03-28-2012 12:23 PM
Hi,
Not able to connect a remote user to our network. All other remote users are able to connect, so I know the tunnel is up. When this user tries to connect using the Cisco VPN client, I see their traffic coming through with "sh crypto ipsec sa peer <peer address>". I can see their peer address and I can see their DHCP local allocated address (allocated from the firewall), and I can ping their peer address but I can't ping the DHCP allocated address.
Any ideas?
Thanks, Pat.
03-28-2012 12:50 PM
Hi,
Are all the users in question (both working ones and this problematic one) part of the same tunnel-group?
Are all users applied with the same group-policy settings?
Is the VPN Client connection type tunnel all/full tunnel or split-tunnel?
Can you ping the working VPN Client hosts' VPN DHCP pool address? Though I guess it's possible that, depending on the user's local computer settings, they might not even reply to echo requests even if they were going through.
Where are you pinging the VPN Clients from?
With the "show crypto ipsec sa peer x.x.x.x" command, can you see any packets arriving at your end (being decrypted/decapsulated)? Or is it just your ICMP echo requests that are being sent to the VPN connection but don't get any return traffic?
03-29-2012 03:22 AM
Thanks for the response:
Are all the users in question (both working ones and this problematic one) part of the same tunnel-group? Yes
Are all users applied with the same group-policy settings? It is a dynamic VPN allowing many forms of encryption.
Is the VPN Client connection type tunnel all/full tunnel or split-tunnel? It is not a split tunnel
Can you ping the working VPN Client hosts' VPN DHCP pool address? No, I cannot ping the remote host's address, but I can ping the peer address.
Where are you pinging the VPN Clients from? From another host on our network. I can ping other users' host address and peer address.
With the "show crypto ipsec sa peer x.x.x.x" command, can you see any packets arriving at your end (being decrypted/decapsulated)? Or is it just your ICMP echo requests that are being sent to the VPN connection but don't get any return traffic? I see them being decrypted/decapsulated.
Should I also check traceroute to the local and peer addresses? I forgot to do that.
03-29-2012 03:33 AM
Email from user stating screen message:
tried to sign in again - VPN Client connects fine, but Fusion states "not connected to the network", even though VPN connected
Crypto map tag: OUTSIDE_dyn_map, seq num: 40, local addr: XX.XX.XX.XX
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.XX.XX/255.255.255.255/0/0)
current_peer: 74.47.XX.XX, username: XXXXXXX
dynamic allocated peer ip: 10.10.XX.XX
#pkts encaps: 548, #pkts encrypt: 548, #pkts digest: 548
#pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 548, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: 74.47.XX.XX
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F9F18F20
current inbound spi : B27E9C25
inbound esp sas:
spi: 0xB27E9C25 (2994641957)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 166191104, crypto-map: OUTSIDE_dyn_map
sa timing: remaining key lifetime (sec): 2902
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x1FFFFFFF 0xFFFFFFFD
outbound esp sas:
spi: 0xF9F18F20 (4193357600)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 166191104, crypto-map: OUTSIDE_dyn_map
sa timing: remaining key lifetime (sec): 2902
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks, Pat.
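Added example, not code from this thread or from Cisco: a small Python parser that pulls the encaps/decaps counters, the local/remote idents and the assigned pool address out of a "show crypto ipsec sa" excerpt and reports the things the earlier reply asks about: whether traffic flows both ways, whether the tunnel is full or split, and whether any error counters are incrementing. The sample text is constructed with placeholder addresses and username; the counters are the ones from the output above.

```python
import re

# Constructed excerpt in the layout of "show crypto ipsec sa peer <addr>" on an ASA.
# Addresses and username are placeholders; the counters match the thread's output.
SAMPLE = """\
Crypto map tag: OUTSIDE_dyn_map, seq num: 40, local addr: 198.51.100.1
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.10.20.5/255.255.255.255/0/0)
  current_peer: 203.0.113.7, username: user1
  dynamic allocated peer ip: 10.10.20.5
  #pkts encaps: 548, #pkts encrypt: 548, #pkts digest: 548
  #pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts replay failed (rcv): 0
"""

FIELD = re.compile(r"#(pkts [^:,]+?):\s*(\d+)")           # "#pkts decaps: 624"
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ERROR_COUNTERS = ("pkts invalid sa (rcv)", "pkts decaps failed (rcv)", "pkts verify failed",
                  "pkts replay failed (rcv)", "pkts no sa (send)", "pkts encaps failed (send)")

def parse_sa(text):
    """Extract counters, idents, peer and assigned pool address from one SA block."""
    sa = {"counters": {k: int(v) for k, v in FIELD.findall(text)}}
    for side, addr, mask in IDENT.findall(text):
        sa[side + "_ident"] = (addr, mask)
    peer = re.search(r"current_peer: ([\d.]+)", text)
    pool = re.search(r"dynamic allocated peer ip: ([\d.]+)", text)
    sa["peer"] = peer.group(1) if peer else None
    sa["assigned_ip"] = pool.group(1) if pool else None
    return sa

def diagnose(sa):
    """Answer the reply's questions: tunnel type, traffic direction, error counters."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    # A full tunnel shows local ident 0.0.0.0/0.0.0.0; split tunnel lists specific subnets.
    findings = ["full tunnel" if sa.get("local_ident") == ("0.0.0.0", "0.0.0.0") else "split tunnel"]
    if enc and dec:
        findings.append("two-way: IPsec passes traffic both ways, look beyond the tunnel "
                        "(client host firewall, client LAN gateway)")
    elif enc and not dec:
        findings.append("one-way: packets sent toward the client, nothing decapsulated from it")
    elif dec and not enc:
        findings.append("one-way: client traffic arrives, nothing is sent back")
    else:
        findings.append("idle: no traffic in either direction")
    errors = [k for k in ERROR_COUNTERS if c.get(k)]
    findings.append("errors: " + ", ".join(errors) if errors else "no error counters incrementing")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_sa(SAMPLE)):
        print(line)
```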
03-29-2012 04:20 AM
Hi,
At least by the looks of the above show command output, traffic is going to and from the client.
So seems the VPN is working.
I don't think pinging the peer address tells everything. You could be pinging an ADSL modem or a firewall outside interface, depending on where the user is connecting from. And those devices don't necessarily allow ICMP echoes.
Of course client computers don't always allow ICMP either, but that should be easier to check and correct if needed.
This might be a stupid question but what is "Fusion"?
Have you tried connecting to some service on your network from the VPN client computer while the VPN is active? I mean can you load some web page, ping some networking device from the client?
Are there any VPN filter rules or access-lists that might prevent traffic?
I guess the easiest way to rule out some problems would be to see the actual configuration.
03-29-2012 07:51 AM
Thanks for the response,
Fusion is the app they use for transcription.
The user could not connect to any service on our network.
If there were VPN filter rules, it would block all remote users, right?
What configuration example would you need?
thanks
03-31-2012 10:18 AM
We finally got to the bottom of it. We asked the remote user to take a picture of her setup and we noticed she had the Comcast router plugged into an Airport wifi router and her PC was plugged into the Airport router. So, I gather there were two gateways? We had her unplug the Airport and put her PC in the Comcast router and all was good. But we had her in the DMZ without her Windows firewall on. Then we took her out of the DMZ. Although she was able to connect remotely and get to anything on our network, we still couldn't ping her as soon as we took her out of the DMZ. Which is ok.
Thanks, Pat.