Solved

VPN Connection fails with 0 bytes received

Posted on 2008-06-09
Last Modified: 2014-02-27
I have an "interesting" transient problem with my laptop's VPN connection - sometimes the VPN connection works perfectly, and other times it just doesn't work at all.

The Cisco VPN client software is version 4.8.01.0300. Operating system is Windows XP SP2.

Transport is configured with "Enable Transparent Tunnelling" and "IPSec over UDP (NAT/PAT)" selected.

When the connection fails, the client statistics window shows "Bytes Received: 0" and "Packets Decrypted: 0".

The weird thing is that the VPN can work properly for months and months, and then stop. Rebooting the system has no effect.

This problem occurs for some other users as well, but never at the same time, and we've failed to solve the problem. Rather, it just seems to "go away", only to recur later.

At the moment, I have a partial failure. Using my mobile PC card, I can go online at 115kb/s and the VPN works well, though slowly. But, going online through my 802.11g wireless fails.

Given that things can work properly for months at a time, and that other users have flawless access while I experience this problem, I'm pretty sure the issue is local to my machine.

Through extensive googling, I found a suggestion to tune my MTU using ping to probe the connection. However, I found that both my mobile card and wireless connections maxed out at the same figure - 1272 bytes - so I'm guessing that MTU isn't the source of the problem.
0
Question by:rbnzapps
13 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 21750501
What are you connecting to? A PIX? ASA? VPN3000 concentrator? Each has some different characteristics in handling nat-traversal and may need either to be upgraded to a current version of the OS or to have its configuration tweaked.
0
 

Author Comment

by:rbnzapps
ID: 21755173
Hi Irmoore - thanks for the comment.

I'm not sure what is handling the host end of the VPN, will enquire and find out for you.

Is it possible that a problem on the host end could be causing my problems even while working properly for most of my colleagues?

To clarify - I've been experiencing this particular problem for close to eighteen months. Most of the time, my VPN connection works flawlessly, but on rare occasions it doesn't. Unfortunately, when it does fail, a simple reboot isn't enough to fix things - it tends to stay broken for a time (a week or two), and then I'll find that it works again.

What's really odd this time around is the "partial failure" situation - using my mobile PC card works flawlessly, but using normal Wireless fails completely. Weird.

Will get back with the details you asked for shortly.
0
 

Author Comment

by:rbnzapps
ID: 21755420
Hi Irmoore.

Found the answer to your question - we use a VPN3000 Concentrator.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21759060
Have the administrator make sure that NAT-T is enabled on the VPN3000.
0
 

Author Comment

by:rbnzapps
ID: 21774443
Thanks for the suggestion - I've asked for this to be checked. Will let you know what our Admin says.
0
 

Author Comment

by:rbnzapps
ID: 21798013
Sorry for the delay - our Admin guy has been a bit swamped. Have chased him up, hope to have the NAT-T option checked out soon.
0
 

Author Comment

by:rbnzapps
ID: 21798429
Here we go: Our Admin says that NAT-T *is* enabled on the VPN3000.
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 21798511
OK, then on your VPN client, Transport tab, you have several options. You'll have to try each option:
1. check [x] Enable Transparent Tunneling
    (*) IPSec over UDP
    (  ) IPSec over TCP
2. [x] Enable Transparent Tunneling
    (  ) IPSec over UDP
    (*) IPSec over TCP     TCP Port [10000  ]

3. Uncheck [  ] Enable Transparent Tunneling

It only makes sense that the NAT-T is not properly configured, and here's why:
1. You can work OK when on Mobile PC Card (Cellular?) - you may be getting a Public IP address and the cellular company does not NAT your traffic.
2. You can't work on WiFi site because WiFi usually *is* natted after you get a private IP address.
If you are behind a NAT device and VPN does not work, the only explanation is NAT-T.

 
0
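The accepted answer's reasoning (authentication succeeds, yet nothing comes back when the client sits behind NAT) can be checked against a packet capture. The following is an added example, not part of the original thread: it classifies capture records according to standard NAT-T (RFC 3948: UDP 4500, four-zero-byte non-ESP marker, 0xFF keepalive) and reports which case applies. The record format, function names and sample captures are constructed for illustration, and Cisco's own IPSec over UDP/TCP modes are not modelled.

```python
import ipaddress

# Ranges that mean a translator sits between this client and the Internet
# (RFC 1918 private space plus RFC 6598 carrier-grade NAT space).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def behind_nat(local_ip):
    addr = ipaddress.ip_address(local_ip)
    return any(addr in net for net in NAT_RANGES)

def channel(pkt):
    """Classify one capture record as 'ike', 'esp', 'esp-udp', 'keepalive' or 'other'."""
    ports = (pkt.get("sport"), pkt.get("dport"))
    if pkt["proto"] == "esp":                 # IP protocol 50: no ports for NAPT to map
        return "esp"
    if pkt["proto"] == "udp" and 500 in ports:
        return "ike"
    if pkt["proto"] == "udp" and 4500 in ports:
        head = bytes.fromhex(pkt["payload"])  # first bytes of the UDP payload, as hex
        if head == b"\xff":                   # RFC 3948 NAT-keepalive
            return "keepalive"
        # Four zero bytes are the non-ESP marker (IKE); otherwise it is an ESP SPI.
        return "ike" if head[:4] == b"\x00" * 4 else "esp-udp"
    return "other"

def diagnose(local_ip, packets):
    seen = {(channel(p), p["dir"]) for p in packets}
    if not {("ike", "out"), ("ike", "in")} <= seen:
        return "ike-incomplete"
    if ("esp", "in") in seen or ("esp-udp", "in") in seen:
        return "tunnel-passing-traffic"
    if ("esp", "out") in seen and behind_nat(local_ip):
        return "raw-esp-behind-nat"           # NAT-T was not negotiated
    if ("esp", "out") in seen or ("esp-udp", "out") in seen:
        return "no-return-traffic"
    return "no-data-sent"

# Constructed capture summaries (not taken from the thread).
WIFI = [{"dir": "out", "proto": "udp", "sport": 500, "dport": 500},
        {"dir": "in", "proto": "udp", "sport": 500, "dport": 500},
        {"dir": "out", "proto": "esp"}, {"dir": "out", "proto": "esp"}]
NAT_T = WIFI[:2] + [
    {"dir": "out", "proto": "udp", "sport": 4500, "dport": 4500, "payload": "00000000"},
    {"dir": "out", "proto": "udp", "sport": 4500, "dport": 4500, "payload": "1a2b3c4d"},
    {"dir": "in", "proto": "udp", "sport": 4500, "dport": 4500, "payload": "9f8e7d6c"}]

if __name__ == "__main__":
    print(diagnose("192.168.1.23", WIFI))     # raw-esp-behind-nat
    print(diagnose("192.168.1.23", NAT_T))    # tunnel-passing-traffic
```

A result of `raw-esp-behind-nat` matches the symptom reported in this thread: IKE completes over UDP 500, so the client authenticates, but unencapsulated ESP cannot be mapped back through a port-translating NAT and the received byte counter stays at 0.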
 

Author Comment

by:rbnzapps
ID: 21799116
Thanks, Irmoore - I'll test those configurations and post back the results.
0
 

Author Comment

by:rbnzapps
ID: 21807757
Well, did the tests, and had some strange results.

I didn't test with "IPSec over TCP" because my admin advised this wasn't configured.

Test #1: Enable Transparent Tunnelling, selected IPSec over UDP
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #2: Disable Transparent Tunnelling
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

I decided to do further testing, trying combinations of other configurable options. First, I introduced the "Stateful Firewall (Always On)" option.

Test #3: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #4: Disable Transparent Tunnelling, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #5: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #6: Disable Transparent Tunnelling, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

No change, so I put everything back to how it was.

Test #7: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Worked

That's right - Worked.

I put all the settings back to *exactly* the way they were originally, and now the VPN works over Wireless.

Any ideas why things have started working?

I'm kinda concerned that we haven't actually fixed anything - it's more a case that the problem has "gone away" - and I'm worried that it might "come back" just as easily.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 21812515
I'm afraid I can't explain that other than it seemed to have cleared something by changing and then changing back.
I have one XP machine that no matter what, I can get connected and I see exactly 1380 bytes received, no more, and cannot access anything over the VPN. This same behavior no matter which of many different end sites I connect to in any combination of the above. Every other machine I have works perfectly fine. I've done everything I know how to do. The machine is flawless otherwise. If I need to VPN anywhere I have to open up a Virtual machine and do it from there.
It is what it is and that's all that it is....
0
 

Author Comment

by:rbnzapps
ID: 21816827
Definitely a case of sustained weirdness.

It seems that the Cisco VPN software is a bit brittle - when it works, it works well, but sometimes it just doesn't work.

As you said "It is what it is and that's all that it is."

I'm very pleased that my VPN is up and running - thanks very much for your help.
0
 

Expert Comment

by:AnchITSupport
ID: 39892503
This fix works. Got it from another post and works great.

Funny but.. fix is from a vmware website with a fix from citrix to fix cisco. HA.. where do I begin with what is wrong with this picture... CISCO

http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.Uw96VvldVSc
0
