ACL, you can actually use esp as the protocol, e.g.
permit esp any any
permit esp any host 10.0.0.1
10-01-2005 07:17 PM
A Cisco IOS router shouldn't have any issue with remote VPN. Would you please post the config?
10-02-2005 03:25 AM
That's what I would think too! I also tried another version of the Cisco VPN Client and it does the same thing. Below is the config. As you can see, I've been learning and playing with access-lists. At one time, I did have the first two access-lists applied to the E0 interface.
version 12.3
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname 1720
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
!
username mrozek password xxxx
!
!
!
interface Ethernet0
description WAN
ip address dhcp
ip nat outside
full-duplex
!
interface FastEthernet0
description LAN
ip address 10.10.1.97 255.255.255.240
ip access-group f0-in-0 in
ip nat inside
speed auto
!
ip nat inside source list nat-output interface Ethernet0 overload
ip nat inside source static tcp 10.10.1.99 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.10.1.99 80 interface Ethernet0 80
ip nat inside source static tcp 10.10.1.99 21 interface Ethernet0 21
ip classless
no ip http server
!
!
ip access-list extended e0-in-0
permit udp any any eq non500-isakmp
permit esp any any
ip access-list extended e0-in-1
permit ip any any
permit esp any any
ip access-list extended f0-in-0
permit ip any any
ip access-list extended f0-in-1
permit ip any any log
ip access-list extended f0-in-2
permit tcp any any eq telnet
permit tcp any any eq www
permit udp any any eq domain
permit udp any any eq isakmp
permit tcp any any eq smtp
permit tcp any any eq pop3
permit udp any any eq netbios-ns
permit tcp any any eq 1206
permit udp any any eq 62515
permit udp any any eq 1900
permit udp any any eq 10000
permit tcp any any eq 3389
permit icmp any any
deny ip any any
ip access-list extended nat-output
permit ip 10.10.1.96 0.0.0.15 any
logging trap debugging
logging 10.10.1.99
no cdp run
banner motd
This is a private system operated for and by the initial installer.
Authorization from the initial installer is required to use this system.
Use by unauthorized persons is prohibited.
!
line con 0
line aux 0
line vty 0 4
password xxxx
login
!
end
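The two questions raised earlier in the thread (which ACL entries a remote-access IPsec client needs, and that ESP is IP protocol 50 rather than a port) can be checked mechanically against the posted lists. The script below is an added example, not code from the thread or from Cisco: it parses the access-list section of the config above in the IOS syntax it uses (only the keywords that appear there, plus "host"), models the implicit "deny ip any any" at the end of every IOS ACL, and evaluates the three flows the Cisco VPN Client relies on, ISAKMP (udp/500), NAT-T (udp/4500, the IOS keyword "non500-isakmp") and ESP (protocol 50, the "esp" keyword). The peer addresses are placeholders, since the PIX outside address and the router's DHCP-assigned WAN address are not given in the thread.

```python
"""Evaluate IOS extended ACLs against the flows a remote-access IPsec client needs.

Added example (not from the thread). Handles only the syntax used in the
posted config: 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', and 'eq PORT'.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# IOS protocol keywords -> IP protocol number; "ip" matches any protocol
PROTOCOLS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50}
# IOS port keywords used in the posted config; numeric ports are accepted too
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "netbios-ns": 137}

Addr = Tuple[int, int]                                    # (network, wildcard)
Rule = Tuple[str, Optional[int], Addr, Addr, Optional[int]]


def _addr(tokens: List[str]) -> Addr:
    """Consume one IOS address spec from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acls(config: str) -> Dict[str, List[Rule]]:
    """Collect 'ip access-list extended NAME' blocks and their entries."""
    acls: Dict[str, List[Rule]] = {}
    current = None
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = tokens[3]
            acls[current] = []
        elif current and tokens and tokens[0] in ("permit", "deny"):
            action, proto, rest = tokens[0], PROTOCOLS[tokens[1]], tokens[2:]
            src, dst, port = _addr(rest), _addr(rest), None
            if rest[:1] == ["eq"]:            # destination-port match only
                port = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls[current].append((action, proto, src, dst, port))
        else:
            current = None                    # any other line ends the block
    return acls


def _matches(ip: int, spec: Addr) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF                 # wildcard bits are don't-care
    return ip & keep == net & keep


def evaluate(rules: List[Rule], proto: int, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Walk the ACL top-down; fall through to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto is not None and rproto != proto:
            continue
        if not (_matches(s, rsrc) and _matches(d, rdst)):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


PIX_OUTSIDE, ROUTER_WAN = "203.0.113.1", "198.51.100.2"   # placeholder addresses
# The PIX's replies as they would arrive inbound on the WAN interface
VPN_FLOWS = {
    "ISAKMP udp/500": (17, PIX_OUTSIDE, ROUTER_WAN, 500),
    "NAT-T udp/4500": (17, PIX_OUTSIDE, ROUTER_WAN, 4500),
    "ESP proto 50": (50, PIX_OUTSIDE, ROUTER_WAN, None),
}


def check_vpn_flows(acls: Dict[str, List[Rule]], name: str) -> Dict[str, str]:
    return {flow: evaluate(acls[name], *pkt) for flow, pkt in VPN_FLOWS.items()}


# Access-list section copied from the posted config (f0-in-2 trimmed)
POSTED_ACLS = """\
ip access-list extended e0-in-0
permit udp any any eq non500-isakmp
permit esp any any
ip access-list extended e0-in-1
permit ip any any
permit esp any any
ip access-list extended f0-in-2
permit udp any any eq isakmp
permit tcp any any eq 3389
deny ip any any
ip access-list extended nat-output
permit ip 10.10.1.96 0.0.0.15 any
"""

if __name__ == "__main__":
    for name in ("e0-in-0", "e0-in-1", "f0-in-2"):
        print(name, check_vpn_flows(parse_acls(POSTED_ACLS), name))
```

Run against the posted lists, e0-in-0 passes NAT-T and ESP but not the peer's ISAKMP replies on udp/500 (they hit the implicit deny), e0-in-1 passes everything because its first entry is "permit ip any any", and f0-in-2 passes only ISAKMP. Whether any of that matters depends on where a list is applied: per the poster, the first two lists are no longer bound to Ethernet0, and the only list currently applied is f0-in-0 inbound on the LAN side, which permits all IP.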
10-02-2005 10:52 PM
I was thinking the issue may be related to CBAC; however, the router config is very straightforward.
Another possibility I can think of is the ISAKMP keepalive parameter configured on the PIX. Again, it was working fine with the Linksys.
I guess it is worth upgrading the IOS of the router. Maybe start off by looking at the IOS bug tools.
10-03-2005 06:03 PM
I checked out the IOS bug tool but couldn't find anything. I was using 12.3(15a) and I just upgraded tonight to 12.3(16); still no difference.
I would think someone else would experience this issue with it being such a basic setup.
Another thing I changed at the same time I switched out my Linksys for my Cisco was my subnet. I was using 10.0.31.0/24 and changed it to 10.10.1.96/28. That wouldn't cause a problem, would it?
10-03-2005 11:20 PM
It will become an issue if the VPN-assigned IP address overlaps with the LAN IP.
10-04-2005 04:16 AM
That shouldn't be an issue; the IP assigned through the PIX is 192.168.254.0/24 and the network behind the PIX is 192.168.1.0/24. Back to the drawing board. I'm going to keep posting my progress in hopes of finding this, though.
10-04-2005 04:57 PM
I just tried updating my Cisco VPN Client to version 4.7, but I still have the same problem. I'm thinking my next step is to do some sniffing and see what the packets are doing.
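When the capture is taken, the useful first cut is not the payload but which of the tunnel's flows leave the PC and which ever come back, since the reported symptom is bytes out with nothing in. The script below is an added example, not code from the thread or from Cisco. It works on raw IPv4 frames so it runs offline on the constructed packets included in it; for a real capture, feed it the IP layer of each frame from whatever pcap reader is at hand. It separates ISAKMP on udp/500, the three things that travel on udp/4500 under RFC 3948 (IKE behind a four-zero-byte non-ESP marker, UDP-encapsulated ESP, and the one-byte 0xFF keepalive) and raw ESP (protocol 50), then totals bytes per direction. The addresses are assumptions: 10.10.1.100 for the VPN client PC and 203.0.113.1 for the PIX outside interface, neither of which is given in the thread.

```python
"""Triage a capture of IPsec remote-access client traffic by flow and direction.

Added example (not from the thread). Works on raw IPv4 packets; the sample
capture at the bottom is constructed to reproduce the 'bytes out, none in'
symptom described above.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

LOCAL_IP = "10.10.1.100"     # the VPN client PC (assumed)
PIX_IP = "203.0.113.1"       # the PIX outside address (assumed)


def _ip(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, _ip(src), _ip(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt: bytes) -> Tuple[str, str, str, int]:
    """Return (flow kind, src, dst, length) for one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    kind = "other"
    if proto == 50:
        kind = "ESP"
    elif proto == 17:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        payload = pkt[ihl + 8:]
        if 500 in (sport, dport):
            kind = "ISAKMP"
        elif 4500 in (sport, dport):
            # RFC 3948: a lone 0xFF is a NAT keepalive, four zero bytes are
            # the non-ESP marker in front of IKE, anything else is ESP in UDP
            if payload == b"\xff":
                kind = "NAT-T keepalive"
            elif payload[:4] == b"\x00\x00\x00\x00":
                kind = "ISAKMP over NAT-T"
            else:
                kind = "ESP over NAT-T"
    return kind, src, dst, len(pkt)


def summarize(packets: List[bytes], local_ip: str = LOCAL_IP) -> Dict[str, Dict[str, int]]:
    """Bytes per flow kind, split into 'out' (sourced by local_ip) and 'in'."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: {"out": 0, "in": 0})
    for pkt in packets:
        kind, src, _dst, n = classify(pkt)
        totals[kind]["out" if src == local_ip else "in"] += n
    return dict(totals)


def findings(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Flag tunnel flows that leave the PC without anything coming back."""
    out = []
    for kind in ("ISAKMP", "ISAKMP over NAT-T", "ESP", "ESP over NAT-T"):
        t = summary.get(kind)
        if t and t["out"] and not t["in"]:
            out.append(f"{kind}: {t['out']} bytes out, 0 in")
    # ESP has no port numbers for a PAT router to map, which is what NAT-T is for
    if summary.get("ESP", {}).get("out") and not any(k.endswith("NAT-T") for k in summary):
        out.append("raw ESP and no NAT-T seen: check that NAT-T was negotiated")
    return out


def constructed_capture() -> List[bytes]:
    """Constructed sample: IKE completes, then ESP-in-UDP goes out unanswered."""
    ike = build_ipv4(17, LOCAL_IP, PIX_IP, build_udp(500, 500, b"\x11" * 40))
    ike_rep = build_ipv4(17, PIX_IP, LOCAL_IP, build_udp(500, 500, b"\x22" * 40))
    natt = build_ipv4(17, LOCAL_IP, PIX_IP, build_udp(4500, 4500, b"\x00" * 4 + b"\x33" * 40))
    natt_rep = build_ipv4(17, PIX_IP, LOCAL_IP, build_udp(4500, 4500, b"\x00" * 4 + b"\x44" * 40))
    esp = build_ipv4(17, LOCAL_IP, PIX_IP, build_udp(4500, 4500, b"\x01\x02\x03\x04" + b"\x55" * 60))
    keepalive = build_ipv4(17, LOCAL_IP, PIX_IP, build_udp(4500, 4500, b"\xff"))
    return [ike, ike_rep, natt, natt_rep, esp, esp, keepalive]


if __name__ == "__main__":
    s = summarize(constructed_capture())
    for kind, t in s.items():
        print(f"{kind:20} out={t['out']:5} in={t['in']:5}")
    print(findings(s))
```

On the constructed sample the report shows ISAKMP answered in both phases and "ESP over NAT-T: 184 bytes out, 0 in", which is the shape to look for in the real capture during the first minute: if ESP-in-UDP is leaving the PC and nothing returns, the question moves to the path between the router's NAT and the PIX; if instead the client is sending raw ESP with no udp/4500 at all, NAT-T was not negotiated and the PAT on Ethernet0 has no ports to map it on.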
10-04-2005 07:10 PM
The issue may be with the PC. Have you spoken to the admin about whether any other user has reported the same issue?
To verify, establish a dial-up connection from your PC and then try the VPN.
10-07-2005 05:24 AM
I am the admin, and no other person has complained of this issue.
I changed my subnet at home (10.10.10.0/24) just for giggles, and that didn't make a difference either, to no surprise.
I will try both the dial-up idea and using another computer this weekend.
10-07-2005 06:39 PM
I just tried using a completely different laptop and I get the same exact result! It still takes about a minute before I can use the RDP connection through the tunnel.