New Member

one minute delay with vpn client 4.6 (and 1720)

I'm connecting to a pix 515e at work from home using the cisco vpn client(4.6.03.0021). At home, I was previously using a linksys router and was able to connect to the PIX just fine. The linksys died on me so I'm using a cisco 1720. Since I've started using it, every time I connect to the PIX, it takes about a minute for the connection to start working. Until it works, I'm not able to connect to other computers on the PIX network. Also, before it works, I can see bytes only going out on the vpn client but no bytes coming in until it connects after a minute. Am I missing a setting? Why would it take a minute for the vpn client to start working after switching from a linksys to a cisco 1720?

26 REPLIES
Gold

Re: one minute delay with vpn client 4.6 (and 1720)

have you got an inbound acl that permits udp 4500 and esp?

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

no, but I just added an acl permitting everything in just to test it and that didn't work either. you are talking about permitting that traffic into the outside interface, right? what's the port number for esp? I looked on www.iana.org and found 2797 but not sure that was it.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i've found that once in a while, there is not a one minute delay. it will let me make my rdp connection immediately. then, if i disconnect the tunnel and reconnect a moment later, it will have the one minute delay again.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

esp: ip 50

with an acl, you can actually use esp as the protocol, e.g.

permit esp any any

permit esp any host 10.0.0.1

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

cisco ios router shouldn't have any issue with remote vpn. would you please post the config?

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

that's what i would think too! i also tried another version of the cisco vpn client and it does the same thing. below is the config. as you can see, i've been learning and playing with access-lists. at one time, i did have the first two access-lists applied to the e0 interface.

version 12.3
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname 1720
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip cef
!
username mrozek password xxxx
!
!
!
interface Ethernet0
 description WAN
 ip address dhcp
 ip nat outside
 full-duplex
!
interface FastEthernet0
 description LAN
 ip address 10.10.1.97 255.255.255.240
 ip access-group f0-in-0 in
 ip nat inside
 speed auto
!
ip nat inside source list nat-output interface Ethernet0 overload
ip nat inside source static tcp 10.10.1.99 3389 interface Ethernet0 3389
ip nat inside source static tcp 10.10.1.99 80 interface Ethernet0 80
ip nat inside source static tcp 10.10.1.99 21 interface Ethernet0 21
ip classless
no ip http server
!
!
ip access-list extended e0-in-0
 permit udp any any eq non500-isakmp
 permit esp any any
ip access-list extended e0-in-1
 permit ip any any
 permit esp any any
ip access-list extended f0-in-0
 permit ip any any
ip access-list extended f0-in-1
 permit ip any any log
ip access-list extended f0-in-2
 permit tcp any any eq telnet
 permit tcp any any eq www
 permit udp any any eq domain
 permit udp any any eq isakmp
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit udp any any eq netbios-ns
 permit tcp any any eq 1206
 permit udp any any eq 62515
 permit udp any any eq 1900
 permit udp any any eq 10000
 permit tcp any any eq 3389
 permit icmp any any
 deny ip any any
ip access-list extended nat-output
 permit ip 10.10.1.96 0.0.0.15 any
logging trap debugging
logging 10.10.1.99
no cdp run
banner motd
This is a private system operated for and by the initial installer.
Authorization from the initial installer is required to use this system.
Use by unauthorized persons is prohibited.
!
line con 0
line aux 0
line vty 0 4
 password xxxx
 login
!
end
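An added example, not code from the thread: a small audit script that parses the ACL and interface sections of the config posted above (reproduced as a constructed excerpt) and reports which of the three flows an IPsec remote-access client needs inbound (IKE udp/500, NAT-T udp/4500, ESP) the WAN-side inbound ACL would drop. Because this 1720 runs no CBAC, the inbound ACL also filters the PIX's return traffic, which is why the answer above asks about udp 4500 and esp; the script only understands `permit/deny <proto> any any [eq port]` entries, which is all the posted ACLs use.

```python
import re

# Constructed excerpt of the 1720 config posted above (interfaces and ACLs only):
# the WAN interface has no "ip access-group ... in", exactly as in the posted config.
CONFIG = """\
interface Ethernet0
 ip nat outside
interface FastEthernet0
 ip access-group f0-in-0 in
ip access-list extended e0-in-0
 permit udp any any eq non500-isakmp
 permit esp any any
ip access-list extended f0-in-0
 permit ip any any
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "domain": 53, "www": 80}

def to_port(tok):
    """IOS port keyword or number -> int, None when the entry names no port."""
    return None if tok is None else (int(tok) if tok.isdigit() else PORT_NAMES[tok])

def parse(config):
    """Return ({acl: [(action, proto, port)]}, {iface: {direction: acl}})."""
    acls, applied, cur_acl, cur_if = {}, {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)", line):
            cur_acl, cur_if = m.group(1), None
            acls[cur_acl] = []
        elif m := re.match(r"interface (\S+)", line):
            cur_if, cur_acl = m.group(1), None
            applied.setdefault(cur_if, {})
        elif cur_if and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            applied[cur_if][m.group(2)] = m.group(1)
        elif cur_acl and (m := re.match(r"(permit|deny) (\S+) any any(?: eq (\S+))?", line)):
            acls[cur_acl].append((m.group(1), m.group(2), to_port(m.group(3))))
    return acls, applied

def allowed(acl, proto, port=None):
    """First-match evaluation, ending with IOS's implicit 'deny ip any any'."""
    for action, p, prt in acl:
        if p == "ip" or (p == proto and prt in (None, port)):
            return action == "permit"
    return False

# What the IPsec client needs inbound: IKE udp/500, NAT-T udp/4500 and ESP (IP proto 50).
IPSEC_FLOWS = {"isakmp udp/500": ("udp", 500), "nat-t udp/4500": ("udp", 4500), "esp": ("esp", None)}

def audit(config, wan="Ethernet0"):
    """List the IPsec flows the WAN inbound ACL would drop; acl=None means none is applied."""
    acls, applied = parse(config)
    name = applied.get(wan, {}).get("in")
    blocked = [] if name is None else [f for f, (pr, po) in IPSEC_FLOWS.items()
                                        if not allowed(acls[name], pr, po)]
    return {"acl": name, "blocked": blocked}
```

Run against the posted config it reports no inbound ACL on Ethernet0 at all, so the ACL cannot be the cause of the delay; if `e0-in-0` were applied inbound, IKE's initial udp/500 exchange would be the one flow it drops.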

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

i was thinking the issue may be related to cbac, however, the router config is very straightforward.

another possibility i can think of is the isakmp keepalive parameter configured on the pix. again, it was working fine with the linksys.

i guess it is worth upgrading the ios of the router. maybe start off with a look at the ios bug tools.

http://www.cisco.com/cgi-bin/Support/Bugtool/home.pl

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i checked out the ios bug tool but couldn't find anything. i was using 12.3(15a) and i just upgraded tonight to 12.3(16) - still no difference.

i would think someone else would experience this issue with it being such a basic setup.

another thing i changed the same time i switched out my linksys for my cisco was my subnet. i was using a 10.0.31.0/24 and changed it to 10.10.1.96/28. that wouldn't cause a problem, would it?

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

it will become an issue if the vpn assigned ip address is overlapping with the lan ip.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

that shouldn't be an issue; the ip assigned through the pix is 192.168.254.0/24 and the network behind the pix is 192.168.1.0/24. back to the drawing board. i'm going to keep posting my progress in hopes of finding this though.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i just tried updating my cisco vpn client to version 4.7 but i still have the same problem. i'm thinking my next step is to do some sniffing and see what the packets are doing.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

the issue may be with the pc. have you spoken to the admin about whether any other user reported the same issue?

to verify, establish a dial-up connection from your pc and then try the vpn.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i am the admin and no other person has complained of this issue.

i changed my subnet at home (10.10.10.0/24) just for giggles and that didn't make a difference either, to no surprise.

i will try both the dial-up idea and using another computer this weekend.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i just tried using a completely different laptop and i get the same exact result! it still takes about a minute before i can use the rdp connection through the tunnel.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

using another laptop and still getting the same result indicates that the issue is not on the pc.

just wondering if this test above was connected to the cisco router or dial-up connection.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i finally got my correct dial-up credentials and was able to test with a dial-up connection; the results are i did not have any problem with my vpn tunnel while using dial-up.

on four separate times, i connected the vpn tunnel and then successfully connected to the remote computer within 10 seconds.

so using the process of elimination, the problem is not:

1. my laptop (because the same thing occurs on a different machine)

2. a specific cisco ios (because i've tried two different ios')

3. my dsl connection (because i didn't have this problem with my linksys router)

4. a specific cisco vpn client (because i've tried three different clients)

i can't see anything in my config that would cause a problem here and i can't imagine it being a hardware issue.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

since it used to work with the linksys in place, with the same laptop, isp, and vpn server, maybe replace the cisco router with another router/modem to test it.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i was hoping to not have to do that since i don't really have another router available at the moment but i'll see if i can purchase a linksys befsx41 and use that to test it. do you have any other ideas if the linksys does work? i'd really like to figure this out both to benefit me and others that have the same issue (if there are others).

i do appreciate the time you've given me so far! thank you.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

you're welcome, however, i wasn't that helpful as i really don't know what went wrong.

do you have another remote vpn access you can test? e.g. connect to a different office.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

i'm still working on getting another router. might even be able to get my hands on a cisco 800 series.

did some more googling and found a suggestion like yours (jackko) but covers a wider range of vpn tunnels (or so it seems to me):

permit esp any any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit udp any any eq 10000

permit tcp any any eq 1723

permit gre any any

i tried to apply this to the incoming traffic on my outside interface (where i'm assuming it should be applied). however, i'm confused how you let normal traffic in. i would like to add permit ip any any at the bottom of the above access-list but i'm worried that is a massive security flaw, right? so then, do i just add the additional protocols i need to let into the network? i would guess so.

anyway, i don't want to let my inexperience get me too far off the topic. i just want my cisco vpn client to work right! :)

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

"permit udp any any eq 10000" is for ipsec over tcp, which (from memory) is only available from the vpn concentrator

"permit tcp any any eq 1723" and "permit gre any any" are for pptp vpn, not ipsec vpn.

confused how you let normal traffic in?

providing you've got cbac configured, you don't really need to worry about the inbound acl permitting the return traffic. an inbound acl is only required when the connection is initiated from the internet.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

you're right about udp 10000 because i've seen that same information on other sites. thanks for clearing up the other protocols as well.

i am confused because i thought i had the basic idea of access-lists down. i know there is an implication at the end of each access-list that denies everything that is not on the access-list. and when i applied the access-list i mentioned in my previous post, all traffic was stopped. that is consistent with what i thought but not with what you're saying (about an inbound acl only being required when the connection is initiated from the internet). i don't want to pull you too far off track though so don't let me do that.

until i get my next router, i'm going to keep optimistically searching google for this same issue.

Gold

Re: one minute delay with vpn client 4.6 (and 1720)

please excuse me for not being clear.

assuming there is no cbac or any acl, then all traffic in/out is permitted, as on a router.

if cbac is enabled, then an inbound acl will be required if and only if there will be outside-initiated traffic, not return traffic. e.g. if there is a web server behind the router, then you'll need to configure an inbound acl. otherwise, no inbound acl is required. the reason being cbac will permit the return traffic. e.g. when an internal user tries to access the internet, the router will permit this particular server response to come back as cbac can recognise the traffic.
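An added example, not code from the thread or from Cisco: a toy model of the behaviour jackko describes, with a WAN inbound ACL that publishes only a web server and an optional CBAC session table that opens the return half of connections inside hosts initiated. The inside host 10.10.1.99 is from the posted config; the outside addresses are constructed documentation addresses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class CbacRouter:
    """Toy router: static inbound ACL on the WAN side plus, when cbac=True,
    an 'ip inspect'-style session table filled by traffic leaving the LAN."""
    def __init__(self, inbound_acl, cbac=True):
        self.acl = inbound_acl      # (proto, dport) pairs permitted from the internet
        self.cbac = cbac
        self.sessions = set()       # (proto, inside, inside_port, outside, outside_port)

    def outbound(self, p):
        # No outbound ACL in this model: inside hosts may initiate anything.
        if self.cbac:
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return True

    def inbound(self, p):
        # 1) CBAC permits the return half of a session an inside host opened
        if self.cbac and (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return True
        # 2) otherwise only the static inbound ACL applies (implicit deny)
        return any(pr == p.proto and dp in (None, p.dport) for pr, dp in self.acl)

def demo():
    """Outcomes for the cases above: return traffic, published server, unpublished port."""
    r = CbacRouter(inbound_acl=[("tcp", 80)])
    r.outbound(Pkt("tcp", "10.10.1.99", 51000, "198.51.100.7", 443))
    reply = r.inbound(Pkt("tcp", "198.51.100.7", 443, "10.10.1.99", 51000))
    web = r.inbound(Pkt("tcp", "203.0.113.9", 40000, "10.10.1.99", 80))
    rdp = r.inbound(Pkt("tcp", "203.0.113.9", 40001, "10.10.1.99", 3389))
    # Same ACL without CBAC: the reply to the inside host's own connection is dropped,
    # which is what happens on an IOS image with no security feature set.
    plain = CbacRouter(inbound_acl=[("tcp", 80)], cbac=False)
    plain.outbound(Pkt("tcp", "10.10.1.99", 51000, "198.51.100.7", 443))
    reply_no_cbac = plain.inbound(Pkt("tcp", "198.51.100.7", 443, "10.10.1.99", 51000))
    return {"return_traffic": reply, "web_server": web,
            "unpublished_rdp": rdp, "return_without_cbac": reply_no_cbac}
```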

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

thanks for the explanation jackko. that makes perfect sense. i just found a great cisco document (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt3/sccbac.htm) that explains everything about the cbac. i'm also taking the cisco safe exam this friday and they mention cbac as a method for attack mitigation.

my IOS feature set doesn't include much security because i had a very difficult time finding an IOS for the 1720 (8m flash, 16m memory) that supported both the security features i wanted and the ethernet card i'm using for my wan interface.

well, i don't think i'm going to get the cisco 800 series router for a while but i think i'm going to be able to borrow an old 3620. that will be the router i can use to test the vpn tunnel through.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

just for the record, i know the dialup test already did the job but i'm at the local library right now (which has a hotspot) and i can use my vpn tunnel immediately after connecting it.

i'll have the 3620 ready in a couple of days.

New Member

Re: one minute delay with vpn client 4.6 (and 1720)

well, i'm officially closing this one because I will not be able to get my hands on another router at the moment and even if i do, it still won't give me a good enough lead. thanks for all your help jackko.
