Solved

VPN Connection fails with 0 bytes received

Posted on 2008-06-09
Last Modified: 2014-02-27
I have an "interesting" transient problem with my laptop's VPN connection - sometimes the VPN connection works perfectly, and other times it just doesn't work at all.

The Cisco VPN client software is version 4.8.01.0300. Operating system is Windows XP SP2.

Transport is configured with "Enable Transparent Tunnelling" and "IPSec over UDP (NAT/PAT)" selected.

When the connection fails, the client statistics window shows "Bytes Received: 0" and "Packets Decrypted: 0".

The weird thing is that the VPN can work properly for months and months, and then stop. Rebooting the system has no effect.

This problem occurs for some other users as well, but never at the same time, and we've failed to solve the problem. Rather, it just seems to "go away", only to recur later.

At the moment, I have a partial failure. Using my mobile PC card, I can go online at 115kb/s and the VPN works well, though slowly. But, going online through my 802.11g wireless fails.

Given that things can work properly for months at a time, and that other users have flawless access while I experience this problem, I'm pretty sure the issue is local to my machine.

Through extensive googling, I found a suggestion to tune my MTU using ping to probe the connection. However, I found that both my mobile card and wireless connections maxed out at the same figure - 1272 bytes - so I'm guessing that MTU isn't the source of the problem.
0
Question by:rbnzapps
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 21750501
What are you connecting to? A PIX? ASA? VPN3000 concentrator? Each has some different characteristics in handling nat-traversal and may need either to be upgraded to a current version of the OS or to have its configuration tweaked.
0
 

Author Comment

by:rbnzapps
ID: 21755173
Hi Irmoore - thanks for the comment.

I'm not sure what is handling the host end of the VPN, will enquire and find out for you.

Is it possible that a problem on the host end could be causing my problems even while working properly for most of my colleagues?

To clarify - I've been experiencing this particular problem for close to eighteen months. Most of the time, my VPN connection works flawlessly, but on rare occasions it doesn't. Unfortunately, when it does fail, a simple reboot isn't enough to fix things - it tends to stay broken for a time (a week or two), and then I'll find that it works again.

What's really odd this time around is the "partial failure" situation - using my mobile PC card works flawlessly, but using normal Wireless fails completely. Weird.

Will get back with the details you asked for shortly.
0
 

Author Comment

by:rbnzapps
ID: 21755420
Hi Irmoore.

Found the answer to your question - we use a VPN3000 Concentrator.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21759060
Have the administrator make sure that NAT-T is enabled on the VPN3000.
0
 

Author Comment

by:rbnzapps
ID: 21774443
Thanks for the suggestion - I've asked for this to be checked. Will let you know what our Admin says.
0
 

Author Comment

by:rbnzapps
ID: 21798013
Sorry for the delay - our Admin guy has been a bit swamped. Have chased him up, hope to have the NAT-T option checked out soon.
0

 

Author Comment

by:rbnzapps
ID: 21798429
Here we go: Our Admin says that NAT-T *is* enabled on the VPN3000.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 21798511
OK, then on your VPN client, Transport tab, you have several options. You'll have to try each option:
1. check [x] Enable Transparent Tunneling
    (*) IPSec over UDP
    (  ) IPSec over TCP
2. [x] Enable Transparent Tunneling
    (  ) IPSec over UDP
    (*) IPSec over TCP     TCP Port [10000  ]

3. Uncheck [  ] Enable Transparent Tunneling

It only makes sense that the NAT-T is not properly configured, and here's why:
1. You can work OK when on Mobile PC Card (Cellular?) - you may be getting a Public IP address and the cellular company does not NAT your traffic.
2. You can't work on WiFi site because WiFi usually *is* natted after you get a private IP address.
If you are behind a NAT device and VPN does not work, the only explanation is NAT-T.

 
0
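The reasoning in the accepted answer, as an added example that is not part of the original thread: IKE authenticates over UDP, but tunnel data sent as bare ESP (IP protocol 50) has no ports for a NAT/PAT device to map, so nothing comes back. The record layout, function names and sample captures are assumptions constructed for illustration; 198.51.100.7 is a documentation address standing in for a public cellular address.

```python
import ipaddress

# Ranges that normally sit behind NAT/PAT: RFC 1918 plus RFC 6598 (carrier-grade NAT).
NATTED = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(local_ip):
    addr = ipaddress.ip_address(local_ip)
    return any(addr in net for net in NATTED)

def classify(pkt):
    """Map one capture record to 'ike', 'native-esp' or 'encapsulated'."""
    if pkt["payload"] == "ike":
        return "ike"
    # ESP as bare IP protocol 50 has no ports for a PAT device to track;
    # ESP wrapped in UDP (NAT-T, RFC 3948) or TCP does.
    return "native-esp" if pkt["proto"] == "esp" else "encapsulated"

def diagnose(local_ip, packets):
    """Explain a capture taken on the client while the VPN is 'connected'."""
    seen = {(p["dir"], classify(p)) for p in packets}
    data = ("native-esp", "encapsulated")
    if ("in", "ike") not in seen:
        return "no-ike-reply"            # never got as far as authenticating
    if any(("in", k) in seen for k in data):
        return "tunnel-ok"
    if not any(("out", k) in seen for k in data):
        return "no-tunnel-traffic"
    if ("out", "native-esp") in seen and behind_nat(local_ip):
        return "native-esp-behind-nat"   # authenticated, 0 bytes received
    return "encapsulated-but-no-return"  # look at firewalls / the head end

def rec(direction, proto, port, payload):
    return {"dir": direction, "proto": proto, "port": port, "payload": payload}

# Constructed sample captures (hypothetical, not taken from the thread).
IKE = [rec("out", "udp", 500, "ike"), rec("in", "udp", 500, "ike")]
WIFI_NO_NATT = IKE + [rec("out", "esp", None, "esp")] * 3
WIFI_NATT = IKE + [rec("out", "udp", 4500, "esp"), rec("in", "udp", 4500, "esp")]
CELLULAR = IKE + [rec("out", "esp", None, "esp"), rec("in", "esp", None, "esp")]

if __name__ == "__main__":
    print(diagnose("192.168.1.23", WIFI_NO_NATT))
    print(diagnose("192.168.1.23", WIFI_NATT))
    print(diagnose("198.51.100.7", CELLULAR))
```

The last return value covers the case where UDP encapsulation is already selected and inbound traffic is still zero, which points away from the client transport setting.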
 

Author Comment

by:rbnzapps
ID: 21799116
Thanks, Irmoore - I'll test those configurations and post back the results.
0
 

Author Comment

by:rbnzapps
ID: 21807757
Well, did the tests, and had some strange results.

I didn't test with "IPSec over TCP" because my admin advised this wasn't configured.

Test #1: Enable Transparent Tunnelling, selected IPSec over UDP
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #2: Disable Transparent Tunnelling
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

I decided to do further testing, trying combinations of other configurable options. First, I introduced the "Stateful Firewall (Always On)" option.

Test #3: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #4: Disable Transparent Tunnelling, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #5: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #6: Disable Transparent Tunnelling, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

No change, so I put everything back to how it was.

Test #7: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Worked

That's right - Worked.

I put all the settings back to *exactly* the way they were originally, and now the VPN works over Wireless.

Any ideas why things have started working?

I'm kinda concerned that we haven't actually fixed anything - it's more a case that the problem has "gone away" - and I'm worried that it might "come back" just as easily.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21812515
I'm afraid I can't explain that other than it seemed to have cleared something by changing and then changing back.
I have one XP machine that no matter what, I can get connected and I see exactly 1380 bytes received, no more, and cannot access anything over the VPN. This same behavior no matter which of many different end sites I connect to in any combination of the above. Every other machine I have works perfectly fine. I've done everything I know how to do. The machine is flawless otherwise. If I need to VPN anywhere I have to open up a Virtual machine and do it from there.
It is what it is and that's all that it is....
0
 

Author Comment

by:rbnzapps
ID: 21816827
Definitely a case of sustained weirdness.

It seems that the Cisco VPN software is a bit brittle - when it works, it works well, but sometimes it just doesn't work.

As you said "It is what it is and that's all that it is."

I'm very pleased that my VPN is up and running - thanks very much for your help.
0
 

Expert Comment

by:AnchITSupport
ID: 39892503
This fix works. Got it from another post and works great.

Funny but.. fix is from a VMware website with a fix from Citrix to fix Cisco. HA.. where do I begin with what is wrong with this picture... CISCO

http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.Uw96VvldVSc
0
