New Member

VPN Client not decrypting data

I recently upgraded my remote VPN access from a VPN concentrator 3030 to an ASA 5540 (8.2.2). For the most part the upgrade completed without trouble. I have had a couple of instances where remote users are able to connect but not pass traffic. The users are prompted for a username and password (xauth). Authentication passes, they are then prompted to accept (ok) the VPN message banner. No data passes at this point. From the ASA I can see data decrypting and encrypting. From the remote client, I can see data encrypting but no data encrypts.

Any ideas?

4 REPLIES
New Member

Re: VPN Client not decrypting data

Correction... from the VPN client data is encrypting. The ASA does not receive anything. From HQ, I can send ICMP and see the traffic encrypt but the vpnclient counters do not receive.

Re: VPN Client not decrypting data

First of all, you need to find out in which direction the traffic is dropping.

Send the traffic from HQ, then check the encrypt/decrypt counts on both the ASA and the client to see which one is NOT incrementing.

Send the traffic from the client and check the counts as well.

After you figure out the direction, check the following items.

1. routing

2. NAT 0

3. NAT-T

4. ACL blocking
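
The counter comparison described in the reply above, as an added example that is not part of the original thread: it takes two snapshots of one SA's counter lines from `show crypto ipsec sa` on the ASA and names the direction that is not incrementing. The sample output is constructed, and the function names and result labels are hypothetical.

```python
import re

# Counter fields as printed under one SA by "show crypto ipsec sa" on the ASA.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

# Constructed sample output (not from the thread): two snapshots of the same
# client SA, taken before and after sending pings in both directions.
BEFORE = """
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
AFTER = """
      #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def parse_counters(text):
    """Return {'encaps': n, 'decaps': n} for a single SA's counter lines."""
    found = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counter lines not found: {sorted(missing)}")
    return found

def classify(before, after):
    """Name the direction that is not incrementing, as seen from the ASA."""
    sent = after["encaps"] - before["encaps"]
    received = after["decaps"] - before["decaps"]
    if sent < 0 or received < 0:
        return "sa-rebuilt"              # counters went backwards; re-snapshot
    if sent and received:
        return "both-directions-ok"
    if sent:
        return "client-to-asa-missing"   # ASA encrypts but decrypts nothing
    if received:
        return "asa-to-client-missing"   # ASA decrypts but encrypts nothing
    return "no-traffic-matched"          # test traffic never hit this SA

if __name__ == "__main__":
    print(classify(parse_counters(BEFORE), parse_counters(AFTER)))
```

Whichever direction is reported as missing is the one to walk through the routing, NAT 0, NAT-T and ACL checks listed above.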

New Member

Re: VPN Client not decrypting data

I agree with Kevin,

In most scenarios it will be a routing issue:

1) Reverse routing from the ASA device to the backbone switch or next hop.

2) If you have a redundant firewall between the backbone switch and the ASA, check that access has been provided for the source subnet (VPN pool subnet) towards the backbone servers ( ex)

New Member

Re: VPN Client not decrypting data

Hi,

Packets are getting dropped somewhere in between. Is there any firewall blocking ESP packets?

Try to enable "cry isakmp nat-t 20" on the firewall.

Regards,

Pradhuman
