shashiaj
asked:
VPN user not behind NAT device problem

Have a problem with a Cisco VPN connection.
Using a VPN 3000 and have no issues with users connecting from behind a NAT'd device (using either NAT-T or TCP 10000). The moment a user is NOT behind a NAT'd device, it still connects, gets a DHCP IP assignment and looks to auth, but no traffic passes. Either way, IPSEC-UDP or IPSEC-TCP, nothing works other than connecting.

Whatever configs you need, let me know. Otherwise, I'd be grateful if someone had some ideas.

Here's a clip from the logs:
51120 03/28/2007 09:59:28.170 SEV=5 IKEDBG/64 RPT=3688 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51126 03/28/2007 09:59:34.430 SEV=4 IKE/52 RPT=3130 207.***.***.111
Group [Corporate] User [vpnuser]
User (vpnuser) authenticated.

51127 03/28/2007 09:59:34.550 SEV=5 IKE/184 RPT=3127 207.***.***.111
Group [Corporate] User [vpnuser]
Client Type: WinNT
Client Application Version: 4.0.5 (D)

51130 03/28/2007 09:59:34.600 SEV=4 IKE/119 RPT=3401 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 1 COMPLETED

51131 03/28/2007 09:59:34.620 SEV=5 IKE/25 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Received remote Proxy Host data in ID Payload:
Address 10.6.1.11, Protocol 0, Port 0

51134 03/28/2007 09:59:34.620 SEV=5 IKE/34 RPT=3613 207.***.***.111
Group [Corporate] User [vpnuser]
Received local IP Proxy Subnet data in ID Payload:
 Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

51137 03/28/2007 09:59:34.620 SEV=5 IKE/66 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
IKE Remote Peer configured for SA: ESP-3DES-MD5

51138 03/28/2007 09:59:34.620 SEV=5 IKE/75 RPT=3712 207.***.***.111
Group [Corporate] User [vpnuser]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds

51140 03/28/2007 09:59:34.680 SEV=4 IKE/49 RPT=4505 207.***.***.111
Group [Corporate] User [vpnuser]
Security negotiation complete for User (vpnuser)
Responder, Inbound SPI = 0x604c0c8e, Outbound SPI = 0xc49bffe4

51143 03/28/2007 09:59:34.690 SEV=4 IKE/120 RPT=4576 207.***.***.111
Group [Corporate] User [vpnuser]
PHASE 2 COMPLETED (msgid=cb15ba86)

51146 03/28/2007 10:08:49.220 SEV=5 IKEDBG/64 RPT=3689 207.***.***.111
IKE Peer included IKE fragmentation capability flags:
Main Mode:        True
Aggressive Mode:  False

51148 03/28/2007 10:08:49.560 SEV=5 IKE/172 RPT=3604 207.***.***.111
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51152 03/28/2007 10:08:49.570 SEV=5 IKE/194 RPT=3479 207.***.***.111
Group [Corporate] User [vpnuser]
Sending IKE Delete With Reason message: No Reason Provided.

51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 207.***.***.111
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Duration: 0:09:14
 Bytes xmt: 0
 Bytes rcv: 0
 Reason: User Requested
batry_boy

I notice that the user is using version 4.0.5 (D) of the VPN client.  The first thing I would suggest is to have him upgrade to the latest 4.8 version of the client.  This may fix whatever issue is there and it's fast and easy to try out...
shashiaj (asker)

That was just one instance. I was able to replicate the issue locally, via a Comcast circuit, and it's already using 4.8. Wish that were the case, but tried that already..... :(
Another notable: the concentrator is running parallel to the PIX. It's not inline.

Try this test... while the VPN client is connected, go to the VPN Concentrator web GUI, go to Monitoring > Sessions and look at the TX Bytes and RX Bytes for that VPN client session. Note the IP address assigned to that client and then ping that IP address. Do the TX Bytes and/or RX Bytes increase?
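The log excerpt in the question and the TX/RX byte check suggested above point at the same triage question: did IKE finish, and did the tunnel then carry anything? The script below is an added example, not code from this thread or from Cisco: it parses VPN 3000 event records of the shape shown above (sequence number, date, time, SEV, event id, RPT, peer address, then continuation lines up to a blank line), keeps each peer's automatic NAT detection result and Phase 2 state, and reads the byte counters from the disconnect record, so a session that negotiated but moved zero bytes in both directions is flagged next to a healthy one. The sample log is constructed after the excerpt in the question; the peer addresses are placeholders, and the second, NAT'd session's "is behind a NAT device" wording, its session type label and its counters are assumed for contrast.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the excerpt in the question; peer addresses are placeholders
# and the second (NAT'd) session's wording, session type and counters are assumed for contrast.
SAMPLE_LOG = """\
51122 03/28/2007 09:59:28.490 SEV=5 IKE/172 RPT=3603 203.0.113.10
Group [Corporate]
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device

51143 03/28/2007 09:59:34.690 SEV=4 IKE/120 RPT=4576 203.0.113.10
Group [Corporate] User [vpnuser]
PHASE 2 COMPLETED (msgid=cb15ba86)

51154 03/28/2007 10:08:49.570 SEV=4 AUTH/28 RPT=3103 203.0.113.10
User [vpnuser] Group [Corporate] disconnected:
 Session Type: IPSec/UDP
 Duration: 0:09:14
 Bytes xmt: 0
 Bytes rcv: 0

51201 03/28/2007 10:12:01.100 SEV=5 IKE/172 RPT=3610 198.51.100.7
Automatic NAT Detection Status:
   Remote end is behind a NAT device

51210 03/28/2007 10:12:06.300 SEV=4 IKE/120 RPT=4580 198.51.100.7
Group [Corporate] User [natuser]
PHASE 2 COMPLETED (msgid=0a1b2c3d)

51240 03/28/2007 10:40:17.900 SEV=4 AUTH/28 RPT=3110 198.51.100.7
User [natuser] Group [Corporate] disconnected:
 Session Type: IPSec/NAT-T
 Duration: 0:28:11
 Bytes xmt: 184320
 Bytes rcv: 96512
"""

HEADER = re.compile(r"^(?P<seq>\d+) \S+ \S+ SEV=\d+ (?P<event>\S+) RPT=\d+ (?P<peer>\S+)$")
NAT_LINE = re.compile(r"^(?P<end>Remote|This)\s+end is (?P<neg>NOT )?behind a NAT device$")
KV_LINE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>\S.*)$")
FIELDS = {"Session Type": "session_type", "Bytes xmt": "bytes_xmt", "Bytes rcv": "bytes_rcv"}

@dataclass
class Session:
    peer: str
    remote_behind_nat: Optional[bool] = None  # None: no detection event seen yet
    local_behind_nat: Optional[bool] = None
    phase2: bool = False                      # IPsec SAs were established
    session_type: Optional[str] = None        # taken from the disconnect record
    bytes_xmt: Optional[int] = None           # None until a disconnect record arrives
    bytes_rcv: Optional[int] = None

def parse_events(text: str):
    # Records are blank-line separated; anything without a VPN 3000 event header is ignored.
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines()]
        m = HEADER.match(lines[0])
        if m:
            events.append((m.groupdict(), lines[1:]))
    return events

def build_sessions(text: str) -> Dict[str, Session]:
    # Fold every event's details into one Session per peer address.
    sessions: Dict[str, Session] = {}
    for hdr, body in parse_events(text):
        s = sessions.setdefault(hdr["peer"], Session(peer=hdr["peer"]))
        for line in body:
            nm = NAT_LINE.match(line)
            if nm:
                behind = nm.group("neg") is None
                if nm.group("end") == "Remote":
                    s.remote_behind_nat = behind
                else:
                    s.local_behind_nat = behind
            elif line.startswith("PHASE 2 COMPLETED"):
                s.phase2 = True
            else:
                kv = KV_LINE.match(line)
                if kv and kv.group("key") in FIELDS:
                    val = kv.group("val")
                    setattr(s, FIELDS[kv.group("key")], int(val) if val.isdigit() else val)
    return sessions

def triage(s: Session) -> str:
    # Verdict for one session: did the tunnel come up, and did it carry anything?
    if not s.phase2:
        return "NO_PHASE2"        # IKE never produced IPsec SAs
    if s.bytes_xmt is None or s.bytes_rcv is None:
        return "STILL_CONNECTED"  # no disconnect record: read live TX/RX bytes in Monitoring > Sessions
    if s.bytes_xmt == 0 and s.bytes_rcv == 0:
        return "NO_TRAFFIC"       # the thread's symptom: connected and authenticated, nothing passed
    return "OK"

if __name__ == "__main__":
    for s in build_sessions(SAMPLE_LOG).values():
        print(f"{s.peer} remote_nat={s.remote_behind_nat} type={s.session_type} verdict={triage(s)}")
```

Run against a full day of concentrator logs, the output groups "NO_TRAFFIC" sessions by the NAT detection result, which is the comparison the question is really asking about (non-NAT'd peers negotiate fine but move nothing, NAT'd peers carry data). A session that is still up has no disconnect record and comes back as "STILL_CONNECTED"; for those, the counters have to be read live from Monitoring > Sessions while pinging the assigned address, exactly the test suggested above.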
ASKER CERTIFIED SOLUTION
shashiaj