Question

Cisco VPN Client Connection Problem

Asked by: SuperiorCabinets

I have a Cisco PIX 515E and I am connecting to it with Cisco VPN Client 4.8 from one of my sites. The VPN Connection get established, howver i cannot ping any IP Address within the network. This only seems to be a problem with the one connection as I can connect and ping perfectly from my laptop. The site has other Cisco VPN Connections to connect to other locations that are working perfectly, but mine is the only site they are having trouble connecting to. What could possibly cause this connection issue?

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2007-12-13 at 09:38:36ID23021573
Tags

cisco

,

vpn

,

client

Topics

IPSec Security Protocol

,

Cisco PIX Firewall

,

Virtual Private Networking (VPN)

Participating Experts
4
Points
250
Comments
20

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Cisco PIX 515 VPN and internet access
    I have a cisco pix 515 connected to both the inside/outside networks and have established internet browsing as well as vpn pptp dialin. The vpn assigns an ip from my local pool, but i still cannot ping clients or servers on the inside network... Beyond the resources inside,...
  2. Setup VPN connection between PIX 506e and Cisco VPN …
    Hi, I am trying to establish a VPN connection between PIX 506e and Cisco Client 4.01 I have had little luck with various results. I ocasionally get connected but when I do the PIX stops responding to internet requests. Other times I simply cannot get connected. I used th...
  3. Establishing VPN connection between Cisco PIX 501s
    Is it possible to setup a VPN connection between two locations using two Cisco PIX 501s?
  4. Establishing a VPN Connection with Cisco Systems VPN Cli…
    Users connecting to our network over cisco vpn who try establishing a TS session receive the following error "The specified remote computer could not be found. Verify that you have typed the correct computername or ip address, and then try connecting again. The VPN Cli...
  5. Able to ping PIX VPN real IP
    I configured a PIX 506e for VPN. Users are connecting thru Cisco VPN client. The configuration is ok, however I can ping the real IP on which the VPN is established. Is this normal? If not, how to prevent this?
  6. Cannot telnet or ping Pix after establishing VPN
    I have a vpn connection set up on a Pix and am able to connect just fine; however, once I am connected to the VPN, I cannot ping or telnet into the pix from a command prompt without having to remote desktop into a computer on my network. Any ideas?

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: mark-waPosted on 2007-12-13 at 10:07:26ID: 20466159

For this VPN Group, do you have a DNS entry and WINS entry in the config?

for Example:

vpngroup vpn3000 dns-server 192.168.0.1
vpngroup vpn3000 wins-server 192.168.0.1

I had this exact same problem and I added these entries (with the correct group name and ip for the dns and wins servers of course) and then I could ping

If this is not your issue, remove and re-enter your config for this vpngroup.

Mark

 

by: SuperiorCabinetsPosted on 2007-12-13 at 10:49:21ID: 20466507

I don't DNS or WINS entries because the client is only accessing by IP Address. The thing is that this is the only site that cannot ping the IP Addresses when the VPN Connection is established, all other connections work correctly.

 

by: mark-waPosted on 2007-12-13 at 11:30:42ID: 20466838

when you talk about "connections", do you have a seperate vpngroup setup for each client or does each client use the same vpngroup?  To further elaborate, if you go into the Cisco VPN Client, click your connection and click Modify, does each "connection" use the same vpngroup name and password to connect?  Or does each have their own vpngroup name and password?

 

by: SuperiorCabinetsPosted on 2007-12-13 at 11:35:18ID: 20466889

I am using one vpngroup for this site and I do get "connected". I noticed on my PIX that when they attempt to ping an internal IP, I see that I receive 4 encrypted packets, but I do not see any decrypted packets. Could encryption be an issue?

 

by: mark-waPosted on 2007-12-13 at 11:40:31ID: 20466939

Do you have "enable transparent tunneling" checked?  If so, what option below that are your using?

 

by: mark-waPosted on 2007-12-13 at 11:43:06ID: 20466960

also, I do realize that your get connected, but I am trying to verify if you use the same vpngroup and password for all of your sites.  This is important because connecting environments can be different, therefore they may need a little "tweaking" to get working.

So, you do have ICMP packets enabled on your PIX?  You are able to get ping replies on your other client connections?

 

by: SuperiorCabinetsPosted on 2007-12-13 at 11:50:06ID: 20467024

I do receive ping replies from my test machine when I connect using the same vpngroup that the remote site is using. My test machine is behind a linksys router. I don't have the "enable transparent tunneling" checked. I am thinking it could be a setting on the remote site's firewall, but I don't have access to that firewall to verify the firewall config, but the remote site is telling me that they connect to other PIX firewalls without issue using the same pc as they are using now.

 

by: neoponderPosted on 2007-12-13 at 12:30:20ID: 20467344

Let me get this striaght,
you have 2 vpn clients/PC's both using the cisco VPN client and connecting to a PIX you do not control.

One can ping, one cannot.  
On client is behind a linksys, one is not.

have you tried putting your laptop behind the linkssys to see if it pings?
Are both Cisco clients set to use the same authentication group?  
If not it sounds like they have two different groups and one is ont configured properly.


After you connect to to the cisco client and look under Status, Statistics.  

See if the routes are the same and the other settings on both clients.   I
Keep in mind that even if the are identical they could have a filter applied to ICMP at the end based on the client source address.

 

by: SuperiorCabinetsPosted on 2007-12-13 at 12:46:15ID: 20467509

Here is the situation,

I have a remote site and a local test site (my laptop). The test site is behind a linksys router and the remote site, I believe, is behind a Cisco Firewall. I do have control over the PIX at my end, which is what the VPN clients are connecting to, but I do not have control over the firewall at the remote site. I can ping anywhere in my internal network from the local test site through the VPN, but I cannot from the remote site, even though the VPN connection is being established. Both the local test site and the remote site are using the same vpngroup and and configured the same way.

I just received the route print and ipconfig info from the remote site and it looks like all the routes from the VPN are being set correctly, but still no connectivity. The remote site cannot ping my internal address or even access a web page inside the network.

 

by: SuperiorCabinetsPosted on 2007-12-13 at 12:47:26ID: 20467512

Note: Both clients are using the same configuration group.

 

by: neoponderPosted on 2007-12-13 at 13:13:13ID: 20467745

If both clients are configured the same way, I would have to state the obvious and say it is the pix on the far end, somehow blocking traffic.

It could be an MTU issue, however.   You might try setting the MTU size down using the cisco MTU sizer, and see if that works.

 

by: mark-waPosted on 2007-12-13 at 13:59:26ID: 20468105

something doesn't sound quite right...  I still don't have a completely clear picture of what's happening...

You are on a LAN behind a PIx.  The remote site is on their own LAN behind a different PIX.  You are trying to use Cisco VPN client from a pc within your LAN to connect to their PIX and gain access to their LAN.  And they are using Cisco VPN client to connect to your PIX and gain access to your LAN.  Is any of that correct?

Mark

 

by: SuperiorCabinetsPosted on 2007-12-13 at 14:28:57ID: 20468302

I am on a LAN behind a pix, but my local test site is behind a linksys router in another location. I'm not sure if the Remote site has a PIX, ASA, or just a router, I don't have any control over their hardware, but the site is telling me that there is nothing wrong on their end because they have similar connections working with other sites using the Cisco VPN Client from the same PC on their LAN. The remote site is using the Cisco VPN Client to connect to my LAN. The connection is only one way. They need access to my LAN, but I am not connecting to theirs at all.

 

by: mark-waPosted on 2007-12-13 at 14:36:33ID: 20468348

Perfect!  I get it!  Finally, right : )

Ok, could you please paste your PIX config here for us to see?  You'll probably want to muck it up a bit with the real ip addresses and such...  Thanks.

Mark

 

by: batry_boyPosted on 2007-12-13 at 16:26:54ID: 20468911

Do you have the command:

isakmp nat-traversal

in your PIX configuration?  If not, add it and see if that helps...

 

by: SuperiorCabinetsPosted on 2007-12-14 at 08:02:26ID: 20472347

I added the command:
isakmp nat-traversal
and it works perfectly.

Thanks

 

by: wsfancherPosted on 2008-01-28 at 13:44:59ID: 20763204

I have a similar problem.  I am a real neophite when it comes to CISCO as I inherited this setup.  I do know how to access the GUI to the firewall and have checked to be certain tunnelling is enabled and dns is also split enabled.  Can you assist with a translation of where the items would be in the GUI

 

by: batry_boyPosted on 2008-01-28 at 14:06:36ID: 20763369

What version of PDM/ASDM are you running?  Also, you should really open up a new question for this...

 

by: wsfancherPosted on 2008-01-28 at 15:58:44ID: 20764206

PDM is 2.0

I'm new here too so I'll abandon this and reenter a new question  I just thought that the above was important

 

by: batry_boyPosted on 2008-01-28 at 16:27:58ID: 20764343

The latest version of PDM is version 3.0(4).  The 2.0 version is VERRRRRY buggy...I would update the PIX code to version 6.3(5) and the PDM version to 3.0(4) as soon as you could.  Once you're on that version, post your question about how to do this in the PDM.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...