Solved

VPN user not behind NAT device problem

Posted on 2007-03-29
Last Modified: 2008-01-09
Have a problem with a Cisco VPN connection...
Using a VPN 3000 and have no issues with users connecting from behind a NAT'd device (using either NAT-T or TCP 10000). The moment a user is NOT behind a NAT'd device it still connects, gets a DHCP IP assignment & looks to auth, but no traffic passes. Either way, IPSEC-UDP or IPSEC-TCP, nothing works other than connecting.

Whatever configs you need, let me know. Otherwise, I'd be grateful if someone had some ideas.

Here's a clip from the logs...
51120 03/28/2007 09:59:28.170 SEV=5 IKEDBG/64 RPT=3688 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51126 03/28/2007 09:59:34.430 SEV=4 IKE/52 RPT=3130 207.***.***.111
Group [Corporate] User [vpnuser]
User (vpnuser) authenticated.

51127 03/28/2007 09:59:34.550 SEV=5 IKE/184 RPT=3127 207.***.***.111
Group [Corporate] User [vpnuser]
Client Type: WinNT
Client Application Version: 4.0.5 (D)

51130 03/28/2007 09:59:34.600 SEV=4 IKE/119 RPT=3401 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 1 COMPLETED

51131 03/28/2007 09:59:34.620 SEV=5 IKE/25 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Received remote Proxy Host data in ID Payload:
Address 10.6.1.11, Protocol 0, Port 0

51134 03/28/2007 09:59:34.620 SEV=5 IKE/34 RPT=3613 207.***.***.111
Group [Corporate] User [vpnuser]
Received local IP Proxy Subnet data in ID Payload:
 Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

51137 03/28/2007 09:59:34.620 SEV=5 IKE/66 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
IKE Remote Peer configured for SA: ESP-3DES-MD5

51138 03/28/2007 09:59:34.620 SEV=5 IKE/75 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

51140 03/28/2007 09:59:34.680 SEV=4 IKE/49 RPT=4505 207.***.***.111
Group [Corporate] User [vpnuser]
Security negotiation complete for User (vpnuser)
Responder, Inbound SPI = 0x604c0c8e, Outbound SPI = 0xc49bffe4

51143 03/28/2007 09:59:34.690 SEV=4 IKE/120 RPT=4576 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 2 COMPLETED (msgid=cb15ba86)

51146 03/28/2007 10:08:49.220 SEV=5 IKEDBG/64 RPT=3689 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51148 03/28/2007 10:08:49.560 SEV=5 IKE/172 RPT=3604 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51152 03/28/2007 10:08:49.570 SEV=5 IKE/194 RPT=3479 207.***.***.111
Group [Corporate] User [vpnuser]
Sending IKE Delete With Reason message: No Reason Provided.

51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 207.***.***.111
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Duration: 0:09:14
 Bytes xmt: 0
 Bytes rcv: 0
 Reason: User Requested
Question by: shashiaj
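A small log check, added here as an illustration and not part of the original thread: it walks VPN 3000 event records shaped like the excerpt above, remembers what the concentrator's NAT detection said about each peer, and reports sessions that ended with zero bytes in both directions, which is the "connects but passes no traffic" symptom described. The sample log is constructed from the excerpt; the second peer (198.51.100.7) is a hypothetical contrast case that did pass traffic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the VPN 3000 log in the question; the first
# peer keeps the poster's masking, the second (198.51.100.7, a documentation
# address) is a hypothetical client that did pass traffic and must not be flagged.
SAMPLE_LOG = """\
51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 207.***.***.111
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 207.***.***.111
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Bytes xmt: 0
 Bytes rcv: 0

51170 03/28/2007 10:40:02.000 SEV=4 AUTH/28 RPT=3104 198.51.100.7
User [other] Group [Corporate] disconnected:
 Session Type: IPSec/NAT-T
 Bytes xmt: 51230
 Bytes rcv: 9920
"""

# Event header: "<seq> <date> <time> SEV=<n> <class>/<id> RPT=<n> <peer>"
HEADER = re.compile(r"^\d+ \S+ \S+ SEV=\d \S+ RPT=\d+ (\S+)$")
FIELD = re.compile(r"^\s*(Session Type|Bytes xmt|Bytes rcv): (.+)$", re.M)

def parse_records(log_text):
    """Yield (peer, body lines) for each blank-line-separated event."""
    for block in log_text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if m:
            yield m.group(1), lines[1:]

def find_silent_tunnels(log_text):
    """Return (peer, session type, remote NAT status) for every session that
    ended with zero bytes in both directions, the symptom in the question."""
    nat = defaultdict(lambda: "unknown")   # per-peer result of NAT detection
    silent = []
    for peer, body in parse_records(log_text):
        text = "\n".join(body)
        if "Automatic NAT Detection Status" in text:
            nat[peer] = "no NAT" if "Remote end is NOT behind" in text else "NAT"
        if "disconnected:" in text:
            f = dict(FIELD.findall(text))
            if f.get("Bytes xmt") == "0" and f.get("Bytes rcv") == "0":
                silent.append((peer, f.get("Session Type", "?"), nat[peer]))
    return silent
```

Run against a full event log export, a hit whose NAT status is "no NAT" matches the poster's pattern exactly, while a hit with "NAT" would point somewhere else.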
7 Comments

Expert Comment by: batry_boy (LVL 28)
ID: 18819763
I notice that the user is using version 4.0.5 (D) of the VPN client. The first thing I would suggest is to have him upgrade to the latest 4.8 version of the client. This may fix whatever issue is there and it's fast and easy to try out...

Author Comment by: shashiaj
ID: 18819920
That was just one instance. I was able to replicate the issue locally via a Comcast circuit, and it's already using 4.8. Wish that was the case, but tried that already..... :(

Author Comment by: shashiaj
ID: 18820032
Another notable point: the concentrator is running parallel to the PIX. It's not inline.

Expert Comment by: batry_boy (LVL 28)
ID: 18821044
Try this test... while the VPN client is connected, go to the VPN Concentrator web GUI, go to Monitoring-Sessions and look at the TX Bytes and RX Bytes for that VPN client session. Note the IP address assigned to that client and then ping that IP address. Do the TX Bytes and/or RX Bytes increase?

Accepted Solution by: shashiaj (earned 0 total points)
ID: 18823813
Did that as well. No information changes. But, on another note....
I found a workaround for it.
1. Created an in/out filter for UDP 10000.
2. Assigned it to the public interface.
3. Removed the "inherit" for IPSEC/UDP in the client config. But it's still selected, just not inherited.

Of course, another site that I work with doesn't have to do that, so I opened a TAC case, and apparently it got the bees buzzing and the dev team is looking at it. I was able to walk them through the scenario and they were able to replicate the issue. They agreed with my workaround, for what that's worth. So, I guess there's a bug they're looking at.... If I get more on it, which I doubt I'll get from them, I'll add it here.

Thanks for the input batry_boy.