• Status: Solved

VPN Connection fails with 0 bytes received

I have an "interesting" transient problem with my laptop's VPN connection - sometimes the VPN connection works perfectly, and other times it just doesn't work at all.

The Cisco VPN client software is version 4.8.01.0300. Operating system is Windows XP SP2.

Transport is configured with "Enable Transparent Tunnelling" and "IPSec over UDP (NAT/PAT)" selected.

When the connection fails, the client statistics window shows "Bytes Received: 0" and "Packets Decrypted: 0".

The weird thing is that the VPN can work properly for months and months, and then stop. Rebooting the system has no effect.

This problem occurs for some other users as well, but never at the same time, and we've failed to solve the problem. Rather, it just seems to "go away", only to recur later.

At the moment, I have a partial failure. Using my mobile PC card, I can go online at 115kb/s and the VPN works well, though slowly. But, going online through my 802.11g wireless fails.

Given that things can work properly for months at a time, and that other users have flawless access while I experience this problem, I'm pretty sure the issue is local to my machine.

Through extensive googling, I found a suggestion to tune my MTU using ping to probe the connection. However, I found that both my mobile card and wireless connections maxed out at the same figure - 1272 bytes - so I'm guessing that MTU isn't the source of the problem.
Asked by: rbnzapps
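The ping-based MTU probe mentioned in the question, as an added sketch that is not code from the thread: a binary search over the ICMP payload size with the Don't Fragment flag set. The search bounds, the `ttl=` success check and the function names are assumptions; the result adds 28 bytes of IPv4 and ICMP headers to the largest payload that got through.

```python
import platform
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one echo request of `payload` bytes with Don't Fragment set."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:  # Linux iputils ping
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]
    done = subprocess.run(cmd, capture_output=True, text=True)
    # Assumption: only a real echo reply line carries "TTL=" / "ttl=";
    # "needs to be fragmented" and "unreachable" messages do not.
    return done.returncode == 0 and "ttl=" in done.stdout.lower()


def largest_payload(probe, low=0, high=1472):
    """Binary-search the largest size for which probe(size) succeeds.

    Returns None when even `low` fails (host down or ICMP filtered).
    Assumes success is monotonic: every size below a working one also works.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, look for something larger
        else:
            high = mid - 1     # mid is too big
    return low


def path_mtu(host, probe=ping_df):
    """Path MTU in bytes towards `host`, or None if nothing got through."""
    payload = largest_payload(lambda size: probe(host, size))
    return None if payload is None else payload + IP_ICMP_OVERHEAD
```

Running `path_mtu(...)` against the same host over each connection in turn gives the two figures to compare.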
 
lrmoore Commented:
What are you connecting to? A PIX? ASA? VPN3000 concentrator? Each has some different characteristics in handling NAT traversal and may need either to be upgraded to a current OS version or to have its configuration tweaked.
 
rbnzapps (Author) Commented:
Hi lrmoore - thanks for the comment.

I'm not sure what is handling the host end of the VPN, will enquire and find out for you.

Is it possible that a problem on the host end could be causing my problems even while working properly for most of my colleagues?

To clarify - I've been experiencing this particular problem for close to eighteen months. Most of the time, my VPN connection works flawlessly, but on rare occasions it doesn't. Unfortunately, when it does fail, a simple reboot isn't enough to fix things - it tends to stay broken for a time (a week or two), and then I'll find that it works again.

What's really odd this time around is the "partial failure" situation - using my mobile PC card works flawlessly, but using normal Wireless fails completely. Weird.

Will get back with the details you asked for shortly.
 
rbnzapps (Author) Commented:
Hi lrmoore.

Found the answer to your question - we use a VPN3000 Concentrator.

 
lrmoore Commented:
Have the administrator make sure that NAT-T is enabled on the VPN3000.
 
rbnzapps (Author) Commented:
Thanks for the suggestion - I've asked for this to be checked. Will let you know what our Admin says.
 
rbnzapps (Author) Commented:
Sorry for the delay - our Admin guy has been a bit swamped. Have chased him up, hope to have the NAT-T option checked out soon.
 
rbnzapps (Author) Commented:
Here we go: Our Admin says that NAT-T *is* enabled on the VPN3000.
 
lrmoore Commented:
OK, then on your VPN client, Transport tab, you have several options. You'll have to try each option:
1. check [x] Enable Transparent Tunneling
    (*) IPSec over UDP
    (  ) IPSec over TCP
2. [x] Enable Transparent Tunneling
    (  ) IPSec over UDP
    (*) IPSec over TCP     TCP Port [10000  ]

3. Uncheck [  ] Enable Transparent Tunneling

It only makes sense that the NAT-T is not properly configured, and here's why:
1. You can work OK when on Mobile PC Card (Cellular?) - you may be getting a Public IP address and the cellular company does not NAT your traffic.
2. You can't work on WiFi site because WiFi usually *is* natted after you get a private IP address.
If you are behind a NAT device and VPN does not work, the only explanation is NAT-T.

 
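How standard IKEv1 NAT traversal (RFC 3947) tells apart the two cases in the comment above, as an added example that is not from the thread and not a description of the Cisco client's internals: each peer sends NAT-D hashes of the addresses it believes are in use, and the receiver recomputes them from the packet headers it actually saw. Cookies and addresses are constructed, function names are illustrative, and SHA-1 is assumed as the negotiated hash.

```python
import hashlib
import ipaddress
import struct

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("1122334455667788")   # initiator cookie
CKY_R = bytes.fromhex("99aabbccddeeff00")   # responder cookie
GATEWAY = ("198.51.100.10", 500)            # VPN gateway, public address


def nat_d_hash(ip, port, hash_name="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated for the IKE SA; SHA-1 is assumed here.
    """
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, CKY_I + CKY_R + packed).digest()


def client_nat_d(client, gateway=GATEWAY):
    """NAT-D payloads the client sends: destination first, then its source."""
    return nat_d_hash(*gateway), nat_d_hash(*client)


def gateway_check(natd_dst, natd_src, observed_src, local=GATEWAY):
    """Gateway recomputes both hashes from the headers it actually received."""
    return {
        "gateway_behind_nat": natd_dst != nat_d_hash(*local),
        "client_behind_nat": natd_src != nat_d_hash(*observed_src),
    }


def esp_transport(result):
    """With a NAT on the path, RFC 3947/3948 move IKE and ESP to UDP 4500."""
    if any(result.values()):
        return "ESP in UDP/4500"
    return "native ESP (IP protocol 50)"


def simulate(client, observed_src):
    """client: address the laptop holds; observed_src: what the gateway sees."""
    result = gateway_check(*client_nat_d(client), observed_src)
    return result, esp_transport(result)


# Cellular card holding a public address, no translation on the path.
CELLULAR = simulate(("203.0.113.25", 500), ("203.0.113.25", 500))
# Wi-Fi with a private address; the NAT rewrites source IP and port.
WIFI = simulate(("192.168.1.50", 500), ("203.0.113.80", 31044))
```

Native ESP has no port numbers for a port-translating NAT to map, which is why the UDP-encapsulated mode matters once a NAT is detected.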
 
rbnzapps (Author) Commented:
Thanks, lrmoore - I'll test those configurations and post back the results.
 
rbnzapps (Author) Commented:
Well, did the tests, and had some strange results.

I didn't test with "IPSec over TCP" because my admin advised this wasn't configured.

Test #1: Enable Transparent Tunnelling, selected IPSec over UDP
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #2: Disable Transparent Tunnelling
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

I decided to do further testing, trying combinations of other configurable options. First, I introduced the "Stateful Firewall (Always On)" option.

Test #3: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #4: Disable Transparent Tunnelling, Stateful Firewall unchecked
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #5: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

Test #6: Disable Transparent Tunnelling, Stateful Firewall CHECKED
Result: Fail - could authenticate with VPN, but 0 bytes inbound traffic

No change, so I put everything back to how it was.

Test #7: Enable Transparent Tunnelling, selected IPSec over UDP, Stateful Firewall unchecked
Result: Worked

That's right - Worked.

I put all the settings back to *exactly* the way they were originally, and now the VPN works over Wireless.

Any ideas why things have started working?

I'm kinda concerned that we haven't actually fixed anything - it's more a case that the problem has "gone away" - and I'm worried that it might "come back" just as easily.
 
lrmoore Commented:
I'm afraid I can't explain that other than it seemed to have cleared something by changing and then changing back.
I have one XP machine that no matter what, I can get connected and I see exactly 1380 bytes received, no more, and cannot access anything over the VPN. This same behavior no matter which of many different end sites I connect to in any combination of the above. Every other machine I have works perfectly fine. I've done everything I know how to do. The machine is flawless otherwise. If I need to VPN anywhere I have to open up a Virtual machine and do it from there.
It is what it is and that's all that it is....
 
rbnzapps (Author) Commented:
Definitely a case of sustained weirdness.

It seems that the Cisco VPN software is a bit brittle - when it works, it works well, but sometimes it just doesn't work.

As you said "It is what it is and that's all that it is."

I'm very pleased that my VPN is up and running - thanks very much for your help.
 
AnchITSupport Commented:
This fix works. Got it from another post and it works great.

Funny but.. fix is from a VMware website with a fix from Citrix to fix Cisco. HA.. where do I begin with what is wrong with this picture... CISCO

http://www.vmwareandme.com/2013/12/solved-windows-8-and-windows-81-cisco.html#.Uw96VvldVSc