Cisco Support Community
VPN - NAT-T Issue

Hey Guys,

I'm wondering if you could help me with a strange CVPN issue.  I've got clients using the Cisco VPN Client (version 5.0.07.0290), and an ASA 5520 set up as the endpoint.  99% of the time this works great, so I'm pretty confident with the config, but there is one specific user who is having a problem (although sometimes it works ok for him).  This user is connecting to the internet through a 3G dongle, and then trying to VPN in.  I can see the connection being established, RADIUS authenticating his credentials, and the tunnel being set up without issue.

No data seems to pass through the tunnel however.  Lots of packets are sent, but none are ever received back.  Looking at the VPN statistics on the client, I can see that Transparent Tunneling is inactive, so I'm presuming I've got a NAT issue somewhere.  The output of sh vpn-sessiondb remote seems to confirm this (user 1 is the problem user, user 2 works fine):

Username     : user1                  Index        : 1332
Assigned IP  : 172.17.47.191          Public IP    : xxxx
Protocol     : IKE IPsec
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : Tunnel-Group-1
Tunnel Group : Tunnel-Group-1
Login Time   : 06:18:57 UTC Tue Nov 22 2011
Duration     : 0h:14m:41s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : user2                  Index        : 1333
Assigned IP  : 172.17.47.168          Public IP    : xxxx
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 147061                 Bytes Rx     : 141808
Group Policy : Tunnel-Group-1
Tunnel Group : Tunnel-Group-1
Login Time   : 06:31:03 UTC Tue Nov 22 2011
Duration     : 0h:02m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

As you can see, for the problem user, just plain IKE IPSec is negotiated, without NAT-T.  Any ideas why this would happen?  And why it would only happen on some occasions?

Thanks for any suggestions.

1 REPLY

VPN - NAT-T Issue

I have seen the same issue with 3G connections - we have found that it is a driver issue between the Cisco VPN Client and the 3G USB device.

Solutions - change the 3G device for another vendor, use another VPN client (Shrew Soft works really well), or change the method of VPN access; we are considering moving to AnyConnect.

HTH

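To find other sessions showing the symptom described in the question (plain `IKE IPsec` negotiated, no bytes in either direction), the sketch below parses output in the layout of `sh vpn-sessiondb remote` as quoted above. It is an added example, not part of the original posts; the function names, the 60-second age threshold, and the `Nh:NNm:NNs` duration format are assumptions, and the sample is constructed by trimming the two records from the question.

```python
import re

# Constructed sample, trimmed from the two records quoted in the question.
SAMPLE = """\
Username     : user1                  Index        : 1332
Protocol     : IKE IPsec
Bytes Tx     : 0                      Bytes Rx     : 0
Duration     : 0h:14m:41s

Username     : user2                  Index        : 1333
Protocol     : IKE IPsecOverNatT
Bytes Tx     : 147061                 Bytes Rx     : 141808
Duration     : 0h:02m:35s
"""

# A line carries one or two "Key : value" pairs; the second starts after 2+ spaces.
SPLIT = re.compile(r"\s{2,}(?=[A-Z][\w ]*?\s+: )")
DURATION = re.compile(r"(\d+)h:(\d+)m:(\d+)s")  # format as shown in the question

def parse_sessions(text):
    """Return one dict per session; a 'Username' field starts a new record."""
    sessions = []
    for line in text.splitlines():
        for chunk in SPLIT.split(line.strip()):
            key, sep, value = chunk.partition(":")
            if not sep:
                continue  # blank or unrecognised line
            key, value = key.strip(), value.strip()
            if key == "Username":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions

def duration_seconds(value):
    """Convert a 'Duration' value to seconds; 0 if the format is not recognised."""
    m = DURATION.search(value)
    if not m:
        return 0
    hours, minutes, seconds = map(int, m.groups())
    return hours * 3600 + minutes * 60 + seconds

def stalled_without_natt(sessions, min_age=60):
    """Usernames whose session is plain IPsec (no NAT-T), at least min_age
    seconds old (assumed threshold) and has moved no bytes either way."""
    hits = []
    for s in sessions:
        plain = "IPsec" in s.get("Protocol", "").split()
        no_data = s.get("Bytes Tx") == "0" and s.get("Bytes Rx") == "0"
        if plain and no_data and duration_seconds(s.get("Duration", "")) >= min_age:
            hits.append(s["Username"])
    return hits
```

A session flagged here is only a candidate for investigation: a client that is not behind NAT legitimately negotiates plain IPsec, so the zero byte counters and the session age are what separate the stalled case from a healthy one.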