CISCO VPN, Remote Desktop not working, New router installed!!!

Last Modified: 2013-11-21
Ok here is the deal, I will keep this as simple as possible.

We are using the Cisco VPN client (4.8.00) to connect to a server hosted in a datacenter. Once connected to the VPN client, we use RDP to connect to the server.

This works fine from everywhere and for everyone except for ONE location. This ONE location just had a new router installed (3com 5012), the CISCO VPN client connects but the remote desktop will not connect. Just get the usual time out.

So in my mind this obviously points to the router, as everything is fine from everywhere else and was at that location UNTIL this router was replaced.

What needs to be enabled on that router to make this work????

Thanks in advance.

Commented:
I would make sure that TCP port 3389 is open on the router

Author

Commented:
It's open, I can connect anywhere else in the network.

Forgot to mention I can't even ping the target server (server I want to remote desktop to) when connected via the CISCO VPN client.
CERTIFIED EXPERT
Top Expert 2013

Commented:
Is there a chance that your Cisco VPN (host site) is configured with Access Control Lists allowing connections only from specific public IPs and/or subnets? Has changing the router changed either of those, the public IP or more likely the local LAN subnet, at the client site?
Or, if the local LAN subnet at the client site has changed, make sure it has not become the same subnet as the host site. VPNs must have different subnets at either end, or you will experience issues as you have described, a connection, but no communication.
Les Moore, Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Does this new router support IPSEC Passthrough? Some routers have it as an option that is disabled by default. Some have it enabled by default. Is the VPN end device (PIX, VPN3000) set up to allow nat-traversal?

Commented:
Check for any firmware upgrades for your router.

Hi,
Can you ping that 3com router from the VPN client?
If not, check the 3com routing table. It should have a route to reach the server and one back to the VPN client (you may just be missing a static route).
I hope that helps
The 3com 5012 is listed as having VPN pass-through, normally this feature is on by default but you may want to check through the console to be double sure.

The first silly question has to be:  Both sites are on different subnets? If they are the same you will have trouble routing traffic.

If this is not the case try editing the connection in the Cisco client and make sure under transport that IPSEC over UDP is selected. If this doesn't work try switching to IPSec over TCP and picking a port number (not the RDP port of course). You will then need to make sure your router forwards this port to the PC using the client.


Hope this helps!


Commented:
You might want to upgrade your VPN client (5.x is out). Also make sure that Windows Firewall is not running on the client. In the Cisco client there is a setting that will allow detailed logging. I have seen several cases where the Cisco client looks like it is connected, but no data passes. In some it was what was mentioned above with the subnets being the same on both sides. That can be overcome by not enabling split tunnel for the VPN profile. I have also seen it when the client has a software firewall running on the client workstation. Lastly I have also seen it when the devices between the client and the VPN termination device are performing NAT and they do not support IPSEC passthru. In that case you may (or may not) be able to make it work with config changes on the equipment. I do not know much about 3com, so I cannot offer any ideas there.

good luck

Author

Commented:
Thank you all for the responses.

It seems mark_seymour hit it on the head.

Both are on the same subnets, so now I know why... But how can I fix it?? Static route?
CERTIFIED EXPERT
Top Expert 2013

Commented:
Or possibly as stated; "Or, if the local LAN subnet at the client site has changed, make sure it has not become the same subnet as the host site. VPN's must have different subnets at either end, or you will experience issues as you have described, a connection, but no communication."

Author

Commented:
Can't change the subnet at either site unfortunately. Is there any possible way around this?
and yes have the connection, but zero communication...
CERTIFIED EXPERT
Top Expert 2013
Commented:
:-) My point was more that you had mentioned "mark_seymour hit it on the head" where it had been mentioned earlier.
You cannot have a VPN if the subnets are the same, that is a basic VPN rule. Packets are routed based on the subnet to which they belong. If the local and remote subnets are the same, to which network segment are the packets to be sent?
 
I am not very familiar at all with Cisco, but there have been a few questions where some folks have suggested configurations where it may work, NATing addresses. Perhaps one of the Cisco experts will have a suggestion.
If changing the subnet is totally out of the question on both sites then you may want to try a software alternative. We had one such situation in the past and used a product called "logmein hamachi"; this created a virtual VPN between two PCs (I believe it can be used to create gateways between the networks too). Since the software gives you a virtual (non-routable) IP it works fine regardless of the machines' normal IPs and isn't too costly. This proved to be a lot simpler config-wise.
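
Added example (not part of the original thread): a small Python check for the overlapping-subnet condition discussed above, plus a simplified model of route selection (longest prefix, then lowest metric) showing why the tunnel comes up but traffic to the server never enters it. All addresses, metrics and interface names are constructed for illustration; real route metrics depend on the OS and VPN client.

```python
import ipaddress

def conflicting(local_lan, remote_lan):
    """True when the client-site and host-site address ranges overlap."""
    a = ipaddress.ip_network(local_lan)
    b = ipaddress.ip_network(remote_lan)
    return a.overlaps(b)

def select_route(routes, dest):
    """Pick the egress interface for dest: longest prefix wins, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    candidates = [(ipaddress.ip_network(net), metric, iface)
                  for net, metric, iface in routes
                  if ip in ipaddress.ip_network(net)]
    if not candidates:
        return None
    best = max(candidates, key=lambda c: (c[0].prefixlen, -c[1]))
    return best[2]

def client_routes(local_lan, remote_lan):
    """Constructed routing table of a VPN client PC (simplified model)."""
    return [
        (local_lan, 10, "LAN"),     # on-link route for the local subnet
        ("0.0.0.0/0", 10, "LAN"),   # default route via the site router
        (remote_lan, 20, "VPN"),    # route added for the remote network
    ]

SERVER = "192.168.1.10"      # constructed address of the RDP server
REMOTE = "192.168.1.0/24"    # constructed host-site subnet

def egress(local_lan):
    """Interface the client would use to reach SERVER from the given LAN."""
    return select_route(client_routes(local_lan, REMOTE), SERVER)

if __name__ == "__main__":
    # Same subnet at both ends vs. a renumbered client site.
    for lan in ("192.168.1.0/24", "192.168.50.0/24"):
        print(f"client LAN {lan}: overlap={conflicting(lan, REMOTE)}, "
              f"server reached via {egress(lan)}")
```

When the result is `LAN`, the client treats the server's address as on-link and looks for it on the local segment, which matches the "connected, but no ping and no RDP" symptom.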