Solved

Cisco VPN Troubles Software to Concentrator

Posted on 2005-03-08
Medium Priority
213 Views
Last Modified: 2010-04-17
Our company has been using a Cisco VPN Concentrator for quite a while and really like how well it works and the improvement of the traffic speeds through the device, but as we are using it more, we are running into issues.  Our laptop users are required to build a tunnel before they are capable of surfing the web or really doing anything, as we route their DNS through our internal DNS server.  This is so we can control what they are doing and push updates down to them through SMS or other utilities.
The problem we are having is that in some places they cannot connect through the VPN.  We authenticate against LDAP to Windows 2003 AD before they connect.  When they are in one of these locations, they receive the login prompt, they type their username and password, then it shows them connected.  The problem is it never passes traffic.
I have taken some very detailed logs and the logs show absolutely no problems.  All phases pass right and keys are exchanged.  Everything happens as normal.  It just will not pass traffic.  I was thinking that maybe it is because these places block IPSEC in their gateway, but I need to make sure because this is happening in many places including airports and hotels.
I have been able to personally visit one of these places and test the VPN.  Interestingly enough, the airport uses the exact same private subnet range that we do, so the client is sitting on 172.16.8.3/24 for his VPN IP address and the WLAN IP address from the airport is 172.16.25.233/16.  I don't know if the machine gets confused on where to route traffic at that point or what, but we need to try to come up with something.
Question by:GreatWhiteOne
5 Comments

Expert Comment by Ivie (LVL 3), ID: 13487650
If the clients are setup to use split-tunneling then there could be a problem with the computer thinking that the VPN interface/gateway is on their local network. Make sure that the option for split-tunneling is disabled on the client.
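The overlap the question describes (VPN address 172.16.8.3/24, airport WLAN 172.16.25.233/16) and the split-tunnel concern in the comment above can be checked with a longest-prefix-match model of the laptop's routing table. This is an added example, not code from the thread or from Cisco: the two addresses are the ones the poster quotes, while the concentrator address 203.0.113.10 and the protected corporate network 172.16.0.0/16 are assumptions chosen for illustration, and metrics and the client's own local-LAN filtering are ignored.

```python
"""Longest-prefix-match model of the VPN pool / local WLAN overlap.

Added example, not code from the thread. VPN 172.16.8.3/24 and WLAN
172.16.25.233/16 come from the question; the concentrator address
203.0.113.10 and the protected network are assumptions for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network


def pools_overlap(vpn_pool, local_net):
    """True when the concentrator's address pool sits inside (or across)
    the network the laptop is physically attached to."""
    return ip_network(vpn_pool, strict=False).overlaps(
        ip_network(local_net, strict=False))


def build_routes(vpn_addr, wlan_addr, split_tunnel, protected_nets=(),
                 concentrator="203.0.113.10"):
    """Simplified host routing table after the tunnel comes up.

    Returns (network, interface) pairs. Metrics are ignored; only the
    prefix length decides, which is enough to show where the overlap bites.
    """
    wlan_if = ip_interface(wlan_addr)
    vpn_if = ip_interface(vpn_addr)
    routes = [
        (wlan_if.network, "wlan"),                   # connected: airport WLAN
        (vpn_if.network, "vpn"),                     # connected: VPN pool
        (ip_network(concentrator + "/32"), "wlan"),  # IKE/ESP leaves via the WLAN
    ]
    if split_tunnel:
        routes.append((ip_network("0.0.0.0/0"), "wlan"))  # Internet stays local
        routes += [(ip_network(n), "vpn") for n in protected_nets]
    else:
        routes.append((ip_network("0.0.0.0/0"), "vpn"))   # tunnel everything
    return routes


def route_lookup(dst, routes):
    """Interfaces that win longest-prefix match for dst.

    One element is an unambiguous choice. Two elements mean two routes of
    equal length compete and the result depends on metrics the user
    cannot see from the VPN client dialog.
    """
    dst = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if dst in net]
    if not matches:
        return []
    best = max(prefix for prefix, _ in matches)
    return sorted({iface for prefix, iface in matches if prefix == best})


if __name__ == "__main__":
    print("pool overlaps WLAN:", pools_overlap("172.16.8.0/24", "172.16.0.0/16"))
    full = build_routes("172.16.8.3/24", "172.16.25.233/16", split_tunnel=False)
    split = build_routes("172.16.8.3/24", "172.16.25.233/16", split_tunnel=True,
                         protected_nets=("172.16.0.0/16",))
    for dst in ("172.16.1.5", "172.16.8.10", "8.8.8.8"):
        print(dst, "tunnel-all ->", route_lookup(dst, full),
              "split ->", route_lookup(dst, split))
```

The instructive case is a corporate host such as 172.16.1.5: with tunnel-all configured, the airport's connected /16 is still more specific than the default route through the tunnel, so the laptop hands that traffic to the airport LAN even though the client reports connected; with split tunnelling and a protected 172.16.0.0/16, the two routes tie and the outcome is whatever the metrics happen to be. Only destinations inside the /24 pool itself reliably win for the tunnel.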

Author Comment by GreatWhiteOne (LVL 1), ID: 13489643
That was part of the idea I had, but when it comes to the Easy VPN Client, I do not believe there is a way to disable the split tunnel on the client side.  It is on the concentrator side and the clients are pulling their configurations from there.  Can anyone address this?

Thanks,
Daniel Wier

Accepted Solution by lrmoore (LVL 79), earned 2000 total points, ID: 13494658
Have you enabled nat-transparency? And UDP?
If they are in a location behind a NAT device, both that NAT device and your concentrator need to support nat-transparency.

Be sure to enable Nat-T
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce2c.html#1029463

Expert Comment by minmei (LVL 7), ID: 13500182
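The accepted answer's point about NAT transparency can be shown with a small model of why native ESP stops at a port-translating hotel or airport gateway while UDP-encapsulated ESP (NAT-T, RFC 3948, UDP port 4500) gets through. This is an added example, not code from the thread or from Cisco: the gateway is modelled as a plain PAT that rewrites only UDP/TCP ports and has no ESP pass-through, which is an assumption about the remote device rather than a fact from the post, and the addresses 198.51.100.1 and 203.0.113.10 are documentation ranges chosen for illustration.

```python
"""Why bare ESP dies at a port-translating gateway and NAT-T survives it.

Added example, not code from the thread or from Cisco. The PAT model
(UDP/TCP ports only, no ESP pass-through) is an assumption about the
hotel/airport gateway; 198.51.100.1 and 203.0.113.10 are illustrative.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PROTO_ESP = 50
PROTO_UDP = 17
NAT_T_PORT = 4500                      # IKE and UDP-encapsulated ESP share it
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on 4500; SPI 0 is reserved


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    payload: bytes
    sport: Optional[int] = None   # None for protocols without L4 ports (ESP)
    dport: Optional[int] = None


def esp_header(spi: int, seq: int) -> bytes:
    """ESP starts with a 32-bit SPI and a 32-bit sequence number."""
    return struct.pack("!II", spi, seq)


def esp_packet(src, dst, spi, seq, body=b""):
    """Native ESP: IP protocol 50, no ports at all."""
    return Packet(PROTO_ESP, src, dst, esp_header(spi, seq) + body)


def nat_t_esp_packet(src, dst, spi, seq, body=b""):
    """UDP-encapsulated ESP: the ESP header follows the UDP header directly."""
    return Packet(PROTO_UDP, src, dst, esp_header(spi, seq) + body,
                  NAT_T_PORT, NAT_T_PORT)


def nat_t_ike_packet(src, dst, ike_message):
    """IKE on 4500 carries four zero bytes first so the receiver can tell
    it from ESP, whose SPI is never 0."""
    return Packet(PROTO_UDP, src, dst, NON_ESP_MARKER + ike_message,
                  NAT_T_PORT, NAT_T_PORT)


def classify_port_4500(payload: bytes) -> str:
    """How the concentrator demultiplexes a datagram arriving on UDP/4500."""
    if len(payload) < 4:
        return "runt"
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


class PortNat:
    """Minimal PAT: many private hosts share one public address, keyed on
    (protocol, source port). Returns None for anything it cannot map."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # (proto, private_ip, private_port) -> public_port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            # ESP has no port field; without dedicated ESP pass-through the
            # gateway has nothing to key the flow on and drops it.
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, pkt.payload,
                      self.table[key], pkt.dport)


if __name__ == "__main__":
    nat = PortNat("198.51.100.1")
    bare = esp_packet("172.16.25.233", "203.0.113.10", 0x1234, 1, b"data")
    wrapped = nat_t_esp_packet("172.16.25.233", "203.0.113.10", 0x1234, 1, b"data")
    print("bare ESP through PAT:", nat.outbound(bare))
    out = nat.outbound(wrapped)
    print("NAT-T ESP through PAT:", out.src, out.sport, "->", out.dst, out.dport,
          classify_port_4500(out.payload))
```

The symptom in the question (IKE completes, the client shows connected, nothing passes) matches this model: IKE is UDP and is translated fine, but the ESP that follows has no ports for the gateway to rewrite. With NAT-T enabled on both ends the data packets ride inside UDP/4500 and are translated exactly like the IKE exchange was.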
Set up another client group using a different ip pool.

Not a pretty solution, but when a user tries the first and the packets can't get through the tunnel, they will know to try the second group, get a different address, and see what happens.

At least you'll know whether the problem is related to the IP address given out by the concentrator.

2 cents, anyway

Author Comment by GreatWhiteOne (LVL 1), ID: 13567068
I went back in and sure enough I missed the Nat-T setup.  I don't know how, but I did.  Oh well, I will give you the points for it.  Thanks for making me check my config.