Cisco VPN Client Not Passing Traffic

Asked by ITTechnology (3,260 views, last modified 2012-05-05)
I have a problem with a Cisco VPN client that cannot pass traffic. The client can log in and initiate the conversation fine, but the VPN client is not receiving any packets back.

When I do a "packet-tracer input inside icmp {vpnclient ip address} 8 0 {valid server ip}"

I get the following:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   DCA-DR          255.255.255.128 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But for the life of me I can't find anything in the configuration that would cause the packet to get dropped.

Here are the relevant parts of the current config:
name 192.168.155.0 DCA-LAN
name 192.168.156.0 DCA-DR
name 192.168.157.128 DCA-VPN

object-group network DCA-LAN
 network-object DCA-LAN 255.255.255.0
object-group network DCA-DR-LAN
 network-object DCA-DR 255.255.255.128

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit ip object-group DCA-LAN object-group DCA-DR-LAN
access-list outside_access_in extended permit ip DCA-VPN 255.255.255.192 object-group DCA-DR-LAN

access-list NONAT extended permit ip object-group DCA-DR-LAN object-group DCA-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192

access-list DCA-CVPN_splitTunnelAcl extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
access-list outside_cryptomap_dyn_10 extended permit ip any DCA-VPN 255.255.255.192
access-list DR-VPN extended permit ip object-group DCA-DR-LAN object-group DCA-LAN

ip local pool DCA-VPN-POOL 192.168.157.129-192.168.157.190 mask 255.255.255.192

nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

group-policy DCA-CVPN internal
group-policy DCA-CVPN attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DCA-CVPN_splitTunnelAcl
 default-domain value domain.name
username support password randomstring encrypted

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map SITELINKS 20 match address DR-VPN
crypto map SITELINKS 20 set peer z.z.z.z
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map SITELINKS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86500
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DCA-CVPN type ipsec-ra
tunnel-group DCA-CVPN general-attributes
 address-pool DCA-VPN-POOL
 default-group-policy DCA-CVPN
tunnel-group DCA-CVPN ipsec-attributes
 pre-shared-key *
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
 pre-shared-key *

I know it is something stupid that I missed, so can someone else point it out to me so I can feel like a boob and move on :-)
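Two things a practitioner would check against the post above before hunting for a missing line. First, the trace was entered with `input inside`, but a remote-access client's decrypted packets enter the ASA on the outside interface, where crypto map SITELINKS is bound; `packet-tracer input outside icmp <vpnclient ip> 8 0 <server ip>` exercises the path the client actually takes, whereas the trace as run simulates a packet that arrives from the inside network and is routed straight back out the same interface (hence `output-interface: inside`). Second, the ACLs can be evaluated offline to see exactly which ACE, if any, a given flow hits. The script below is an added example, not code from the original post: it parses the poster's `name`, `object-group` and `access-list` lines (only the ACE forms that actually appear in the config: `any`, `host`, `ADDR MASK`, `object-group`) and performs the ASA's first-match lookup with an implicit deny at the end. The client address 192.168.157.130, the server 192.168.156.10 and the host 192.168.156.200 are constructed for illustration.

```python
"""Added example: evaluate the posted ASA ACLs against a candidate flow.

Not from the original post. It implements only the ACE forms that appear in
the poster's config (any / host / ADDR MASK / object-group, named networks),
and the flows below are constructed for illustration.
"""
import ipaddress

# Constructed excerpt of the poster's names, object-groups and ACLs.
CONFIG = """\
name 192.168.155.0 DCA-LAN
name 192.168.156.0 DCA-DR
name 192.168.157.128 DCA-VPN
object-group network DCA-LAN
 network-object DCA-LAN 255.255.255.0
object-group network DCA-DR-LAN
 network-object DCA-DR 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object-group DCA-LAN object-group DCA-DR-LAN
access-list outside_access_in extended permit ip DCA-VPN 255.255.255.192 object-group DCA-DR-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN object-group DCA-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
"""


def parse_addr(tok, names, groups):
    """Consume one address spec from tok; return (list of networks, rest)."""
    kw = tok[0]
    if kw == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if kw == "object-group":
        return list(groups[tok[1]]), tok[2:]
    if kw == "host":
        # a bare address becomes a /32
        return [ipaddress.ip_network(names.get(tok[1], tok[1]))], tok[2:]
    # ADDR MASK, where ADDR may be a "name" alias; ip_network accepts dotted masks
    addr = names.get(kw, kw)
    return [ipaddress.ip_network(f"{addr}/{tok[1]}", strict=False)], tok[2:]


def parse_config(text):
    """Return {acl_name: [(action, proto, src_nets, dst_nets), ...]}."""
    names, groups, acls = {}, {}, {}
    group = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name ADDR ALIAS
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = tok[2]
            groups[group] = []
        elif tok[0] == "network-object":          # member of the current group
            nets, _ = parse_addr(tok[1:], names, groups)
            groups[group].extend(nets)
        elif tok[0] == "access-list" and tok[2] == "extended":
            name, action, proto = tok[1], tok[3], tok[4]
            src, rest = parse_addr(tok[5:], names, groups)
            dst, _ = parse_addr(rest, names, groups)
            acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def evaluate(acls, acl_name, proto, src, dst):
    """First-match lookup like the ASA: returns (action, ACE index).

    Falls through to ("deny", None), the implicit deny that packet-tracer
    reports as 'Implicit Rule'.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, ace_proto, srcs, dsts) in enumerate(acls.get(acl_name, [])):
        if ace_proto not in ("ip", proto):
            continue
        if any(s in n for n in srcs) and any(d in n for n in dsts):
            return action, idx
    return "deny", None


ACLS = parse_config(CONFIG)

if __name__ == "__main__":
    vpn_client, dr_server = "192.168.157.130", "192.168.156.10"   # constructed
    checks = [
        ("outside_access_in", "icmp", vpn_client, dr_server),
        ("outside_access_in", "tcp", vpn_client, dr_server),
        ("NONAT", "tcp", dr_server, vpn_client),   # inside host -> client: exempted
        ("NONAT", "tcp", vpn_client, dr_server),   # reversed: no ACE, falls through
        ("outside_access_in", "tcp", vpn_client, "192.168.156.200"),  # above the /25
    ]
    for acl, proto, s, d in checks:
        print(f"{acl:18} {proto:4} {s} -> {d}: {evaluate(ACLS, acl, proto, s, d)}")
```

Against the posted config the client-to-server flow is permitted by the third `outside_access_in` ACE, and the server-to-client return flow is exempted from NAT by the second `NONAT` ACE, so the ACLs as written do not explain the drop for a server inside 192.168.156.0/25. The last check is the caveat worth keeping in mind: `DCA-DR-LAN` is a /25, so any host in 192.168.156.128-255 is neither permitted inbound nor exempted from `nat (inside) 1`, and would be PATed rather than returned through the tunnel.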