Solved

Unable to Connect to Website over VPN

Posted on 2009-07-07
884 Views
Last Modified: 2013-12-08
We have a bit of a puzzler.

We have an end user, working remotely from home, who is unable to connect to a particular website when she is on our VPN.

The user system specs are: Windows XP SP 3, IE 8. She is on Cisco VPN Client 5.0.02.0090.

She can get to the website when she is not on the VPN. We were able to get to the website over our normal network connection, and over the VPN from our corporate location.

Any suggestions? (Other than having the user access the website off of the VPN?)
0
Question by:KIP Help
18 Comments
 

Expert Comment

by:fa2lerror
ID: 24796965
I have a PIX at a few clients' locations. External web access does not work when using the VPN. Sorry.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24796970
Can she ping the website by name?
Can she ping the website by IP?
Is it your web site?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24796981
"external web access does not work when using the VPN. Sorry."

What???

Split tunneling.  Easy cheesy.

Buzz.  Thanks for playing.
0
 
LVL 30

Expert Comment

by:renazonse
ID: 24797030
Depending on how the VPN is configured, she may be able to get internet access just by checking the "allow local lan access" checkbox within the configuration of the VPN profile under the transport tab.

Otherwise, RPPreacher is correct: you'll need a split tunnel configured on the device.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24797060
The way the question is phrased ("a particular website") reads like "she can access every web site EXCEPT 1".

The first thing to determine is if this is a DNS or routing issue.

THUS

Can she ping the website by name?
Can she ping the website by IP?
Is it your web site?
0
 

Author Comment

by:KIP Help
ID: 24797098
@fa2lerror: She is able to access other websites on the VPN, just not this particular site.

@RPPreacher: She is unable to ping the website by name or by IP. Interestingly enough, I was just speaking with her and testing the website again. Here in the office (because we can connect), we discovered that the website redirects to a secured site. The interesting part is that she cannot connect to the secured site either; however, she can ping the secured site via name and IP.

The secured site that is redirected to has an entirely different domain name than the original site.

This is a third-party site and not our corporate website.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24797114
Do you do URL filtering on the PIX?
Have you checked her PC for viruses/malware?
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24797139
Is the IP of the redirected site anything close to your VPN pool/internal IP range or any ACL on the PIX defined as "interesting traffic"?

WAIT!!!!

Does she have a pop-up blocker?  Either IE or Google toolbar or some other such nonsense?  They dislike redirects.
0
 
LVL 30

Expert Comment

by:renazonse
ID: 24797158
Ah...I failed to read the entire question myself.

Does the VPN subnet have access to ports other than 80 from outside the network? Sounds like the site redirects to port 443 or some other secure port that's being blocked by the device.
0

 

Author Comment

by:KIP Help
ID: 24797313
I'll need to pass the URL filtering question on to our network admins; I don't handle that portion. (Though if it's any help with the brainstorming, we do have Websense.)

However, her PC has not been checked for viruses, nor for pop-up blockers. I'll look into that one.
0
 

Expert Comment

by:fa2lerror
ID: 24798310
I am not a Cisco admin and rely on others for my programming. All other vendors do allow "split tunnelling". The few clients that run Cisco and their admins claim the firewall does not support split tunnelling, thus my answer. It could be that the versions of our PIX501 and IOS are our issues and limiting this feature set. I don't really know.
Again, in our setups, split tunnelling is not available, nor can I access remote office subnets when VPN'd into the main network.
0
 
LVL 20

Expert Comment

by:RPPreacher
ID: 24798317
"split tunnelling is not available"

Definitely not a limitation of the PIX nor relevant to the question though.
0
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 24803016
Is she getting the Websense block page, or "page cannot be displayed", or what?
0
 

Author Comment

by:KIP Help
ID: 24804055
She is not getting a blocked page, but a "page cannot be displayed" error.
0
 

Accepted Solution

by:shahyan
shahyan earned 250 total points
ID: 24898283
I am having the same issue with one of my remote users who is trying to access our website over the tunnel. The one similarity I see is that we do a redirect from a non-secure to a secure (https) location as well. Not sure if that is the culprit here.
0
 

Author Comment

by:KIP Help
ID: 24903359
We had the problem temporarily resolved: we flushed her DNS cache and she connected fine. However, the problem is recurring again. Is there any way to force the PC to continually flush the DNS cache instead of doing it manually?
0
 
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 250 total points
ID: 24903736
That's weird.  Is it resolving differently internally than externally?  This happens sometimes with internal sites.

To answer your question, you could

(1)  Create a bat file and a scheduled task
(2)  Create a bat file and a shortcut that runs on log on
(3)  Edit the hosts file to include an entry for the problem site (so it doesn't rely on DNS)
0
 

Author Closing Comment

by:KIP Help
ID: 31624400
The issue has been resolved; the problem appeared to have something to do with her ISP assigning the same subnet and IP addresses as our VPN does. I'm not technical enough on the networking end to explain or even understand what happened, but I'm splitting the points for the suggestions and prompts along the way.
0
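
The closing comment puts the cause down to the user's home-side addressing matching the VPN's, and an earlier comment asks whether the redirected site's IP falls near the VPN pool or internal range. As an added example (not code from the thread or from any participant), this Python function checks both conditions; every address below is constructed, and the longest-prefix comparison is a simplification that ignores route metrics.

```python
import ipaddress

def check_vpn_overlap(home_ifaces, vpn_nets, site_ips):
    """Report address conflicts between a remote user's home LAN and the VPN.

    home_ifaces: home-side interface addresses, e.g. "192.168.1.23/24"
    vpn_nets:    CIDRs the VPN hands out or routes (pool, internal ranges)
    site_ips:    {label: ip} for the sites the user cannot reach
    """
    home = [ipaddress.ip_interface(i) for i in home_ifaces]
    vpn = [ipaddress.ip_network(n) for n in vpn_nets]

    # 1. A home subnet that overlaps a VPN range makes routing ambiguous.
    overlaps = [(str(h.network), str(v))
                for h in home for v in vpn if h.network.overlaps(v)]

    # 2. Home addresses that the VPN could also assign to someone else.
    dup_candidates = [str(h.ip) for h in home if any(h.ip in v for v in vpn)]

    # 3. For each site, which side holds the longest matching prefix?
    routes = {}
    for label, ip in site_ips.items():
        addr = ipaddress.ip_address(ip)
        best_home = max((h.network.prefixlen for h in home
                         if addr in h.network), default=-1)
        best_vpn = max((v.prefixlen for v in vpn if addr in v), default=-1)
        if best_home < 0 and best_vpn < 0:
            routes[label] = "default"    # neither side claims it
        elif best_home > best_vpn:
            routes[label] = "home-lan"   # stays on the local link
        elif best_vpn > best_home:
            routes[label] = "vpn"        # goes into the tunnel
        else:
            routes[label] = "ambiguous"  # same prefix length on both sides
    return {"overlaps": overlaps, "dup_candidates": dup_candidates,
            "routes": routes}

# Constructed sample values: the home router and the VPN both use 192.168.1.0/24.
REPORT = check_vpn_overlap(
    home_ifaces=["192.168.1.23/24"],
    vpn_nets=["192.168.1.0/24", "10.0.0.0/8"],
    site_ips={"original-site": "203.0.113.10",
              "redirect-target": "192.168.1.50",
              "intranet": "10.20.30.40"},
)
```

A non-empty `overlaps` list is the condition described in the closing comment; the usual fixes are renumbering the home LAN or moving the VPN pool to a range home routers rarely use.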
