Cisco VPN Troubles Software to Concentrator

Posted on 2005-03-08
Medium Priority
Last Modified: 2010-04-17
Our company has been using a Cisco VPN Concentator for quite a while and really like how well it works and the improvment of the traffic speeds through the device, but as we are using it more, we are running into issues.  Our laptop users are required to build a tunnel before they are capable of surfing the web or really doing anything, as we route their DNS through our internal DNS server.  This is so we can control what they are doing and push updates down to them through SMS or other utilities.  
The problem we are having is that in some places they can not connect through the VPN.  We have against LDAP to Windows 2003 AD before they connect.  When they are in one of these locations, they recieved the login prompt, they type their username and password, then it show them connected.  The problem is it never passes traffic.  
I have taken some very detailed logs and the logs show absolutly no problems.  All phases pass right and keys are excahanged.  Everything happens as normal.  It just will not pass traffic.  I was thinking that maybe it is becouse these places block IPSEC in their gateway, but I need to make sure becouse this is happenning in many places including airports and hotels.  
I have been able to personally visit one of these places and test the VPN.  Interesting enough, the airports uses the exact same private subnet range that we do, so the client is sitting on for his VPN IP address and the WLAN Ip address from the airport is  I don't know if the machine gets confused on to where to route traffic at that point or what, but we need to try to come up wit something.
Question by:GreatWhiteOne
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 13487650
If the clients are setup to use split-tunneling then there could be a problem with the computer thinking that the VPN interface/gateway is on their local network. Make sure that the option for split-tunneling is disabled on the client.

Author Comment

ID: 13489643
That was part of the idea I had, but when it comes to the Easy VPN Client, I do not believe there is a way to diable the split tunnel on the client side.  It is on there concentrator side and the clients are pulling their configurations from there.  Can anyone address this?

Daniel Wier
LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 13494658
Have you enabled nat-transparency? And UDP?
If they are in a location behind a NAT device, both that NAT device and your concentrator need to support nat-transparency.

Be sure to enable Nat-T

Expert Comment

ID: 13500182
Set up another client group using a different ip pool.

Not a pretty solution, but when a user tries the first and the packets can't get thru the tunnel, they will know to try the second group, get a different address, and see what happens.

At least you'll know whether the problem is related to the IP address given out by the concentrator.

2 cents, anyway

Author Comment

ID: 13567068
I went back in and sure enough I missed the Nat-T setup.  I don't know how, but I did.  Oh well, I will give you the points for it.  Thanks for making me check my config.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a guide to configure bridging on Cisco Routers.  This is something I never knew was possible until after making a few phone calls to Cisco.  Using bridging saved our company money by not requiring us to purchase a new switch.  Bridgi…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question