Solved

WHY WOULD AN ISP BLOCK SPLIT-TUNNEL TRAFFIC

Posted on 2009-04-10
Last Modified: 2013-12-24
Hi guys,

I would like someone to please advise me why an ISP would block split-tunnel traffic on their network.

At the moment I think the ISP we are using has blocked our split-tunnel traffic from passing through their network. I don't know why, please kindly give me some reason.

Thanks
Question by:lawre1108
22 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24123077
To the ISP, split-tunnelled traffic looks no different than traffic to the Internet when not connected to the VPN, or do you mean they are blocking the VPN?  Or, can you establish the VPN but can't get to the Internet?  If that is the case, are you sure you are split tunneling on the VPN server?

Author Comment

by:lawre1108
ID: 24124475
Thanks JFrederick29, I don't know if the way I phrased the question is the right way, but looking at your comment, you may be right.
But let me explain why I think the problem is a split-tunnel issue.

The problem relates to a remote site, where every other network activity is working perfectly, but we cannot access the internet. When we try to access any web site it comes back with an Internet Explorer pop-up with the message "Internet Explorer could not open the search page".

What I did next was to use a proxy server on the Internet Explorer proxy server page.

i.e. in IE, I click on Tools > Internet Options > Connections > LAN settings, click the button that says "Use a proxy server for your LAN" and put in the proxy address and port 80. With this in place we can access any web site.

Just to make sure I did not miss anything in the configuration, I decided to compare the config with another site with a similar working configuration; everything apart from the IP addresses is the same.

Thanks
LVL 43

Expert Comment

by:JFrederick29
ID: 24125184
Is the router/firewall at the remote site set up properly for Internet access (NAT)? i.e. if split tunneling is set up properly, traffic may be routed outside the tunnel to the remote router, but if the remote router isn't set up properly to provide Internet access, it would fail.  Check the remote device config to verify.  What router/firewall is at the remote site?

Author Comment

by:lawre1108
ID: 24125821
Thanks again JFrederick29, it is a 1801 router.
Below is the config and "sh crypto isakmp sa" for the remote site.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXXXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable password 7 xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable none
!
!
aaa session-id common
!
!
dot11 syslog
!
!
no ip cef
!
!
ip name-server 213.42.20.20
ip name-server 172.25.1.179
ip name-server 208.67.222.222
ip name-server 172.25.1.181
ip name-server 172.25.1.145
ip inspect name FIREWALL tcp
ip inspect name FIREWALL udp
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL icmp
ip inspect name FIREWALL netshow
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL sip
ip inspect name FIREWALL skinny
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tftp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL http java-list 10
ip inspect name urlfilter http urlfilter
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny .youtube.com
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 secret 5 xxxxxxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key AEEBO06-V6nc0Rp11 address 63.218.86.66
!
!
crypto ipsec transform-set transform-APgent esp-3des esp-sha-hmac
!
crypto map APgent 1 ipsec-isakmp
 set peer 63.218.86.66
 set transform-set transform-LLEMEA
 set pfs group2
 match address 101
!
archive
 log config
  hidekeys
!
!
!
!
interface Tunnel1
 description Tun To HQ Main Link 4mb Lease line*******
 bandwidth 2000
 ip address 172.25.60.30 255.255.255.252
 ip tcp adjust-mss 1340
 delay 400
 tunnel source FastEthernet0
 tunnel destination 63.218.86.66
!
interface FastEthernet0
 ip address 82.164.228.222 255.255.255.252
 ip access-group 160 in
 ip nat outside
 ip inspect FIREWALL in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map APgent
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet2
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet3
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet4
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet5
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet6
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet7
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet8
 duplex full
 speed 100
 spanning-tree portfast
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
 dsl operating-mode auto
!
interface Vlan1
 ip address 172.25.172.10 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 standby 0 ip 172.25.172.1
 standby 0 priority 110
 standby 0 preempt
 standby 0 track FastEthernet0
!
router eigrp 456
 redistribute static
 network 172.25.0.0
 no auto-summary
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.164.228.221
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip tacacs source-interface Vlan1
!
access-list 1 permit 172.25.172.0 0.0.0.255
access-list 101 permit gre host 82.164.228.222 host 63.218.86.66
access-list 150 permit tcp any any eq 22
access-list 150 permit gre any any
access-list 150 permit esp any any
access-list 150 permit udp any any eq isakmp
access-list 150 permit udp any eq domain any
access-list 150 permit tcp any any established
access-list 150 deny   ip any any log
access-list 160 permit icmp any any
access-list 160 permit udp any any eq non500-isakmp
access-list 160 permit udp any eq non500-isakmp any
access-list 160 permit udp any any eq isakmp
access-list 160 permit tcp 172.25.172.0 0.0.0.255 any eq www
access-list 160 permit tcp 172.25.172.0 0.0.0.255 any eq 443
access-list 160 permit udp any eq isakmp any
access-list 160 permit esp any any
access-list 160 permit gre any any
access-list 160 permit icmp any any traceroute
access-list 160 deny   ip any any
dialer-list 1 protocol ip permit
snmp-server community PRUGNA RO
snmp-server community public0 RO
snmp-server community llsdc2002 RW
!
!
!
!
tacacs-server host 172.27.8.154
tacacs-server directed-request
tacacs-server key 7 XXXXXXX
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 7 XXXXXXXX
!
end
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
82.164.228.222  63.218.86.66    QM_IDLE           2003    0 ACTIVE

Thanks
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24125937
It's the access-list (160) applied to the fa0 interface that is blocking your return Internet traffic.

Do this:

conf t
interface FastEthernet0
 ip inspect FIREWALL out
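The accepted solution above says the inbound access-list 160 on FastEthernet0 drops the return half of web sessions until CBAC inspection ("ip inspect FIREWALL out") is applied. The following toy model, added here and not part of the thread, replays the TCP-relevant entries of that ACL against a constructed HTTP request and its reply; the server address 198.51.100.10 and the port numbers are made up.

```python
# Added example (not from the thread): why the posted ACL 160 drops return web
# traffic, and how stateful inspection (a stand-in for "ip inspect FIREWALL out")
# lets the reply through.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int


# Entries of access-list 160 (inbound on FastEthernet0) that can match TCP,
# in the order they appear in the posted config.  No "established" keyword and
# no line permitting TCP *from* port 80/443 back to the router's public address.
ACL_160 = [
    ("permit", "tcp", "172.25.172.0/24", "0.0.0.0/0", 80),
    ("permit", "tcp", "172.25.172.0/24", "0.0.0.0/0", 443),
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None),
]


def acl_permits(acl, p: Pkt) -> bool:
    """First matching entry wins, as on IOS; implicit deny at the end."""
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", p.proto):
            continue
        if ip_address(p.src) not in ip_network(src):
            continue
        if ip_address(p.dst) not in ip_network(dst):
            continue
        if dport is not None and p.dport != dport:
            continue
        return action == "permit"
    return False


class Inspect:
    """Minimal CBAC-like model: remember outbound TCP sessions and let their
    return packets bypass the inbound ACL (hypothetical, not IOS code)."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, p: Pkt):
        self.sessions.add((p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, acl, p: Pkt) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.sessions or acl_permits(acl, p)


# Constructed packets: the GET leaves with the router's NATed public address
# (82.164.228.222, from the config) and the web server replies from port 80.
OUT = Pkt("tcp", "82.164.228.222", 50000, "198.51.100.10", 80)
BACK = Pkt("tcp", "198.51.100.10", 80, "82.164.228.222", 50000)


def acl_only() -> bool:
    return acl_permits(ACL_160, BACK)          # False: reply hits "deny ip any any"


def with_inspection() -> bool:
    fw = Inspect()
    fw.outbound(OUT)                           # session seen leaving fa0
    return fw.inbound_allowed(ACL_160, BACK)   # True: return traffic admitted
```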

Author Comment

by:lawre1108
ID: 24126743
Thanks for the solution JFrederick29, I can now access any web site.
But the new problem I'm having is that I cannot download either drivers or documents.
I have attached the error message I'm getting.
Thanks again for the help.

Unable-to-downloads.pdf
LVL 43

Expert Comment

by:JFrederick29
ID: 24127688
Hmm, strange.  Your browser still isn't proxied is it?  If you proxy the browser, do the downloads work?

Author Comment

by:lawre1108
ID: 24127783
Yes, when I proxy the browser, downloads work; the problem only occurs when the proxy is taken out.
LVL 43

Expert Comment

by:JFrederick29
ID: 24129113
Okay, remove the access-list and firewall (temporarily) and test again to see if you get the same results.  If it now works, the problem lies with the IOS firewall.

conf t
interface FastEthernet0
no ip access-group 160 in
no ip inspect FIREWALL in
no ip inspect FIREWALL out

Author Comment

by:lawre1108
ID: 24129992
Thank you JFrederick29, you have been a very nice man, I appreciate your help.

Removing the access-list does not cure the problem.

So I put the access-list and firewall back on.

What I noticed now is that when the proxy is taken out and I put a tick on "Automatically detect settings", the download works, although very slowly. When I compare the download time with my home DSL, it takes the 4mb leased line about 40 minutes to download a 25mb driver from the Epson site, while it takes my DSL at home 2 minutes 36 seconds. I tested the download with some other sites, e.g. Dell, downloads.com etc.

Author Comment

by:lawre1108
ID: 24129997
I forgot to mention that I tried it on the main server and also on two other PCs.
LVL 43

Expert Comment

by:JFrederick29
ID: 24130041
Try adding this:

conf t
int vlan1
ip tcp adjust-mss 1340

Author Comment

by:lawre1108
ID: 24130436
Thanks again, it does not make any difference.
LVL 43

Expert Comment

by:JFrederick29
ID: 24130461
Hmm, I would plug a PC directly into the DSL router and see if you get the same results to rule out the router.  I see nothing on the router that would be causing an issue.

Author Comment

by:lawre1108
ID: 24130506
OK, I will try that when I get to the office tomorrow; as you are aware by now, I have been working remotely from home.

Again, I appreciate all the time you devoted to this problem, I will let you know how it goes in the morning.

Author Comment

by:lawre1108
ID: 24137532
Hi JFrederick29, sorry that I am just getting back to you; it was as usual this morning, running up and down.
I have connected a laptop to the router, and still the same problem.
LVL 43

Expert Comment

by:JFrederick29
ID: 24137660
So, you connected the laptop to the DSL router (not the Cisco router), right? And still have the same problem?  If so, that rules out the Cisco and you might want to talk to your DSL provider or try replacing the DSL router.

Author Comment

by:lawre1108
ID: 24139677
Thanks again JFrederick29, I will let you know what happens next.

Author Comment

by:lawre1108
ID: 24154468
Hi JFrederick29, please just one last question before I close this question and award points for your fantastic help.

If you were in my position, what questions would you ask the provider? As you know, they never accept that the problem may be due to misconfiguration at their end.

Thanks again
LVL 43

Expert Comment

by:JFrederick29
ID: 24156492
Is it a SOHO DSL router?  Perhaps try upgrading the firmware or replacing it for testing purposes.  It isn't running any kind of content filtering/malware/proxy, is it?  Is the router managed by your ISP?  I would ask if your ISP is running any kind of application/content filtering service that could be causing this.

I'm still leaning toward it being an MTU issue though, try this last thing on your router:

interface FastEthernet0
ip mtu 1492

interface Vlan1
ip virtual-reassembly
ip tcp adjust-mss 1452

Author Comment

by:lawre1108
ID: 24157435
Thanks again JFrederick29,
I just tried it now; it does not work.


Author Comment

by:lawre1108
ID: 24173598
Hi JFrederick29, just to let you know I am still trying to convince the ISP to check at their end; I know it is not going to be easy.
I believe the initial question was answered (i.e. internet connection), therefore I will award the points.

Once again, I am grateful for the way you dealt with the problem and answered ALL the questions I asked you.