Solved

VPN Connection fails with 0 bytes received

Posted on 2008-06-09
Last Modified: 2014-02-27
I have an "interesting" transient problem with my laptop's VPN connection - sometimes the VPN connection works perfectly, and other times it just doesn't work at all.

The Cisco VPN client software is version 4.8.01.0300. Operating system is Windows XP SP2.

Transport is configured with "Enable Transparent Tunnelling" and "IPSec over UDP (NAT/PAT)" selected.

When the connection fails, the client statistics window shows "Bytes Received: 0" and "Packets Decrypted: 0".

The weird thing is that the VPN can work properly for months and months, and then stop. Rebooting the system has no effect.

This problem occurs for some other users as well, but never at the same time, and we've failed to solve the problem. Rather, it just seems to "go away", only to recur later.

At the moment, I have a partial failure. Using my mobile PC card, I can go online at 115kb/s and the VPN works well, though slowly. But, going online through my 802.11g wireless fails.

Given that things can work properly for months at a time, and that other users have flawless access while I experience this problem, I'm pretty sure the issue is local to my machine.

Through extensive googling, I found a suggestion to tune my MTU using ping to probe the connection. However, I found that both my mobile card and wireless connections maxed out at the same figure - 1272 bytes - so I'm guessing that MTU isn't the source of the problem.
Question by:rbnzapps
 
LVL 79

Expert Comment

by:lrmoore
ID: 21750501
What are you connecting to? A PIX? ASA? VPN3000 concentrator? Each has some different characteristics in handling nat-traversal and may need to either be upgraded to a current version of OS or have the configuration tweaked.
0
 

Author Comment

by:rbnzapps
ID: 21755173
Hi Irmoore - thanks for the comment.

I'm not sure what is handling the host end of the VPN, will enquire and find out for you.

Is it possible that a problem on the host end could be causing my problems even while working properly for most of my colleagues?

To clarify - I've been experiencing this particular problem for close to eighteen months. Most of the time, my VPN connection works flawlessly, but on rare occasions it doesn't. Unfortunately, when it does fail, a simple reboot isn't enough to fix things - it tends to stay broken for a time (a week or two), and then I'll find that it works again.

What's really odd this time around is the "partial failure" situation - using my mobile PC card works flawlessly, but using normal Wireless fails completely. Weird.

Will get back with the details you asked for shortly.
0
 

Author Comment

by:rbnzapps
ID: 21755420
Hi Irmoore.

Found the answer to your question - we use a VPN3000 Concentrator.
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 21759060
Have the administrator make sure that NAT-T is enabled on the VPN3000.
0
 

Author Comment

by:rbnzapps
ID: 21774443
Thanks for the suggestion - I've asked for this to be checked. Will let you know what our Admin says.
0
 

Author Comment

by:rbnzapps
ID: 21798013
Sorry for the delay - our Admin guy has been a bit swamped. Have chased him up, hope to have the NAT-T option checked out soon.
0
 

Author Comment

by:rbnzapps
ID: 21798429
Here we go: Our Admin says that NAT-T *is* enabled on the VPN3000.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 21798511
OK, then on your VPN client, Transport tab, you have several options. You'll have to try each option:
1. check [x] Enable Transparent Tunneling
    (*) IPSec over UDP
    (  ) IPSec over TCP
2. [x] Enable Transparent Tunneling
    (  ) IPSec over UDP
    (*) IPSec over TCP     TCP Port [10000  ]

3. Uncheck [  ] Enable Transparent Tunneling

It only makes sense that the NAT-T is not properly configured, and here's why:
1. You can work OK when on Mobile PC Card (Cellular?) - you may be getting a Public IP address and the cellular company does not NAT your traffic.
2. You can't work on WiFi site because WiFi usually *is* natted after you get a private IP address.
If you are behind a NAT device and VPN does not work, the only explanation is NAT-T.

 
0
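The reasoning in the accepted answer (authentication succeeds, yet nothing is received once the client sits behind NAT) can be checked against a packet capture. The Python below is an added example, not part of the original thread or of Cisco's software. It assumes standard NAT-T framing (RFC 3948, UDP 4500) rather than the client's own "IPSec over UDP" mode, and every capture record, address and verdict name in it is constructed for illustration.

```python
import ipaddress
from collections import Counter

# Address ranges that normally mean "behind NAT": RFC 1918 plus carrier-grade NAT.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed capture summary: (direction, IP protocol, src port, dst port, payload start)
SAMPLE_WIFI = [
    ("out", 17, 500, 500, b"\x5a\x11\x22\x33"),    # IKE request
    ("in", 17, 500, 500, b"\x5a\x11\x22\x33"),     # IKE reply: authentication succeeds
    ("out", 50, None, None, b"\x9a\x01\x02\x03"),  # raw ESP leaves the laptop...
    ("out", 50, None, None, b"\x9a\x01\x02\x03"),  # ...and nothing ever comes back
]

def behind_nat(local_ip):
    addr = ipaddress.ip_address(local_ip)
    return any(addr in net for net in NAT_RANGES)

def classify(ip_proto, sport, dport, payload):
    """Label one packet by IP protocol number and RFC 3948 framing."""
    if ip_proto == 50:
        return "esp-raw"                       # ESP directly over IP, no ports for NAT to map
    if ip_proto != 17:
        return "other"
    if 4500 in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"            # one-byte NAT keepalive
        if payload[:4] == b"\x00" * 4:
            return "ike"                       # non-ESP marker precedes IKE on 4500
        return "esp-udp"                       # non-zero SPI: UDP-encapsulated ESP
    return "ike" if 500 in (sport, dport) else "other"

def diagnose(local_ip, packets):
    """Turn a capture summary into one verdict for a tunnel that looks dead."""
    seen = Counter((d, classify(p, s, t, data)) for d, p, s, t, data in packets)
    if not (seen["out", "ike"] and seen["in", "ike"]):
        return "ike-incomplete"
    if seen["in", "esp-raw"] + seen["in", "esp-udp"] > 0:
        return "tunnel-passing-traffic"
    if seen["out", "esp-raw"] and behind_nat(local_ip):
        return "raw-esp-behind-nat"            # authenticated, 0 bytes received
    if seen["out", "esp-udp"]:
        return "encapsulated-but-no-return"    # look upstream: firewall or concentrator
    return "no-return-traffic"
```

A verdict of `raw-esp-behind-nat` matches the Wi-Fi symptom in this thread, while `encapsulated-but-no-return` means the client is encapsulating correctly and the loss is somewhere past it.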
 

Author Comment

by:rbnzapps
ID: 21799116
Thanks, Irmoore - I'll test those configurations and post back the results.
0
 

Author Comment

by:rbnzapps
ID: 21807757
Well, did the tests, and had some strange results.

I didn't test with "IPSec over TCP" because my admin advised this wasn't configured.

Test #1: Enable Transparent Tunnelling, selected IPSec over UDP
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #2: Disable Transparent Tunnelling
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

I decided to do further testing, trying combinations of other configurable options. First, I introduced the "Stateful Firewall (Always On)" option.

Test #3: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #4: Disable Transparent Tunnelling, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #5: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #6: Disable Transparent Tunnelling, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

No change, so I put everything back to how it was.

Test #7: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Worked

That's right - Worked.

I put all the settings back to *exactly* the way they were originally, and now the VPN works over Wireless.

Any ideas why things have started working?

I'm kinda concerned that we haven't actually fixed anything - it's more a case that the problem has "gone away" - and I'm worried that it might "come back" just as easily.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21812515
I'm afraid I can't explain that other than it seemed to have cleared something by changing and then changing back.
I have one XP machine that no matter what, I can get connected and I see exactly 1380 bytes received, no more, and cannot access anything over the VPN. This same behavior no matter which of many different end sites I connect to in any combination of the above. Every other machine I have works perfectly fine. I've done everything I know how to do. The machine is flawless otherwise. If I need to VPN anywhere I have to open up a Virtual machine and do it from there.
It is what it is and that's all that it is....
0
 

Author Comment

by:rbnzapps
ID: 21816827
Definitely a case of sustained weirdness.

It seems that the Cisco VPN software is a bit brittle - when it works, it works well, but sometimes it just doesn't work.

As you said "It is what it is and that's all that it is."

I'm very pleased that my VPN is up and running - thanks very much for your help.
0
 

Expert Comment

by:AnchITSupport
ID: 39892503
This fix works. Got it from another post and works great.

Funny but.. fix is from a VMware website with a fix from Citrix to fix Cisco. HA.. where do I begin with what is wrong with this picture... CISCO

http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.Uw96VvldVSc
0
