Solved

VPN Connection fails with 0 bytes received

Posted on 2008-06-09
Last Modified: 2014-02-27
I have an "interesting" transient problem with my laptop's VPN connection - sometimes the VPN connection works perfectly, and other times it just doesn't work at all.

The Cisco VPN client software is version 4.8.01.0300. Operating system is Windows XP SP2.

Transport is configured with "Enable Transparent Tunnelling" and "IPSec over UDP (NAT/PAT)" selected.

When the connection fails, the client statistics window shows "Bytes Received: 0" and "Packets Decrypted: 0".

The weird thing is that the VPN can work properly for months and months, and then stop. Rebooting the system has no effect.

This problem occurs for some other users as well, but never at the same time, and we've failed to solve the problem. Rather, it just seems to "go away", only to recur later.

At the moment, I have a partial failure. Using my mobile PC card, I can go online at 115kb/s and the VPN works well, though slowly. But, going online through my 802.11g wireless fails.

Given that things can work properly for months at a time, and that other users have flawless access while I experience this problem, I'm pretty sure the issue is local to my machine.

Through extensive googling, I found a suggestion to tune my MTU using ping to probe the connection. However, I found that both my mobile card and wireless connections maxed out at the same figure - 1272 bytes - so I'm guessing that MTU isn't the source of the problem.
Question by:rbnzapps
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 21750501
What are you connecting to? A PIX? ASA? VPN3000 concentrator? Each has some different characteristics in handling nat-traversal and may need either to be upgraded to a current version of the OS or to have its configuration tweaked.
0
 

Author Comment

by:rbnzapps
ID: 21755173
Hi Irmoore - thanks for the comment.

I'm not sure what is handling the host end of the VPN, will enquire and find out for you.

Is it possible that a problem on the host end could be causing my problems even while working properly for most of my colleagues?

To clarify - I've been experiencing this particular problem for close to eighteen months. Most of the time, my VPN connection works flawlessly, but on rare occasions it doesn't. Unfortunately, when it does fail, a simple reboot isn't enough to fix things - it tends to stay broken for a time (a week or two), and then I'll find that it works again.

What's really odd this time around is the "partial failure" situation - using my mobile PC card works flawlessly, but using normal Wireless fails completely. Weird.

Will get back with the details you asked for shortly.
0
 

Author Comment

by:rbnzapps
ID: 21755420
Hi Irmoore.

Found the answer to your question - we use a VPN3000 Concentrator.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21759060
Have the administrator make sure that NAT-T is enabled on the VPN3000.
0
 

Author Comment

by:rbnzapps
ID: 21774443
Thanks for the suggestion - I've asked for this to be checked. Will let you know what our Admin says.
0
 

Author Comment

by:rbnzapps
ID: 21798013
Sorry for the delay - our Admin guy has been a bit swamped. Have chased him up, hope to have the NAT-T option checked out soon.
0
 

Author Comment

by:rbnzapps
ID: 21798429
Here we go: Our Admin says that NAT-T *is* enabled on the VPN3000.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 21798511
OK, then on your VPN client, Transport tab, you have several options. You'll have to try each option:
1. check [x] Enable Transparent Tunneling
    (*) IPSec over UDP
    ( ) IPSec over TCP
2. [x] Enable Transparent Tunneling
    ( ) IPSec over UDP
    (*) IPSec over TCP     TCP Port [10000]

3. Uncheck [ ] Enable Transparent Tunneling

It only makes sense that the NAT-T is not properly configured, and here's why:
1. You can work OK when on Mobile PC Card (Cellular?) - you may be getting a Public IP address and the cellular company does not NAT your traffic.
2. You can't work on WiFi site because WiFi usually *is* natted after you get a private IP address.
If you are behind a NAT device and VPN does not work, the only explanation is NAT-T.

 
0
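How standards-based IKE NAT-Traversal decides that a client is behind NAT, which is the distinction the answer above draws between the cellular and WiFi connections. This is an added example, not code from the thread or from Cisco; it follows the RFC 3947 NAT-D hash exchange, and the cookies, ports and documentation-range addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port)."""
    endpoint = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, cky_i + cky_r + endpoint).digest()

def build_nat_d(cky_i, cky_r, local, remote):
    """NAT-D payloads as sent: remote (destination) end first, then local (source) end."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]

def detect_nat(cky_i, cky_r, nat_d, seen_src, seen_dst):
    """Receiver recomputes both hashes from the addresses on the packet it actually got."""
    dst_hash, src_hashes = nat_d[0], nat_d[1:]
    return {
        "sender_behind_nat": nat_d_hash(cky_i, cky_r, *seen_src) not in src_hashes,
        "receiver_behind_nat": nat_d_hash(cky_i, cky_r, *seen_dst) != dst_hash,
    }

# Constructed sample values (RFC 5737 documentation addresses, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
GATEWAY = ("203.0.113.10", 500)
WIFI_CLIENT = ("192.168.1.23", 500)      # private address behind a home router
WIFI_AS_SEEN = ("198.51.100.7", 31522)   # source after the router's PAT rewrite
CELL_CLIENT = ("198.51.100.50", 500)     # public address, no translation

def gateway_view(client, as_seen):
    """What the gateway concludes from the client's NAT-D payloads."""
    payloads = build_nat_d(CKY_I, CKY_R, client, GATEWAY)
    return detect_nat(CKY_I, CKY_R, payloads, as_seen, GATEWAY)

if __name__ == "__main__":
    print("WiFi:    ", gateway_view(WIFI_CLIENT, WIFI_AS_SEEN))
    print("Cellular:", gateway_view(CELL_CLIENT, CELL_CLIENT))
```

When either flag is true, RFC 3947 peers move IKE to UDP 4500 and RFC 3948 wraps ESP in UDP so the translator has ports to track. If encapsulation is not negotiated on both ends, IKE can still complete while ESP replies never reach the client, a failure mode that matches authenticating with 0 bytes received.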
 

Author Comment

by:rbnzapps
ID: 21799116
Thanks, Irmoore - I'll test those configurations and post back the results.
0
 

Author Comment

by:rbnzapps
ID: 21807757
Well, did the tests, and had some strange results.

I didn't test with "IPSec over TCP" because my admin advised this wasn't configured.

Test #1: Enable Transparent Tunnelling, selected IPSec over UDP
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #2: Disable Transparent Tunnelling
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

I decided to do further testing, trying combinations of other configurable options. First, I introduced the "Stateful Firewall (Always On)" option.

Test #3: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #4: Disable Transparent Tunnelling, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #5: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #6: Disable Transparent Tunnelling, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

No change, so I put everything back to how it was.

Test #7: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Worked

That's right - Worked.

I put all the settings back to *exactly* the way they were originally, and now the VPN works over Wireless.

Any ideas why things have started working?

I'm kinda concerned that we haven't actually fixed anything - it's more a case that the problem has "gone away" - and I'm worried that it might "come back" just as easily.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21812515
I'm afraid I can't explain that other than it seemed to have cleared something by changing and then changing back.
I have one XP machine that no matter what, I can get connected and I see exactly 1380 bytes received, no more, and cannot access anything over the VPN. This same behavior no matter which of many different end sites I connect to in any combination of the above. Every other machine I have works perfectly fine. I've done everything I know how to do. The machine is flawless otherwise. If I need to VPN anywhere I have to open up a Virtual machine and do it from there.
It is what it is and that's all that it is....
0
 

Author Comment

by:rbnzapps
ID: 21816827
Definitely a case of sustained weirdness.

It seems that the Cisco VPN software is a bit brittle - when it works, it works well, but sometimes it just doesn't work.

As you said "It is what it is and that's all that it is."

I'm very pleased that my VPN is up and running - thanks very much for your help.
0
 

Expert Comment

by:AnchITSupport
ID: 39892503
This fix works. Got it from another post and works great.

Funny, but... the fix is from a VMware website with a fix from Citrix to fix Cisco. HA... where do I begin with what is wrong with this picture... CISCO

http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.Uw96VvldVSc
0
