[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7869
  • Last Modified:

VPN with hard wire works... VPN with wireless does not

Hi Experts!
I just took a new position at work supporting our VPN client. Since I started 3 weeks ago, I have received multiple (more than 10) calls from people who are using VPN to connect to the corporate network but do not have access network resources.
To give you the low down the configuration looks something like this:
Users are connecting via Cisco VPN Client v4.8 running on Windows XP Professional. Each user has a different laptop - all Dell except 1 IBM. All are on thier home networks, which are ALL on COMCAST cable networks, but using different routers (some Linksys, some d-link, you get the picture). The strange thing is, all people are having the same problem. If they try to VPN from home over thier wireless Comcast networks, they connect to the company and get an IP address from the corporate network, but get no connectivity to network resouces. If they VPN using a hard wired connection directly to thier router, they connect with no problem.
The strange thing about this is, if these same users who are experiencing difficulty at home go to an open network (i.e. Starbucks or Panera, or even our company wireless outernet connection) the VPN allows them to connectivity with no problem, with connectivity to network resouces.
Another weird thing about this is, I'm using Comcast Cable and have no problem at all. I use the same company configuration on my laptop and don't have a problem ~ so it's very hard for me to test why this is happening.
I have one of the users working with me to determine why this may be happening ~ she was nice enough to send me a log file along with statistics from the Cisco VPN Client. There were some weird stats ~ for example, when she is using Tunnel All, if I look under Statistics and choose the Tunnel Details tab, there are quite a number of packets encrypted, but no packets decrypted and 29,812 bytes sent, but only 259 bytes received. Moving on to the Route Details tab there should be a list of Secured Routes, yet there are none. Split Tunnel provides different statistics under packet encrypted there are 543, and decrypted 94 ~ bytes received ther are 29,248 and bytes sent is 54,178. The Secured Routes at least has the correct routing table in it.
When I look at the statistics on my system and the VPN connection is working properly, the ratio between packets encrypted/decrypted is very similar, as well as with bytes sent/received.
Has anyone seen this issue? Is there a setting I can change either on the wireless router end or VPN end to allow my users to connect to thier resources when VPN'd over Comcast wireless into the corporate network?
0
chunkyshu
Asked:
chunkyshu
1 Solution
 
pseudocyberCommented:
Have you tried dropping the MTU on the user or their wireless device?  I would try the device first, then the user's machine.  

You can futz with the registry or get Dr. TCP from DSL Reports.  http://www.dslreports.com/drtcp
0
 
chunkyshuAuthor Commented:
I have dropped the MTU's ~ to 1000, to see if that would make a difference.

So I tried another experiment this past Friday. I had ther user at my office who was having problems on her own network, bring her laptop over to my house to see if she could VPN in from my wireless network ~ which I have no problem with.
She *still* had the same issue. Yet, I was sitting next to her and was able to connect and VPN with network resources with no problem. I'm thinking it is a configuration of some sort with the laptops we are using. Maybe it's the wireless card or something along those lines.
Has anyone seen this problem?
0
 
Rob WilliamsCommented:
Very odd....
To confirm;
-users can connect from an Internet café using wireless but not at home
-users can connect wired to their home routers but not wirelessly
-one user at least cannot connect wirelessly from your site but you can

-When the users connect by wire, they are connecting to the router and not the modem directly, right ???
-When reducing the MTU do so on the local router and the PC. also you can run into different problems if you drop it too low. Try 1300 or more, rather than 1000.
-I have seen several cases were users have had problems with wireless and VPN's lately. One suggestion is a conflict between the VPN encryption and the wireless encryption. Can you try as a test, eliminating any wireless encryption, WEP, WPA, etc.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
chunkyshuAuthor Commented:
Hi RobWill...
Yes you have confirmed correctly. Strange huh? And yes, I'll try your test. I have been doing a bunch of google searching lately and I have seen a few posts where people suggest eliminating any wireless encryption. I'll test that and come back with results.
Thanks for the tip... please stay tuned.
-Christie
0
 
Rob WilliamsCommented:
>>"please stay tuned"
Will do, let us know how you make out.
--Rob
0
 
chunkyshuAuthor Commented:
As I didn't have the opportunity to have one of my users test the encryption theory, I did do a little searching around on my own in the logs. I noticed something strange. In the logs that are sent to me that have a connection with no access to resources ~ each log has an entry that says "Virtual Adapter is Disabled" on line 18 ~ then on line 103 it's enabled again. Also the Metric is 25 where as those who connect have a metric of 20. Notice here in the logs:

17     22:22:19.382  05/31/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.116       25
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    192.168.1.0     255.255.255.0     192.168.1.116     192.168.1.116       25
  192.168.1.116   255.255.255.255         127.0.0.1         127.0.0.1       25
  192.168.1.255   255.255.255.255     192.168.1.116     192.168.1.116       25
      224.0.0.0         240.0.0.0     192.168.1.116     192.168.1.116       25
255.255.255.255   255.255.255.255     192.168.1.116           0.0.0.0        1
255.255.255.255   255.255.255.255     192.168.1.116     192.168.1.116        1


18     22:22:19.382  05/31/06  Sev=Info/4      CM/0x63100035
The Virtual Adapter was disabled

19     22:22:19.382  05/31/06  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=FC81CD8AA4E747FF R_Cookie=1CC315D1B3B19AF9) reason = DEL_REASON_RESET_SADB

20     22:22:19.382  05/31/06  Sev=Info/4      CM/0x63100013
Phase 1 SA deleted cause by DEL_REASON_RESET_SADB.  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

21     22:22:19.382  05/31/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

22     22:22:19.392  05/31/06  Sev=Info/6      CM/0x63100031
Tunnel to headend device 129.83.20.113 disconnected: duration: 0 days 0:8:7

23     22:22:19.492  05/31/06  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

24     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700013
Delete internal key with SPI=0x49cf257a

25     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x6370000C
Key deleted by SPI 0x49cf257a

26     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700013
Delete internal key with SPI=0x0fa7433c

27     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x6370000C
Key deleted by SPI 0x0fa7433c

28     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

29     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x6370000B
Key requested

30     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700013
Delete internal key with SPI=0x00000000

31     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

32     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

33     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped

34     22:22:19.512  05/31/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

35     22:22:19.512  05/31/06  Sev=Warning/2      IKE/0xA3000067
Received an IPC message during invalid state (IKE_MAIN:507)

36     22:22:24.549  05/31/06  Sev=Info/4      CM/0x63100002
Begin connection process

37     22:22:24.559  05/31/06  Sev=Warning/2      CVPND/0xA3400011
Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: 0xC0A80174 (DRVIFACE:1158).

38     22:22:24.569  05/31/06  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

39     22:22:24.569  05/31/06  Sev=Info/4      CM/0x63100024
Attempt connection with server "129.83.20.113"

40     22:22:24.600  05/31/06  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 129.83.20.113.

41     22:22:24.620  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 129.83.20.113

42     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

43     22:22:24.780  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?), VID(?)) from 129.83.20.113

44     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer is a Cisco-Unity compliant peer

45     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer supports XAUTH

46     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer supports DPD

47     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer supports NAT-T

48     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer supports IKE fragmentation payloads

49     22:22:24.780  05/31/06  Sev=Info/5      IKE/0x63000001
Peer supports DWR Code and DWR Text

50     22:22:24.800  05/31/06  Sev=Info/6      IKE/0x63000001
IOS Vendor ID Contruction successful

51     22:22:24.800  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 129.83.20.113

52     22:22:24.800  05/31/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

53     22:22:24.800  05/31/06  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0x1194, Remote Port = 0x1194

54     22:22:24.800  05/31/06  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

55     22:22:24.800  05/31/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

56     22:22:24.840  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

57     22:22:24.840  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 129.83.20.113

58     22:22:24.840  05/31/06  Sev=Info/4      CM/0x63100015
Launch xAuth application

59     22:22:24.920  05/31/06  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

60     22:22:24.920  05/31/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

61     22:22:24.920  05/31/06  Sev=Info/6      IPSEC/0x6370002C
Sent 269 packets, 0 were fragmented.

62     22:22:24.920  05/31/06  Sev=Info/4      IPSEC/0x6370000D
Key(s) deleted by Interface (192.43.245.73)

63     22:22:34.954  05/31/06  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

64     22:22:36.627  05/31/06  Sev=Info/4      CM/0x63100017
xAuth application returned

65     22:22:36.627  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 129.83.20.113

66     22:22:38.990  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

67     22:22:38.990  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 129.83.20.113

68     22:22:38.990  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 129.83.20.113

69     22:22:38.990  05/31/06  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

70     22:22:39.050  05/31/06  Sev=Info/5      IKE/0x6300005E
Client sending a firewall request to concentrator

71     22:22:39.050  05/31/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).

72     22:22:39.050  05/31/06  Sev=Info/5      IKE/0x6300005D
Firewall Policy: Product=ZoneLabs Integrity Agent, Capability= (Client/Server).

73     22:22:39.050  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 129.83.20.113

74     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

75     22:22:40.122  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 129.83.20.113

76     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 129.83.200.30

77     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

78     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 129.83.20.47

79     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 129.83.20.100

80     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(1) (a.k.a. WINS) : , value = 129.83.25.1

81     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NBNS(2) (a.k.a. WINS) : , value = 129.83.25.3

82     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

83     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = mitre.org

84     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

85     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.7.E built by vmurphy on Mar 14 2005 11:25:43

86     22:22:40.122  05/31/06  Sev=Info/5      IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

87     22:22:40.122  05/31/06  Sev=Info/4      CM/0x63100019
Mode Config data received

88     22:22:40.142  05/31/06  Sev=Info/4      IKE/0x63000056
Received a key request from Driver: Local IP = 129.83.200.30, GW IP = 129.83.20.113, Remote IP = 0.0.0.0

89     22:22:40.142  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 129.83.20.113

90     22:22:40.142  05/31/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

91     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

92     22:22:40.182  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 129.83.20.113

93     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

94     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000047
This SA has already been alive for 16 seconds, setting expiry to 86384 seconds from now

95     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 129.83.20.113

96     22:22:40.182  05/31/06  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK QM *(HASH, SA, NON, ID, ID, NOTIFY:STATUS_RESP_LIFETIME) from 129.83.20.113

97     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000045
RESPONDER-LIFETIME notify has value of 28800 seconds

98     22:22:40.182  05/31/06  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH) to 129.83.20.113

99     22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000059
Loading IPsec SA (MsgID=E0C74746 OUTBOUND SPI = 0x01D89585 INBOUND SPI = 0x7A3F1995)

100    22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000025
Loaded OUTBOUND ESP SPI: 0x01D89585

101    22:22:40.182  05/31/06  Sev=Info/5      IKE/0x63000026
Loaded INBOUND ESP SPI: 0x7A3F1995

102    22:22:40.282  05/31/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.116       25
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    192.168.1.0     255.255.255.0     192.168.1.116     192.168.1.116       25
  192.168.1.116   255.255.255.255         127.0.0.1         127.0.0.1       25
  192.168.1.255   255.255.255.255     192.168.1.116     192.168.1.116       25
      224.0.0.0         240.0.0.0     192.168.1.116     192.168.1.116       25
255.255.255.255   255.255.255.255     192.168.1.116           0.0.0.0        1
255.255.255.255   255.255.255.255     192.168.1.116     192.168.1.116        1


103    22:22:40.833  05/31/06  Sev=Info/4      CM/0x63100034
The Virtual Adapter was enabled:
      IP=129.83.200.30/255.255.255.0
      DNS=129.83.20.47,129.83.20.100
      WINS=129.83.25.1,129.83.25.3
      Domain=mitre.org
      Split DNS Names=

104    22:22:40.833  05/31/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     129.83.200.30     129.83.200.30        1
        0.0.0.0           0.0.0.0       192.168.1.1     192.168.1.116       25
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
   129.83.200.0     255.255.255.0     129.83.200.30     129.83.200.30       25
  129.83.200.30   255.255.255.255         127.0.0.1         127.0.0.1       25
 129.83.255.255   255.255.255.255     129.83.200.30     129.83.200.30       25
    192.168.1.0     255.255.255.0     192.168.1.116     192.168.1.116       25
  192.168.1.116   255.255.255.255         127.0.0.1         127.0.0.1       25
  192.168.1.255   255.255.255.255     192.168.1.116     192.168.1.116       25
      224.0.0.0         240.0.0.0     129.83.200.30     129.83.200.30       25
      224.0.0.0         240.0.0.0     192.168.1.116     192.168.1.116       25
255.255.255.255   255.255.255.255     129.83.200.30           0.0.0.0        1
255.255.255.255   255.255.255.255     129.83.200.30     129.83.200.30        1
255.255.255.255   255.255.255.255     192.168.1.116     192.168.1.116        1


105    22:22:40.833  05/31/06  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.1.255
      Netmask      255.255.255.255
      Gateway      129.83.200.30
      Interface      129.83.200.30

106    22:22:40.833  05/31/06  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: 8153c81e, Gateway: 8153c81e.

107    22:22:40.863  05/31/06  Sev=Info/4      CM/0x63100038
Successfully saved route changes to file.

108    22:22:40.863  05/31/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     129.83.200.30     129.83.200.30        1
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
  129.83.20.113   255.255.255.255       192.168.1.1     192.168.1.116        1
   129.83.200.0     255.255.255.0     129.83.200.30     129.83.200.30       25
  129.83.200.30   255.255.255.255         127.0.0.1         127.0.0.1       25
 129.83.255.255   255.255.255.255     129.83.200.30     129.83.200.30       25
    192.168.1.0     255.255.255.0     192.168.1.116     192.168.1.116       25
    192.168.1.0     255.255.255.0     129.83.200.30     129.83.200.30       25
    192.168.1.1   255.255.255.255     192.168.1.116     192.168.1.116        1
  192.168.1.116   255.255.255.255         127.0.0.1         127.0.0.1       25
  192.168.1.255   255.255.255.255     192.168.1.116     192.168.1.116       25
      224.0.0.0         240.0.0.0     129.83.200.30     129.83.200.30       25
      224.0.0.0         240.0.0.0     192.168.1.116     192.168.1.116       25
255.255.255.255   255.255.255.255     129.83.200.30           0.0.0.0        1
255.255.255.255   255.255.255.255     129.83.200.30     129.83.200.30        1
255.255.255.255   255.255.255.255     192.168.1.116     192.168.1.116        1


109    22:22:40.863  05/31/06  Sev=Info/6      CM/0x63100036
The routing table was updated for the Virtual Adapter

110    22:22:40.913  05/31/06  Sev=Info/4      CM/0x6310001A
One secure connection established

111    22:22:40.973  05/31/06  Sev=Info/4      CM/0x6310003B
Address watch added for 192.168.1.116.  Current hostname: MM133203-PC, Current address(es): 129.83.200.30, 192.168.1.116.

112    22:22:40.973  05/31/06  Sev=Info/4      CM/0x6310003B
Address watch added for 129.83.200.30.  Current hostname: MM133203-PC, Current address(es): 129.83.200.30, 192.168.1.116.

113    22:22:40.973  05/31/06  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

**************

Yet the log that is created from my entry where I am connected I do not receive this problem.  I am always able to connect as well as have a much larger routing table... here is piece of my log:

69     16:12:48.200  06/05/06  Sev=Info/5      IKE/0x63000026
Loaded INBOUND ESP SPI: 0xE4E57066

70     16:12:48.280  06/05/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     128.29.99.254      128.29.99.39       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    128.29.99.0     255.255.255.0      128.29.99.39      128.29.99.39       20
   128.29.99.39   255.255.255.255         127.0.0.1         127.0.0.1       20
 128.29.255.255   255.255.255.255      128.29.99.39      128.29.99.39       20
  192.168.236.0     255.255.255.0     192.168.236.1     192.168.236.1       20
  192.168.236.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.236.255   255.255.255.255     192.168.236.1     192.168.236.1       20
  192.168.245.0     255.255.255.0     192.168.245.1     192.168.245.1       20
  192.168.245.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.245.255   255.255.255.255     192.168.245.1     192.168.245.1       20
      224.0.0.0         240.0.0.0      128.29.99.39      128.29.99.39       20
      224.0.0.0         240.0.0.0     192.168.236.1     192.168.236.1       20
      224.0.0.0         240.0.0.0     192.168.245.1     192.168.245.1       20
255.255.255.255   255.255.255.255      128.29.99.39      128.29.99.39        1
255.255.255.255   255.255.255.255     192.168.236.1     192.168.236.1        1
255.255.255.255   255.255.255.255     192.168.245.1     192.168.245.1        1


71     16:12:54.273  06/05/06  Sev=Info/4      CM/0x63100034
The Virtual Adapter was enabled:
      IP=129.83.201.39/255.255.0.0
      DNS=129.83.20.47,129.83.20.100
      WINS=129.83.25.1,129.83.25.3
      Domain=mitre.org
      Split DNS Names=

72     16:12:54.273  06/05/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     128.29.99.254      128.29.99.39       20
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
    128.29.99.0     255.255.255.0      128.29.99.39      128.29.99.39       20
   128.29.99.39   255.255.255.255         127.0.0.1         127.0.0.1       20
 128.29.255.255   255.255.255.255      128.29.99.39      128.29.99.39       20
     129.83.0.0       255.255.0.0     129.83.201.39     129.83.201.39       20
  129.83.201.39   255.255.255.255         127.0.0.1         127.0.0.1       20
 129.83.255.255   255.255.255.255     129.83.201.39     129.83.201.39       20
  192.168.236.0     255.255.255.0     192.168.236.1     192.168.236.1       20
  192.168.236.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.236.255   255.255.255.255     192.168.236.1     192.168.236.1       20
  192.168.245.0     255.255.255.0     192.168.245.1     192.168.245.1       20
  192.168.245.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.245.255   255.255.255.255     192.168.245.1     192.168.245.1       20
      224.0.0.0         240.0.0.0      128.29.99.39      128.29.99.39       20
      224.0.0.0         240.0.0.0     129.83.201.39     129.83.201.39       20
      224.0.0.0         240.0.0.0     192.168.236.1     192.168.236.1       20
      224.0.0.0         240.0.0.0     192.168.245.1     192.168.245.1       20
255.255.255.255   255.255.255.255      128.29.99.39      128.29.99.39        1
255.255.255.255   255.255.255.255     129.83.201.39     129.83.201.39        1
255.255.255.255   255.255.255.255     192.168.236.1     192.168.236.1        1
255.255.255.255   255.255.255.255     192.168.245.1     192.168.245.1        1


73     16:12:54.273  06/05/06  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      128.29.255.255
      Netmask      255.255.255.255
      Gateway      129.83.201.39
      Interface      129.83.201.39

74     16:12:54.273  06/05/06  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: 801dffff, Netmask: ffffffff, Interface: 8153c927, Gateway: 8153c927.

75     16:12:54.323  06/05/06  Sev=Info/4      CM/0x63100038
Successfully saved route changes to file.

76     16:12:54.323  06/05/06  Sev=Info/5      CVPND/0x63400013
    Destination           Netmask           Gateway         Interface   Metric
        0.0.0.0           0.0.0.0     128.29.99.254      128.29.99.39       20
   66.170.225.2   255.255.255.255     129.83.201.39     129.83.201.39        1
      127.0.0.0         255.0.0.0         127.0.0.1         127.0.0.1        1
     128.29.0.0       255.255.0.0     129.83.201.39     129.83.201.39        1
    128.29.99.0     255.255.255.0      128.29.99.39      128.29.99.39       20
    128.29.99.0     255.255.255.0     129.83.201.39     129.83.201.39       20
   128.29.99.39   255.255.255.255         127.0.0.1         127.0.0.1       20
 128.29.154.150   255.255.255.255     128.29.99.254      128.29.99.39        1
 128.29.255.255   255.255.255.255      128.29.99.39      128.29.99.39       20
     129.83.0.0       255.255.0.0     129.83.201.39     129.83.201.39        1
  129.83.20.113   255.255.255.255     128.29.99.254      128.29.99.39        1
  129.83.201.39   255.255.255.255         127.0.0.1         127.0.0.1       20
 129.83.255.255   255.255.255.255     129.83.201.39     129.83.201.39       20
     172.16.0.0       255.255.0.0     129.83.201.39     129.83.201.39        1
    192.80.55.0     255.255.255.0     129.83.201.39     129.83.201.39        1
   192.160.51.0     255.255.255.0     129.83.201.39     129.83.201.39        1
  192.168.236.0     255.255.255.0     192.168.236.1     192.168.236.1       20
  192.168.236.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.236.255   255.255.255.255     192.168.236.1     192.168.236.1       20
  192.168.245.0     255.255.255.0     192.168.245.1     192.168.245.1       20
  192.168.245.1   255.255.255.255         127.0.0.1         127.0.0.1       20
192.168.245.255   255.255.255.255     192.168.245.1     192.168.245.1       20
      224.0.0.0         240.0.0.0      128.29.99.39      128.29.99.39       20
      224.0.0.0         240.0.0.0     129.83.201.39     129.83.201.39       20
      224.0.0.0         240.0.0.0     192.168.236.1     192.168.236.1       20
      224.0.0.0         240.0.0.0     192.168.245.1     192.168.245.1       20
255.255.255.255   255.255.255.255      128.29.99.39      128.29.99.39        1
255.255.255.255   255.255.255.255     129.83.201.39     129.83.201.39        1
255.255.255.255   255.255.255.255     192.168.236.1     192.168.236.1        1
255.255.255.255   255.255.255.255     192.168.245.1     192.168.245.1        1


77     16:12:54.323  06/05/06  Sev=Info/6      CM/0x63100036
The routing table was updated for the Virtual Adapter

78     16:12:54.473  06/05/06  Sev=Info/4      CM/0x6310001A
One secure connection established

79     16:12:54.653  06/05/06  Sev=Info/4      CM/0x6310003B
Address watch added for 128.29.99.39.  Current hostname: MM122128-PC, Current address(es): 129.83.201.39, 128.29.99.39, 192.168.236.1, 192.168.245.1.

80     16:12:54.663  06/05/06  Sev=Info/4      CM/0x6310003B
Address watch added for 129.83.201.39.  Current hostname: MM122128-PC, Current address(es): 129.83.201.39, 128.29.99.39, 192.168.236.1, 192.168.245.1.

81     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

82     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

83     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0xf3bc7f47 into key list

84     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x63700010
Created a new key structure

85     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x6370000F
Added key with SPI=0x6670e5e4 into key list

86     16:12:54.663  06/05/06  Sev=Info/4      IPSEC/0x6370002F
Assigned VA private interface addr 129.83.201.39

87     16:12:55.815  06/05/06  Sev=Info/4      IPSEC/0x63700019
Activate outbound key with SPI=0xf3bc7f47 for inbound key with SPI=0x6670e5e4
0
 
Rob WilliamsCommented:
pseudocyber, is far better with the "details" than I, so hopefully he will be back, but I notice two things; 1)what are all these subnets in the working connection: 128.29.99.0 ,   129.83.20.0 , 128.29.99.0 , 172.16.0.0 , 192.80.55.0 , 192.160.51.0 , 192.168.236.0 , 192.168.245.0 ? Are there static routes required for the other laptops ?  2) the working connection seems to be connecting through the virtual adapter as it should, however the non-working connection seems to be trying to connect (129.83.20.113) through the physical adapter 192.168.1.116

That is not a solution of any sort but rather an observation.
There are no other IPSec clients installed on the problematic laptops are there ?
Another test might be to disable the wired NIC in network connections and try connecting to  see if that makes a difference.
With some VPN clients you can specify the adapter through which to connect. I am not a "Cisco guy" but I don't recall seeing this as an option on the Cisco client. Is it?
0
 
chunkyshuAuthor Commented:
Ok.. so just to let you guys know what the problem is ~ it's a driver issue!

Yup, a driver issue. Dell is working on the case with Cisco and Broadcom (the driver manufacturer) to determine the problem. Currently, there are work arounds to roll back the driver to the previous version or to change some priority settings. As it stands right now, if we make the changes that were suggested, the systems work ~ but out of the box the user is able to VPN and seem to get a connection ~ but does not have access to network resources because packets are not transmitting and receiving properly.
0
 
Rob WilliamsCommented:
Really? A driver issue and it works at some locations and not others? What about all those other subnets? any chance re-installing the network adapter and drivers has cleaned that up?
Thanks for the update.
0
 
chunkyshuAuthor Commented:
I removed and reinstalled the drivers ~ that didn't change the problem. The only thing that fixed it was to roll back the driver a version or I found another work around:
Click Start
Click Settings
Click Control Panel
Click System
Click the Hardware Tab
Click Device Manager
Open up Network Adapters and double-click Dell Wireless WLAN Adapter.
Under the Advanced Tab, click VLAN Priority Support and select Disable from the drop-down menu under Value:.
Click OK.

Strange that a physical device is effecting something that is working on a completely different layer. I'm talking with Dell now to see why this is happening. I'll keep you all updated.
-Christie
0
 
Rob WilliamsCommented:
0
 
chunkyshuAuthor Commented:
That is interesting. I also just received an email from my Cisco support rep and he sent me some info regarding a closed ticket that had to do with Cisco VPN client/Dell/Broadcom:
"The Dell 1370 WLAN current driver is v 4.10.40.0. Chipset is Broadcom 43XX. Dell Support Forum indicated similar problem with 1300 WLAN and Broadcom driver 4.10. with resolution regression to driver v 3.100. I tested v 3.100 driver on the test image and Cisco VPN 4.8 client works as expected.
This appears to be a WLAN driver problem with the Broadcom 4.10 driver. Broadcom has a uniform installer across all recent WLAN chips, so the 4.10
driver may be an issue on other Broadcom based WLAN NICs. I will test on production image and see if it resolves problem.
As to who needs to fix the problem between Broadcom driver 4.10 and Cisco VPN 4.8, I will leave that with Cisco.

They later confirmed that their testing was successful."

So its an interesting dilema between the two... seems that's what the issue is though.
0
 
Rob WilliamsCommented:
There have been a lot of postings here over the past 2 months about problems with wireless and VPN's. I wonder how many may be related to this. I also wonder if it is just with the Cisco client, or IPSec in general.
You may need to publish a paper on the topic when done.  :-)
0
 
chunkyshuAuthor Commented:
Then I'll be famous! =) or at least I will be in the geek world ~ and that's fine with me.

***Question for the adminstrator ~ how should I close this question if I found out the answer on my own?
0
 
Rob WilliamsCommented:
Christie, to close the question just post a '0' point question in the community support forum, asking to close and refund points.
http://www.experts-exchange.com/Community_Support/
No problem with the closing, but would appreciate if any more input on the ultimate solution, that you post here, for my curiosity and to assist those that follow.
Good luck with it.
--Rob
0
 
chunkyshuAuthor Commented:
Thanks.. i'll wait to close it ones I hear more from Dell.. which should be next week.
0
 
Rob WilliamsCommented:
Thanks, have a great weekend !
--Rob
0
 
chunkyshuAuthor Commented:
Currently, we have determined that the solution is that the updated Dell/Broadcom driver is incompatible with Cisco VPN. There is an issue with the wireless card drivers in the system and the VPN client. The work around that was given to us by Dell os below, and are waiting for new drivers that will repair the issue. In the meantime, we have asked users to implement the work around just to get them up and running. The directions for the work around are:
 
VPN Issue Work Around:

1.      Click Start
2.      Click Settings
3.      Click Control Panel
4.      Click System
5.      Click the Hardware Tab
6.      Click Device Manager
7.      Open up Network Adapters and double-click Dell Wireless WLAN Adapter.
8.      Under the Advanced Tab, click VLAN Priority Support and select Disable from the drop-down menu under Value:.
9.      Click OK.

Anyway, hope this helps!
0
 
Rob WilliamsCommented:
Thanks Christie, excellent information to have on hand, and may be of great value to those that follow.
Good luck with it,
--Rob
0
 
TuckerPDXCommented:
I had the same problem:

Dell Latitude D610
Dell Wireless 1370 - driver v4.10.40.0
Linksys WRT54GS (with Sveasoft firmware) - I also tried my Apple Airport Express
Comcast HSI - Motorola Surfboard SB5101

It worked fine wired to the Surfboard, or directly to the Linksys, but not wireless. [Absolutely maddening]
This workaround has solved my problem until the new driver is ready. I could find the solution nowhere else on the net. Well worth the subscription.

Cheers everyone for the help! I'm now free to roam around the house again.

Tucker.
0
 
Rob WilliamsCommented:
Always nice to hear some one else has benefited from a discussion.
Welcome aboard Tucker.
--Rob
0
 
ee_ai_constructCommented:
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now