Solved

Cisco vpn clients over adsl can't gain access to LAN...

Posted on 2004-10-04
2,016 Views
Last Modified: 2010-04-12
Hi Experts!

I have a really strange problem going on at the moment... I have a Cisco 1751 router set up for ADSL internet access/VPN server. Road warriors access email etc. using the Cisco VPN client on their home PCs/laptops. When using a 56k analogue modem to access the company LAN the VPN clients work fine. But anyone who has ADSL at home can't get in via the client. Nothing happens... the client just times out after a while. Any ideas what might be causing this?? I know Cisco IOS but I'm still getting my head around the VPNs at the moment. Getting there bit by bit... Need to get this one sorted so it's worth 500 points.

Could it be a NAT issue? What do you think, guys?

Many thanks in advance. :)
Question by:needsy
7 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12222455
If they use the client, there is a SetMTU utility that comes with it. Use that utility to set the MTU to 1300.
DSL (PPPoE) has an extra 8-byte overhead that can cause packet fragmentation. That breaks the IPsec.

What OS are they using? What version Client?
If XP, have they installed SP2?
0
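The MTU point lrmoore makes can be checked with a small calculator. This is an added example, not code from the thread or from Cisco: the PPPoE, IP, UDP and ESP header sizes are the protocol constants, while the cipher block and ICV sizes are parameters whose defaults assume 3DES-CBC with a 96-bit HMAC (an assumption about the client's transform set, not something the thread states). It reports how large an inner packet gets once it is wrapped in ESP tunnel mode, NAT-T UDP and PPPoE, and the largest inner packet that still fits a 1500-byte link.

```python
# Added example (not from the thread): how much of a link's MTU survives
# PPPoE + IPsec ESP tunnel mode + NAT-T encapsulation, and whether an inner
# packet of a given size will be fragmented. Header sizes are the protocol
# constants; cipher block and ICV length are parameters because they vary.

PPPOE_PPP_OVERHEAD = 8     # 6-byte PPPoE header + 2-byte PPP protocol field
OUTER_IPV4_HEADER = 20     # new IP header added by ESP tunnel mode
NAT_T_UDP_HEADER = 8       # UDP/4500 encapsulation when NAT-T is in use
ESP_SPI_AND_SEQ = 8        # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2            # pad length (1) + next header (1)


def fixed_overhead(pppoe=True, nat_t=True, cipher_block=8, icv_len=12):
    """Encapsulation bytes that do not depend on the inner packet size.

    cipher_block is the CBC block/IV size (8 for DES/3DES, 16 for AES);
    icv_len is the truncated HMAC length (12 for HMAC-MD5-96 / HMAC-SHA1-96).
    """
    total = OUTER_IPV4_HEADER + ESP_SPI_AND_SEQ + cipher_block + ESP_TRAILER + icv_len
    if pppoe:
        total += PPPOE_PPP_OVERHEAD
    if nat_t:
        total += NAT_T_UDP_HEADER
    return total


def esp_padding(inner_len, cipher_block=8):
    """CBC padding so that (inner packet + ESP trailer) fills whole blocks."""
    return (-(inner_len + ESP_TRAILER)) % cipher_block


def encapsulated_size(inner_len, pppoe=True, nat_t=True, cipher_block=8, icv_len=12):
    """On-the-wire size of an inner packet after all encapsulation layers."""
    return (inner_len + esp_padding(inner_len, cipher_block)
            + fixed_overhead(pppoe, nat_t, cipher_block, icv_len))


def fragments(inner_len, link_mtu=1500, **kw):
    """True if an inner packet of inner_len bytes cannot fit in one link frame."""
    return encapsulated_size(inner_len, **kw) > link_mtu


def max_inner_packet(link_mtu=1500, **kw):
    """Largest inner packet that still fits one frame: the MTU to give the client."""
    for inner_len in range(link_mtu, 0, -1):
        if not fragments(inner_len, link_mtu, **kw):
            return inner_len
    return 0


if __name__ == "__main__":
    # Scenario from the thread: 1500-byte Ethernet, ADSL over PPPoE, client behind NAT.
    for mtu in (1500, 1300):
        print(f"client MTU {mtu}: {encapsulated_size(mtu)} bytes on the wire,",
              "fragments" if fragments(mtu) else "fits")
    print("largest non-fragmenting inner packet:", max_inner_packet())
```

With these defaults a 1500-byte inner packet grows to 1568 bytes and is fragmented, while 1300 leaves comfortable headroom; the calculator addresses the data-path fragmentation lrmoore describes, which is separate from whether the IKE handshake itself completes.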
 
LVL 1

Author Comment

by:needsy
ID: 12236076
Tried changing the client MTU to 576, 1300 and 1500 with the same result.. :(
The machine I'm testing it on is: Win2000 SP4, client version 4.0.3(C)

Here is a debug from the client. (Thought it might help?)

Cisco Systems VPN Client Version 4.0.3 (C)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

223    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100002
Begin connection process

224    10:51:41.201  10/06/04  Sev=Info/4      CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

225    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

226    10:51:41.201  10/06/04  Sev=Info/4      CM/0x63100024
Attempt connection with server "195.72.177.186"

227    10:51:41.202  10/06/04  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.xxx

228    10:51:41.202  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

229    10:51:41.202  10/06/04  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

230    10:51:41.266  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

231    10:51:41.918  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

232    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xxx.xxx.xxx.xxx

233    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

234    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports DPD

235    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

236    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

237    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

238    10:51:41.926  10/06/04  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

239    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to xxx.xxx.xxx.xxx

240    10:51:41.926  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

241    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

242    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000071
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

243    10:51:41.926  10/06/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

244    10:51:51.924  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

245    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

246    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

247    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to xxx.xxx.xxx.xxx

248    10:51:51.233  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

249    10:51:05.918  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

250    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

251    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

252    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to xxx.xxx.xxx.xxx

253    10:56:04.928  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

254    10:55:24.966  10/06/04  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = xxx.xxx.xxx.xxx

255    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

256    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

257    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to xxx.xxx.xxx.xxx

258    10:56:19.132  10/06/04  Sev=Info/6      IKE/0x63000054
Sent a keepalive on the IPSec SA

259    10:56:28.686  10/06/04  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up

260    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

261    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=3F67DC32A4ADF6E2 R_Cookie=A6BB3CCF301F9EAF) reason = DEL_REASON_RESET_SADB

262    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to xxx.xxx.xxx.xxx

263    10:56:28.686  10/06/04  Sev=Info/4      IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=3F67DC32A4ADF6E2 R_Cookie=A6BB3CCF301F9EAF) reason = DEL_REASON_RESET_SADB

264    10:56:28.686  10/06/04  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

265    10:55:18.627  10/06/04  Sev=Info/4      IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

266    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

267    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

268    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

269    10:54:10.567  10/06/04  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

Any ideas?? Thanks....

0
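The log above carries the facts a NAT-traversal diagnosis needs: the NAT-D result, the IKE ports in use (0x1194 is UDP 4500, the NAT-T port), the repeated aggressive-mode retransmissions from the peer, and the final abort before Phase 1 is up. The following parser is an added example, not code from the thread or from Cisco; it reads the Cisco VPN Client 4.x log format shown above (SAMPLE_LOG is a trimmed copy of the posted entries) and summarises those facts so the pattern can be spotted quickly in other client logs.

```python
# Added example (not part of the thread): parse the Cisco VPN Client 4.x log
# format shown in the question and summarise what matters for a NAT-T diagnosis.
import re
from dataclasses import dataclass

# Header line: "<seq>  HH:MM:SS.mmm  MM/DD/YY  Sev=Level/N  COMPONENT/0xCODE"
HEADER_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>\w+/\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
NAT_T_UDP_PORT = 4500  # IKE floats from UDP/500 to UDP/4500 once NAT is detected

# Trimmed copy of the poster's log (addresses already masked in the original).
SAMPLE_LOG = """
228    10:51:41.202  10/06/04  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to xxx.xxx.xxx.xxx

232    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from xxx.xxx.xxx.xxx

241    10:51:41.926  10/06/04  Sev=Info/4      IKE/0x63000082
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

242    10:51:41.926  10/06/04  Sev=Info/5      IKE/0x63000071
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

243    10:51:41.926  10/06/04  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

245    10:51:51.924  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

250    10:56:04.928  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

255    10:55:24.966  10/06/04  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from xxx.xxx.xxx.xxx

259    10:56:28.686  10/06/04  Sev=Info/4      CM/0x63100006
Abort connection attempt before Phase 1 SA up
"""


@dataclass
class Event:
    seq: int
    time: str
    component: str
    code: str
    message: str


def parse_client_log(text):
    """Each entry is a header line followed by one or more message lines."""
    events, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue  # banner lines such as "Cisco Systems VPN Client Version ..."
        body = []
        while i < len(lines) and lines[i].strip() and not HEADER_RE.match(lines[i]):
            body.append(lines[i].strip())
            i += 1
        events.append(Event(int(m["seq"]), m["time"], m["comp"], m["code"], " ".join(body)))
    return events


def summarise(events):
    """Pull out the NAT-T relevant facts from the parsed entries."""
    s = {"local_behind_nat": None, "remote_behind_nat": None, "ike_ports": None,
         "phase1_established": False, "peer_retransmissions": 0, "aborted_before_phase1": False}
    for ev in events:
        msg = ev.message
        if "Automatic NAT Detection Status" in msg:
            s["remote_behind_nat"] = re.search(r"Remote end (IS|is NOT) behind", msg).group(1) == "IS"
            s["local_behind_nat"] = re.search(r"This\s+end (IS|is NOT) behind", msg).group(1) == "IS"
        m = re.search(r"Local Port =\s*(0x[0-9A-Fa-f]+), Remote Port =\s*(0x[0-9A-Fa-f]+)", msg)
        if m:
            s["ike_ports"] = (int(m.group(1), 16), int(m.group(2), 16))
        if "Established Phase 1 SA" in msg:
            s["phase1_established"] = True
        if "RECEIVING <<<" in msg and "(Retransmission)" in msg:
            s["peer_retransmissions"] += 1
        if "Abort connection attempt before Phase 1 SA up" in msg:
            s["aborted_before_phase1"] = True
    return s


def diagnose(summary):
    """Turn the summary into findings a network admin can act on."""
    findings = []
    if summary["local_behind_nat"] and summary["ike_ports"] == (NAT_T_UDP_PORT, NAT_T_UDP_PORT):
        findings.append("client is behind NAT and has floated IKE to UDP/4500 (NAT-T): "
                        "UDP/4500 must be permitted end to end and the headend must accept NAT-T")
    if summary["peer_retransmissions"] >= 2 and summary["aborted_before_phase1"]:
        findings.append("peer keeps resending its last aggressive-mode message until the client "
                        "gives up: the client's reply is not reaching the peer, or the peer's "
                        "answer is not making it back through the NAT")
    return findings


if __name__ == "__main__":
    summary = summarise(parse_client_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key:>22}: {value}")
    for finding in diagnose(summary):
        print("-", finding)
```

Run against the posted log this reports the client behind NAT, both IKE ports at 4500, a Phase 1 SA briefly established, three peer retransmissions and an abort, which is the combination that points at UDP/4500 handling between the ADSL NAT and the headend rather than at the dial-up path.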
 
LVL 5

Expert Comment

by:netspec01
ID: 12237659
Look at the ADSL end. Make sure any routers that are deployed have been set to allow "IPsec pass-thru". This is the most common problem we have seen with broadband users connecting.

Also check for firmware upgrades on your remote routers/ADSL equipment.
0

 
LVL 23

Expert Comment

by:Tim Holman
ID: 12300709
The difference I can see is that dial-up clients get a real address, whereas ADSL clients are often behind NAT.
Enable NAT-T on both client and server, and you should be all set.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12346802
Any progress? Do you need more information?

0
 
LVL 1

Author Comment

by:needsy
ID: 12356086
Gonna try enabling NAT-T but not quite sure how to do that. Can you help?

Thanks....
 
0
 
LVL 23

Accepted Solution

by:Tim Holman (earned 500 total points)
ID: 12368362
Config example here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

You will need to enable IKE over TCP/UDP on the VPN Client as well.
0
