mjeds asked:
Conflicts with Cisco ASA 5510 and Linksys SRW2024

I have inherited a problem that I need some resolution on.

The company that I was just hired at has a Cisco ASA 5510 Security Appliance in place.
There are 61 users behind this device.

The switches that were in place were off-the-shelf (Best Buy, Fry's, etc.) Netgear 16-port unmanaged 10/100 switches.

The factory is 290,000 square feet; there were 18 switches looped every 200 or so feet to get a connection from the front to the back of the building (oye!).

4 VPN users using the Cisco VPN software, all using the same login on the Cisco ASA 5510.
Everything works as it should.
---------

Fast forward a few weeks...

My first project when I was hired 6 weeks ago was to replace the 18 switches with a fiber optic connection from the front to the back of the factory. So now there are 3 Linksys SRW2024 switches that feed the front office area and a fiber optic run to the back of the factory feeding 2 more SRW2024s.

All users are now connected at gigabit speeds and there are no more network drops or lagging.

Everything internal works wonderfully, and everyone is happy.

However, I was informed yesterday that the VPN is not functioning.

Basically, here is the issue:

Users can connect to the VPN tunnel via the Cisco software and they get in, get an IP, and for all intents and purposes it appears to be functioning, but they have no access to the network, email, SQL server, etc.

Now when I remove the Linksys SRW2024 switches and go back to using the unmanaged Netgear stuff, the VPN functions correctly.

It appears to be some kind of conflict between the Cisco and the Linksys equipment, but for the life of me I can not figure out what.

Any ideas?

batry_boy:

Do you have any port security settings on the SRW2024 switch?

Post the sanitized firewall configuration and let's have a look to see what could be causing this...
mjeds (asker):

No port security on the SRW2024 at the moment; it was just plugged in and is using default factory settings.


CISCO CONFIG:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(6)
!
hostname XXXXXXX
domain-name XXX.XXX.com
enable password VoT.w3ueNxils8fz encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 74.xxx.xxx.xxx 255.xxx.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.xxx.xxx.xxx 255.xxx.xxx.xxx
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 ip address dhcp setroute
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.200.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
no ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns name-server DNS.DNS.DNS.DNS
dns name-server DNS.DNS.DNS.DNS
dns name-server DNS.DNS.DNS.DNS
dns name-server DNS.DNS.DNS.DNS
access-list outside_access_in remark SMTP Connection to Exchange Server
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list outside_access_in remark POP3 Connection to Exchange Server
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq pop3
access-list outside_access_in remark IMAP connection to Exchange Server
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX eq imap4
access-list outside_access_in remark Remote / Terminal Server
access-list outside_access_in remark Email / Webmail Exchange Server
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX
access-list outside_access_in remark Becky M Remote Desktop
access-list outside_access_in remark Becky M Remote Desktop
access-list outside_access_in extended permit tcp any host XXX.XXX.XXX.XXX
access-list LYNXCA_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any XXX.XXX.XXX.XXX 255.255.255.192
pager lines 24
logging enable
logging asdm informational
logging mail notifications
logging ftp-bufferwrap
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool LYNXIP 192.XXX.XXX.XXX-192.XXX.XXX.XXX mask 255.255.255.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.255
static (inside,outside) XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy LYNXCA internal
group-policy LYNXCA attributes
 webvpn
username mikeedwards password td9OkR9oLTz4yzX2 encrypted
username mikeedwards attributes
 vpn-group-policy LYNXCA
 vpn-framed-ip-address XXX.XXX.XXX.XXX 255.255.255.0
 webvpn
username admin password sMH.pKVEMa9DUa9M encrypted
username admin attributes
 vpn-group-policy LYNXCA
 webvpn
username Lynx password DDXgeSEEmmt0JD76 encrypted
username Lynx attributes
 vpn-group-policy LYNXCA
 webvpn
username medwards password zJeWWqX/.7UOTvFx encrypted
username medwards attributes
 vpn-group-policy LYNXCA
 vpn-framed-ip-address XXX.XXX.XXX.XXX 255.255.255.0
 webvpn
username mdoyle password RWwvfYKysillWUNA encrypted
username mdoyle attributes
 vpn-group-policy LYNXCA
 vpn-framed-ip-address XXX.XXX.XXX.XXX 255.255.255.0
 webvpn
username rmorgan password LZPxDfmd62nGZ1.v encrypted
username rmorgan attributes
 vpn-group-policy LYNXCA
 vpn-framed-ip-address XXX.XXX.XXX.XXX 255.255.255.0
 webvpn
http server enable
http 192.168.0.66 255.255.255.255 inside
http 192.168.0.0 255.255.224.0 inside
http 192.168.200.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group LYNXCA type ipsec-ra
tunnel-group LYNXCA general-attributes
 default-group-policy LYNXCA
tunnel-group LYNXCA ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group LYNXCA
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX inside
dhcpd dns XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
dhcpd wins XXX.XXX.XXX.XXX
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain bellca.lynx
dhcpd option 4 ip XXX.XXX.XXX.XXX
dhcpd option 5 ip XXX.XXX.XXX.XXX
dhcpd option 6 ip XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
smtp-server XXX.XXX.XXX.XXX
Cryptochecksum:3a681a3b4c43f39a2271716571e4371b
: end
batry_boy:

A couple of things to try...

First, you need to upgrade the ASA code...you're running a really early, aka really buggy, version of code. Upgrade to the latest version, which is 7.2(3).

Second, I notice that you are statically assigning IP addresses to the VPN users...what IP addresses are they being given?
mjeds (asker):

Can't update the ASA device, no active contract with Cisco, and the company won't pay for one.

Static IP addresses given are internal IP addresses.

Keep in mind, the VPN setup on the Cisco works fine: when the SRW2024 switches are removed from the system and unmanaged dummy switches are put in place, there is no issue.

The problem lies in the connection between the ASA and the SRW2024, most likely in the SRW2024 and not in the Cisco ASA device.

This is further evidenced by the fact that I removed the Cisco device and put a Linksys RV082 firewall in place.

Same issue with VPN on the Linksys RV082: the users can get to the firewall, they get authenticated at the firewall, and the VPN tunnel is created.

I can ping their VPN-assigned IP address and the internal DNS server picks them up as being on the network...

but they can not access any network resources.
batry_boy (asker certified solution):

mjeds (asker):

No change: can connect to the Cisco, the VPN tunnel is established, and the connected computer can transmit but receives nothing back and has no access to the internal network resources:

Crypto map tag: outside_dyn_map, seq num: 20, local addr: 74.206.6.144

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.15/255.255.255.255/0/0)
      current_peer: 70.213.182.183, username: medwards
      dynamic allocated peer ip: 10.10.10.15

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 74.206.6.144/10000, remote crypto endpt.: 70.213.182.183/10000
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 87EA5C0B

    inbound esp sas:
      spi: 0x4D7BB772 (1299953522)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28385
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x87EA5C0B (2280283147)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  UDP-Encaps, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28385
         IV size: 16 bytes
         replay detection support: Y
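The counters in the SA output above carry the whole symptom: the ASA decapsulates and decrypts the client's packets (decaps 108) but encapsulates nothing back toward it (encaps 0), so the return traffic for the VPN client is never reaching the ASA, or is being dropped before it is encrypted. As an added example that is not part of this thread or of Cisco's tooling, the following Python parser pulls the per-SA encaps/decaps counters out of `show crypto ipsec sa` output and classifies the direction of traffic, which is a quick way to separate "tunnel is broken" from "return path is broken" across many clients at once. The sample output is constructed with RFC 5737 documentation addresses rather than the thread's real peers, and the verdict labels are this example's own.

```python
import re

# Constructed sample in the format of ASA "show crypto ipsec sa" output, using
# documentation addresses (RFC 5737) rather than any real peer. The first SA
# mirrors the one-way pattern seen in the thread: packets from the client are
# decapsulated/decrypted, but nothing is encapsulated back toward it.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.15/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: vpnuser
      dynamic allocated peer ip: 10.10.10.15

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 108, #pkts decrypt: 108, #pkts verify: 108
      #pkts compressed: 0, #pkts decompressed: 0
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 192.0.2.1

      remote ident (addr/mask/prot/port): (10.10.10.16/255.255.255.255/0/0)
      current_peer: 203.0.113.9, username: otheruser
      dynamic allocated peer ip: 10.10.10.16

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 61, #pkts decrypt: 61, #pkts verify: 61
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
PEER_IP_RE = re.compile(r"dynamic allocated peer ip: (\S+)")


def split_sa_blocks(text):
    """Split the command output into one chunk per 'Crypto map tag:' header."""
    chunks = re.split(r"(?m)^(?=Crypto map tag:)", text)
    return [c for c in chunks if c.strip()]


def parse_sa_counters(block):
    """Return the allocated peer IP and the packet counters from one SA block."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(block)}
    m = PEER_IP_RE.search(block)
    counters["peer_ip"] = m.group(1) if m else None
    return counters


def diagnose_sa(counters):
    """Classify the traffic direction the encaps/decaps counters describe."""
    enc = counters.get("encaps", 0)
    dec = counters.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        # Client packets are decrypted, but the ASA encrypts nothing back:
        # return traffic for the client is not reaching the ASA (or is dropped
        # there), so check the inside path, routing and NAT exemption first,
        # not the IPsec negotiation itself.
        return "one-way-inbound"
    if dec == 0:
        return "one-way-outbound"
    return "bidirectional"


def diagnose_all(text):
    """Map each SA's allocated peer IP to its verdict."""
    return {c["peer_ip"]: diagnose_sa(c)
            for c in map(parse_sa_counters, split_sa_blocks(text))}


if __name__ == "__main__":
    for peer, verdict in diagnose_all(SAMPLE_SA_OUTPUT).items():
        print(f"{peer}: {verdict}")
```

Feed it the full `show crypto ipsec sa` output and any SA that comes back `one-way-inbound` is a client whose replies are dying somewhere inside the network, which is exactly the case the rest of this thread chases down.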
batry_boy:

One thing I just noticed is that you have the following command:

no sysopt connection permit-ipsec

Although I don't think this will fix your issue, I would enable this by typing:

sysopt connection permit-ipsec

This causes the firewall to exempt VPN-protected traffic from the interface ACLs, which assumes that you trust anyone that you give VPN access to.

From the ASA CLI, can you ping any devices on the internal network that you can't when you're in a VPN session?
mjeds (asker):

From the ASDM (no console serial connection; no one knows where it is at, got to love cleaning up other people's messes) I can ping all internal computers, and VPN sessions with 192.168.10.XXX IP addresses.

Sending 5, 100-byte ICMP Echos to 192.168.10.202, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 
Sending 5, 100-byte ICMP Echos to 192.168.10.236, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
batry_boy:

OK, one last test before I say that it is definitely something with those SRW2024 switches...

Set up a capture on the ASA assuming the following values (substitute your real values):

10.1.1.1 = inside host you are trying to ping from a VPN session
192.168.10.1 = VPN client IP address you are pinging from

access-list traffic permit ip host 10.1.1.1 host 192.168.10.1
capture traffic_cap access-list traffic interface inside

Then, try to ping 10.1.1.1 from 192.168.10.1.  After your ping attempts, issue the following command and post the output:

show capture traffic_cap

If you don't see any echo-reply traffic then the problem is definitely not the ASA, but something on the internal network, most likely the switches since that is the one thing you have been able to change out and get it to work...
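The test above boils down to one comparison: for a given client and inside host, do echo replies show up on the inside interface at all? As an added example, not from this thread or from Cisco, the following Python helper reads `show capture` output in the format the ASA prints, counts echo requests against echo replies per client/target pair, and states the verdict batry_boy describes. The sample capture text is constructed with made-up RFC 1918 addresses, the empty "0 packets captured" case is handled, and the verdict strings are this example's own.

```python
import re

# Constructed sample in the format of the ASA "show capture <name>" output,
# with made-up RFC 1918 addresses: one target answers, the other does not.
SAMPLE_CAPTURE = """\
Result of the command: "show capture traffic_cap"

6 packets captured
   1: 12:02:11.252428 192.168.10.155 > 192.168.10.202: icmp: echo request
   2: 12:02:11.252900 192.168.10.202 > 192.168.10.155: icmp: echo reply
   3: 12:02:12.272706 192.168.10.155 > 192.168.10.202: icmp: echo request
   4: 12:02:12.273100 192.168.10.202 > 192.168.10.155: icmp: echo reply
   5: 12:02:13.273377 192.168.10.155 > 192.168.10.250: icmp: echo request
   6: 12:02:14.276322 192.168.10.155 > 192.168.10.250: icmp: echo request
6 packets shown
"""

# One capture line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def parse_capture(text):
    """Yield (src, dst, kind) for each ICMP echo line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("kind")


def summarize_echo(text):
    """Per (client, target) pair, count requests sent and replies received."""
    pairs = {}
    for src, dst, kind in parse_capture(text):
        if kind == "request":
            key, field = (src, dst), "requests"   # client -> target
        else:
            key, field = (dst, src), "replies"    # target -> client, same pair
        pairs.setdefault(key, {"requests": 0, "replies": 0})[field] += 1
    return pairs


def diagnose_capture(text):
    """Per pair, say whether replies are reaching the interface being captured."""
    verdicts = {}
    for pair, s in summarize_echo(text).items():
        if s["replies"] > 0:
            verdicts[pair] = "replies reach this interface; look downstream toward the client"
        else:
            verdicts[pair] = "requests seen, no replies; the target or the path back to this interface is not answering"
    return verdicts


if __name__ == "__main__":
    for (client, target), verdict in diagnose_capture(SAMPLE_CAPTURE).items():
        print(f"{client} -> {target}: {verdict}")
```

Run it on the inside-interface capture: an empty result means the capture ACL never matched (wrong addresses or direction), replies present mean the inside host is answering and the ASA is seeing it, and requests without replies put the fault on the inside network rather than the VPN.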
mjeds (asker):

ping from the ASA or from CMD?

using Windows CMD
if I ping 10.10.10.15 (VPN Addy) from 192.168.10.41 (my internal ip) I get a reply

if I ping 192.168.10.41 from 10.10.10.15 (the VPN connection)  I get no reply


Using ASA:

ping 10.10.10.15 from ASA

Sending 5, 100-byte ICMP Echos to 10.10.10.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/114/140 ms

ping 192.168.10.41 from ASA:

Sending 5, 100-byte ICMP Echos to 192.168.10.41, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

batry_boy:

Ping from CMD on the VPN client PC.

I can't tell if this is what you did, but I meant to establish a VPN session from a Windows machine on the outside of the network, and whatever IP address you receive from the ASA on this VPN client, that becomes the 192.168.10.1 address from my example above.  Then try to ping an inside server or some other IP address you're having trouble pinging from a VPN session (this is the 10.1.1.1 address from my example).  Does that make sense?
mjeds (asker):

I can not ping anything from the VPN connected client EXCEPT the ASA device.

VPN connected client IP = 10.10.10.15

I can ping 192.168.10.1 = ASA device internal IP

I can not ping anything else behind it.

batry_boy:

Did you enter the capture commands above? This will be used to show if the return packets are making it back to the ASA or not...
mjeds (asker):

Result of the command: "show capture traffic_cap"

0 packet captured
0 packet shown

mjeds (asker):

Sorry, ignore the above.


Result of the command: "show capture traffic_cap"

4 packets captured
   1: 12:02:11.252428 192.168.10.202 > 192.168.10.155: icmp: echo reply
   2: 12:02:12.272706 192.168.10.202 > 192.168.10.155: icmp: echo reply
   3: 12:02:13.273377 192.168.10.202 > 192.168.10.155: icmp: echo reply
   4: 12:02:14.276322 192.168.10.202 > 192.168.10.155: icmp: echo reply
4 packets shown

mjeds (asker):

OK, an update:

The default setting in the VPN client computers is to connect to the VPN via IPSec over UDP (NAT/PAT).

I changed that to IPSec over TCP with a defined TCP port,

and also checked off the box for ALLOW LOCAL LAN ACCESS.

Now I can get to internal network resources via IP address, not DNS name, in which case I suspect I need to add a PTR record in the internal DNS server for the static IP I assigned to the VPN client.

mjeds (asker):

Yep, seems like I can get to everything now, but only via IP address, and now I have an error on the ASA:

The Cisco ASDM did not recognize some commands while parsing the running configuration of your device. ASDM does not support the complete device command set. Command(s) which appear below will be ignored. They will not be removed or changed in the running device configuration.

dns-guard
batry_boy:

Yeah, that's the problem with the ASDM or PDM for the PIX...for whatever reason, Cisco didn't include support for the entire command set...don't worry about it...
mjeds (asker):

Yeah, but the problem now is that the VPN clients can only get to network resources via IP address.

Before, they could get to anything by DNS name, and I named things so that they could remember them easily enough...

batry_boy:

What DNS server IP address are you pushing to the clients? The posted config above doesn't show that you are pushing out any DNS server IP addresses so the VPN clients can perform name resolution.
mjeds (asker):

Oops...

When I made a new group policy for the VPN users I forgot that.

All working again.

Thanks for your help. Awarding points for the assistance.

Marc-
batry_boy:

Good deal...glad you got it resolved!
mjeds (asker):

Not the entire solution, but Batry Boy's suggestions led me in the correct direction to resolve the issue.

Thanks again.