Remote User not able to Connect Completely

Patrick McHenry
Level 3


Hi,

Not able to connect a remote user to our network. All other remote users are able to connect, so I know the tunnel is up. When this user tries to connect using the Cisco VPN client, I see their traffic coming through with "sh crypto ipsec sa peer <peer address>". I can see their peer address and I can see their DHCP local allocated address (allocated from the firewall), and I can ping their peer address, but I can't ping the DHCP allocated address.

Any ideas?

Thanks, Pat.

6 Replies

Jouni Forss
VIP Alumni

Hi,

Are all the users in question (both working ones and this problematic one) part of the same tunnel-group?

Are all users applied with the same group-policy settings?

Is the VPN Client connection type tunnel all/full tunnel or split-tunnel?

Can you ping the working VPN Client hosts' VPN DHCP pool address? Though I guess it's possible that, depending on the users' local computer settings, they might not even reply to echo requests even if they were going through.

Where are you pinging the VPN Clients from?

With the "show crypto ipsec sa peer x.x.x.x" command, can you see any packets arriving at your end (being decrypted/decapsulated)? Or is it just your ICMP echo requests that are being sent to the VPN connection but don't get any return traffic?

Thanks for the response:

Are all the users in question (both working ones and this problematic one) part of the same tunnel-group? Yes

Are all users applied with the same group-policy settings? It is a dynamic VPN allowing many forms of encryption.

Is the VPN Client connection type tunnel all/full tunnel or split-tunnel? It is not a split tunnel

Can you ping the working VPN Client hosts' VPN DHCP pool address? No, I cannot ping the remote host's address, but I can ping the peer address.

Where are you pinging the VPN Clients from? From another host on our network. I can ping other users' host addresses and peer addresses.

With the "show crypto ipsec sa peer x.x.x.x" command, can you see any packets arriving at your end (being decrypted/decapsulated)? Or is it just your ICMP echo requests that are being sent to the VPN connection but don't get any return traffic? I see them being decrypted/decapsulated.

Should I also check traceroute to the local and peer addresses? I forgot to do that.

Email from user stating screen message:

Tried to sign in again. VPN Client connects fine, but Fusion states "not connected to the network", even though the VPN is connected.

Crypto map tag: OUTSIDE_dyn_map, seq num: 40, local addr: XX.XX.XX.XX

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.XX.XX/255.255.255.255/0/0)
      current_peer: 74.47.XX.XX, username: XXXXXXX

      dynamic allocated peer ip: 10.10.XX.XX

      #pkts encaps: 548, #pkts encrypt: 548, #pkts digest: 548
      #pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 548, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: 74.47.XX.XX

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F9F18F20
      current inbound spi : B27E9C25

    inbound esp sas:
      spi: 0xB27E9C25 (2994641957)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 166191104, crypto-map: OUTSIDE_dyn_map
         sa timing: remaining key lifetime (sec): 2902
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x1FFFFFFF 0xFFFFFFFD
    outbound esp sas:
      spi: 0xF9F18F20 (4193357600)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 166191104, crypto-map: OUTSIDE_dyn_map
         sa timing: remaining key lifetime (sec): 2902
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Thanks, Pat.
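Jouni's check (are packets being decapsulated at the firewall, or only sent out) can be applied mechanically to output like the one Pat posted. The following is an added example, not code from the thread: a small Python parser that pulls the peer, the assigned pool address and the per-SA packet counters out of "show crypto ipsec sa peer" output and turns them into the findings discussed above. The sample input is a trimmed copy of the masked output posted in the thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: trimmed from the masked output posted in the thread.
SAMPLE_SA = """\
Crypto map tag: OUTSIDE_dyn_map, seq num: 40, local addr: XX.XX.XX.XX
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.XX.XX/255.255.255.255/0/0)
      current_peer: 74.47.XX.XX, username: XXXXXXX
      dynamic allocated peer ip: 10.10.XX.XX
      #pkts encaps: 548, #pkts encrypt: 548, #pkts digest: 548
      #pkts decaps: 624, #pkts decrypt: 624, #pkts verify: 624
      #pkts decaps failed (rcv): 0, #pkts verify failed: 0
      #pkts replay failed (rcv): 0
"""

# "#pkts <name>[ (send|rcv)]: <count>" pairs; several may share one line.
COUNTER_RE = re.compile(r"#(pkts [a-z ]+?(?: \((?:send|rcv)\))?): (\d+)")
FIELD_RE = re.compile(r"^\s*(current_peer|dynamic allocated peer ip): ([^,\n]+)", re.M)


@dataclass
class SaSummary:
    peer: str          # public address the client connects from
    assigned_ip: str   # address handed out from the VPN pool
    counters: dict     # counter name -> integer value


def parse_sa(text):
    fields = dict(FIELD_RE.findall(text))
    counters = {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}
    return SaSummary(fields.get("current_peer", "?"),
                     fields.get("dynamic allocated peer ip", "?"), counters)


def assess(summary):
    """Return findings mirroring the questions raised in the thread."""
    c = summary.counters
    findings = []
    if c.get("pkts decaps", 0) == 0:
        findings.append("no packets decapsulated: client traffic is not reaching this end")
    elif c.get("pkts encaps", 0) == 0:
        findings.append("packets arrive but none are sent back: check routing, NAT and VPN filters toward the pool")
    else:
        findings.append("traffic flows both ways over the SA; the tunnel itself is working")
    # Non-zero error counters point at integrity, replay or fragmentation trouble on the path.
    for key in ("pkts decaps failed (rcv)", "pkts verify failed", "pkts replay failed (rcv)"):
        if c.get(key, 0):
            findings.append(f"{key} = {c[key]}: check transform set and path between peers")
    return findings
```

Run against the sample, `assess(parse_sa(SAMPLE_SA))` reports bidirectional traffic and no error counters, which is the same conclusion Jouni drew from the output by eye; the remaining fault then has to lie beyond the SA (client host, its firewall, or its local network).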

Hi,

At least by the looks of the above show command output, traffic is going to and from the client.

So seems the VPN is working.

I don't think pinging the peer address tells everything. You could be pinging an ADSL modem or a firewall outside interface depending on where the user is connecting from. And those devices don't necessarily allow ICMP echoes.

Of course client computers don't always allow ICMP either, but that should be easier to check and correct if needed.

This might be a stupid question but what is "Fusion"?

Have you tried connecting to some service on your network from the VPN client computer while the VPN is active? I mean can you load some web page, ping some networking device from the client?

Are there any VPN filter rules or access-lists that might prevent traffic?

I guess the easiest way to rule out some problems would be to see the actual configuration.

Thanks for the response,

Fusion is the app they use for transcription.

The user could not connect to any service on our network.

If there were VPN filter rules, it would block all remote users, right?

What configuration example would you need?

Thanks

We finally got to the bottom of it. We asked the remote user to take a picture of her setup and we noticed she had the Comcast router plugged into an Airport wifi router, and her PC was plugged into the Airport router. So, I gather there were two gateways? We had her unplug the Airport and put her PC in the Comcast router and all was good. But we had her in the DMZ without her Windows firewall on. Then we took her out of the DMZ. Although she was able to connect remotely and get to anything on our network, we still couldn't ping her as soon as we took her out of the DMZ. Which is OK.

Thanks, Pat.