Solved

CISCO VPN, Remote Desktop not working, New router installed!!!

Posted on 2007-07-20
Last Modified: 2013-11-21
Ok here is the deal, I will keep this as simple as possible.

We are using the Cisco VPN client (4.8.00) to connect to a server hosted in a datacenter. Once connected to the VPN client, we use RDP to connect to the server.

This works fine from everywhere and for everyone except for ONE location. This ONE location just had a new router installed (3Com 5012). The Cisco VPN client connects but the remote desktop will not connect. Just get the usual time out.

So in my mind this obviously points to the router, as everything is fine from everywhere else and was at that location UNTIL this router was replaced.

What needs to be enabled on that router to make this work????

Thanks in advance.
Question by:exactitsolutions
13 Comments
 

Expert Comment

by:cocoged
ID: 19529685
I would make sure that TCP port 3389 is open on the router
0
 

Author Comment

by:exactitsolutions
ID: 19529715
It's open, I can connect anywhere else in the network.

Forgot to mention I can't even ping the target server (server I want to remote desktop to) when connected via the CISCO VPN client.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19530171
Is there a chance that your Cisco VPN (host site) is configured with Access Control Lists allowing connections only from specific public IPs and/or subnets? Has changing the router changed either of those, the public IP or more likely local LAN subnet, at the client site?
Or, if the local LAN subnet at the client site has changed, make sure it has not become the same subnet as the host site. VPNs must have different subnets at either end, or you will experience issues as you have described, a connection, but no communication.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19530184
Does this new router support IPSEC Passthrough? Some routers have it as an option that is disabled by default. Some have it enabled by default. Is the VPN end device (PIX, VPN3000) set up to allow NAT traversal?
0
 
LVL 8

Expert Comment

by:Bird Dog
ID: 19530423
Check for any firmware upgrades for your router.
0
 
LVL 6

Expert Comment

by:netnounours
ID: 19532575
Hi,
Can you ping that 3Com router from the VPN client?
If not, check the 3Com routing table. It should have a route to reach the server and one back to the VPN client (you may just be missing a static route).
I hope that helps.
0
 
LVL 2

Accepted Solution

by:
mark_seymour earned 1000 total points
ID: 19532709
The 3Com 5012 is listed as having VPN pass-through. Normally this feature is on by default, but you may want to check through the console to be double sure.

The first silly question has to be: Both sites are on different subnets? If they are the same you will have trouble routing traffic.

If this is not the case, try editing the connection in the Cisco client and make sure under transport that IPSEC over UDP is selected. If this doesn't work, try switching to IPSec over TCP and picking a port number (not the RDP port of course). You will then need to make sure your router forwards this port to the PC using the client.


Hope this helps!
0
 

Expert Comment

by:hjm3857
ID: 19536765
You might want to upgrade your VPN client (5.x is out). Also make sure that Windows Firewall is not running on the client. In the Cisco client there is a setting that will allow detailed logging. I have seen several cases where the Cisco client looks like it is connected, but no data passes. In some it was what was mentioned above with the subnets being the same on both sides. That can be overcome by not enabling split tunnel for the VPN profile. I have also seen it when the client has a software firewall running on the client workstation. Lastly, I have also seen it when the devices between the client and the VPN termination device are performing NAT and they do not support IPSEC passthru. In that case you may (or may not) be able to make it work with config changes on the equipment. I do not know much about 3Com, so I cannot offer any ideas there.

Good luck.
0
 

Author Comment

by:exactitsolutions
ID: 19543429
Thank you all for the responses.

It seems mark_seymour hit it on the head.

Both are on the same subnets, so now I know why... But how can I fix?? Static Route?
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19543433
Or possibly as stated; "Or, if the local LAN subnet at the client site has changed, make sure it has not become the same subnet as the host site. VPNs must have different subnets at either end, or you will experience issues as you have described, a connection, but no communication."
0
 

Author Comment

by:exactitsolutions
ID: 19543539
Can't change the subnet at either site unfortunately. Is there any possible way around this?
And yes, have the connection, but zero communication...
0
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 1000 total points
ID: 19543556
:-) my point was more you had mentioned; "mark_seymour hit it on the head" where it had been mentioned earlier.
You cannot have a VPN if the subnets are the same, that is a basic VPN rule. Packets are routed based on the subnet to which they belong. If the local and remote subnets are the same, to which network segment are the packets to be sent?

I am not very familiar at all with Cisco, but there have been a few questions where some folks have suggested configurations where it may work, NATing addresses. Perhaps one of the Cisco experts will have a suggestion.
0
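Added example, not part of the original thread: a small Python model of why identical subnets at both ends give "a connection, but no communication", and of the 1:1 address translation idea mentioned above. All addresses are constructed samples, and the routing model is a simplifying assumption (a split-tunnel client whose connected-LAN route wins for any destination inside its own subnet).

```python
import ipaddress

def classify(client_lan, host_lan):
    """Relationship between the client-site LAN and the host-site LAN."""
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(host_lan, strict=False)
    if a == b:
        return "identical"
    return "overlapping" if a.overlaps(b) else "disjoint"

def delivery(client_lan, target):
    """Assumed model: a destination inside the client's own subnet is treated
    as on-link (ARP on the local wire); anything else goes into the tunnel."""
    lan = ipaddress.ip_network(client_lan, strict=False)
    return "local-lan" if ipaddress.ip_address(target) in lan else "tunnel"

def netmap(addr, real_net, mapped_net):
    """1:1 NAT: keep the host offset, swap the network prefix."""
    real = ipaddress.ip_network(real_net)
    mapped = ipaddress.ip_network(mapped_net)
    if real.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 mapping needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{addr} is not inside {real_net}")
    offset = int(ip) - int(real.network_address)
    return str(mapped.network_address + offset)

def pick_free(candidates, in_use):
    """First candidate range that overlaps none of the ranges already in use."""
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(u) for u in used):
            return cand
    return None

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    client_lan, host_lan, server = "192.168.1.0/24", "192.168.1.0/24", "192.168.1.10"
    print("subnets:", classify(client_lan, host_lan))
    print("RDP to", server, "is sent to:", delivery(client_lan, server))
    mapped = pick_free(["192.168.1.0/24", "10.99.1.0/24"], [client_lan, host_lan])
    alias = netmap(server, host_lan, mapped)
    print("translated address", alias, "is sent to:", delivery(client_lan, alias))
```

With the sample values, the server's real address never leaves the client's LAN, while its translated alias is routed into the tunnel; the translation itself would have to be configured on the VPN termination device.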
 
LVL 2

Expert Comment

by:mark_seymour
ID: 19595052
If changing the subnet is totally out of the question on both sites then you may want to try a software alternative. We had one such situation in the past and used a product called "logmein hamachi". This created a virtual VPN between two PCs (I believe it can be used to create gateways between the networks too). Since the software gives you a virtual (non-routable) IP, it works fine regardless of the machines' normal IPs and isn't too costly. This proved to be a lot simpler config-wise.
0
