Solved

VPN user not behind NAT device problem

Posted on 2007-03-29
4,110 Views
Last Modified: 2008-01-09
Have a problem with a Cisco VPN connection....
Using a VPN 3000 and have no issues with user connecting behind a NAT'd device (using either NAT-T or TCP 10000). The moment a user is NOT behind a NAT'd device it still connects, gets dhcp ip assignment & looks to auth, but no traffic passes. Either way IPSEC-UDP or IPSEC-TCP, nothing works other than connecting.

Whatever configs you need, let me know. Otherwise, I'd be grateful if someone had some ideas.

Here's a clip from the logs....
51120 03/28/2007 09:59:28.170 SEV=5 IKEDBG/64 RPT=3688 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51126 03/28/2007 09:59:34.430 SEV=4 IKE/52 RPT=3130 207.***.***.111
Group [Corporate] User [vpnuser]
User (vpnuser) authenticated.

51127 03/28/2007 09:59:34.550 SEV=5 IKE/184 RPT=3127 207.***.***.111
Group [Corporate] User [vpnuser]
Client Type: WinNT
Client Application Version: 4.0.5 (D)

51130 03/28/2007 09:59:34.600 SEV=4 IKE/119 RPT=3401 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 1 COMPLETED

51131 03/28/2007 09:59:34.620 SEV=5 IKE/25 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Received remote Proxy Host data in ID Payload:
Address 10.6.1.11, Protocol 0, Port 0

51134 03/28/2007 09:59:34.620 SEV=5 IKE/34 RPT=3613 207.***.***.111
Group [Corporate] User [vpnuser]
Received local IP Proxy Subnet data in ID Payload:
 Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

51137 03/28/2007 09:59:34.620 SEV=5 IKE/66 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
IKE Remote Peer configured for SA: ESP-3DES-MD5

51138 03/28/2007 09:59:34.620 SEV=5 IKE/75 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

51140 03/28/2007 09:59:34.680 SEV=4 IKE/49 RPT=4505 207.***.***.111
Group [Corporate] User [vpnuser]
Security negotiation complete for User (vpnuser)
Responder, Inbound SPI = 0x604c0c8e, Outbound SPI = 0xc49bffe4

51143 03/28/2007 09:59:34.690 SEV=4 IKE/120 RPT=4576 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 2 COMPLETED (msgid=cb15ba86)

51146 03/28/2007 10:08:49.220 SEV=5 IKEDBG/64 RPT=3689 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51148 03/28/2007 10:08:49.560 SEV=5 IKE/172 RPT=3604 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51152 03/28/2007 10:08:49.570 SEV=5 IKE/194 RPT=3479 207.***.***.111
Group [Corporate] User [vpnuser]
Sending IKE Delete With Reason message: No Reason Provided.

51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 207.***.***.111
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Duration: 0:09:14
 Bytes xmt: 0
 Bytes rcv: 0
 Reason: User Requested
Question by: shashiaj
Expert Comment

by:batry_boy
ID: 18819763
I notice that the user is using version 4.0.5 (D) of the VPN client.  The first thing I would suggest is to have him upgrade to the latest 4.8 version of the client.  This may fix whatever issue is there and it's fast and easy to try out...
Author Comment

by:shashiaj
ID: 18819920
That was just one instance. I was able to replicate the issue locally, via a Comcast circuit, and it's already using 4.8. Wish that was the case, but tried that already..... :(
Author Comment

by:shashiaj
ID: 18820032
Another notable point: the concentrator is running in parallel to the PIX. It's not inline.
Expert Comment

by:batry_boy
ID: 18821044
Try this test...while the VPN client is connected, go to the VPN Concentrator web GUI and go to Monitoring-Sessions and look at the TX Bytes and RX Bytes for that VPN client session.  Note the IP address assigned to that client and then ping that IP address.  Do the TX Bytes and/or RX Bytes increase?
Accepted Solution

by: shashiaj (earned 0 total points)
ID: 18823813
Did that as well. No information changes. But, on another note....
I found a workaround for it.
1. created an in/out filter for UDP 10000
2. assigned it to the public interface
3. removed the "inherit" for IPSEC/UDP in the client config. But, it's still selected, just not inherited.

Of course, another site that I work with doesn't have to do that, so I opened a TAC case and apparently it got the bees buzzing and the dev team is looking at it. I was able to walk them through the scenario and they were able to replicate the issue. They agreed with my workaround, for what that's worth. So, I guess there's a bug they're looking at.... If I get more on it, which I doubt I'll get from them, I'll add it here.

Thanks for the input batry_boy.
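Added example, not from this thread: a small Python parser for the concentrator event-log format quoted in the question, which performs batry_boy's TX/RX check offline by reading the counters from the AUTH/28 disconnect record and flags sessions that completed Phase 2 yet moved zero bytes, tagging each with the IKE/172 NAT-detection result so the "not behind NAT, no traffic" pattern stands out. The sample log is a constructed excerpt with a documentation peer address; the event classes and field names are the ones visible in the question's log.

```python
import re

# Constructed excerpt in the VPN 3000 event-log format quoted in the question.
SAMPLE_LOG = """\
51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 203.0.113.11
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
51143 03/28/2007 09:59:34.690 SEV=4 IKE/120 RPT=4576 203.0.113.11
Group [Corporate] User [vpnuser]
PHASE 2 COMPLETED (msgid=cb15ba86)
51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 203.0.113.11
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Duration: 0:09:14
 Bytes xmt: 0
 Bytes rcv: 0
"""
HEADER = re.compile(r"^\d+ (\S+ \S+) SEV=\d (\S+) RPT=\d+ (\S+)$")
BYTES = re.compile(r"Bytes (xmt|rcv): (\d+)")

def parse_events(text):
    """Split the log into (timestamp, event_class, peer, body_lines) tuples."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3), []))
        elif events and line.strip():
            events[-1][3].append(line.strip())
    return events

def find_dead_sessions(text):
    """Disconnects where Phase 2 completed but both byte counters stayed at 0."""
    nat_state, phase2, findings = {}, set(), []
    for ts, cls, peer, body in parse_events(text):
        if cls == "IKE/172":    # Automatic NAT Detection Status for this peer
            nat_state[peer] = not any("Remote end is NOT behind" in b for b in body)
        elif cls == "IKE/120":  # PHASE 2 COMPLETED: the tunnel should now carry traffic
            phase2.add(peer)
        elif cls == "AUTH/28":  # disconnect record carrying the session counters
            counters = {k: int(v) for k, v in BYTES.findall(" ".join(body))}
            user = re.search(r"User \[(\w+)\]", body[0])
            if peer in phase2 and counters.get("xmt") == 0 and counters.get("rcv") == 0:
                findings.append({"time": ts, "peer": peer,
                                 "user": user.group(1) if user else None,
                                 "remote_behind_nat": nat_state.get(peer)})
            phase2.discard(peer)
    return findings
```

Run over a full export, a hit with `remote_behind_nat` False for every zero-byte session, and none for NAT'd peers, is the signature this thread describes.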