Cisco VPN Client to Cisco VPN Concentrator Packet Loss to Specific Machines

Hello All,

I am more familiar with IOS than the GUI that the 3000 series concentrators are using, which might be part of my problem.
We have a VPN concentrator on the edge of our network, with a dedicated line running to it.

The primary network used to be relying on Novell Directory Services, but it is being migrated to Active Directory.

There is a 3500 series router at the core with a stack of Cisco switches (no special ACLs on these).

When connecting using the Cisco VPN client to the network, any laptop will experience 100% packet loss to certain machines, and random loss (50%+) to the Windows DCs.

I have looked through most of the settings on the concentrator, but I have not been able to find much that would point me towards a solution.

The primary network is a 172 network, with the client VPNs being assigned a 192 network. Both are in a /24 range. We have the core router configured with a static route to the VPN concentrator in case this is the issue, but I don't believe it should be.

Any assistance would be welcome.

By "100% packet loss to certain machines, and random loss (50%+) to the Windows DCs", do you mean that even just pings show this kind of packet loss, or that you are using a sniffer and that is what you see, or that the apps you try to run don't work this often, or something else? And did this same setup work fine with NDS and it's now failing with AD?

And on your infrastructure, am I correct to assume you have a number of local LANs at your site routed with a 3500, and an internet connection of some sort with a firewall of some sort on one of those VLANs, and you have another internet connection that is dedicated to the 3000 series VPN concentrator, and you have remote laptops attempting to connect in through the 3000? If not, please correct me.

If this is so, is the concentrator inside interface and the firewall inside interface on the same VLAN?

Lots of questions, I know, sorry, but I want to give you a useful answer.
DanSheppersAuthor Commented:
Even pings show this packet loss.

Currently NDS is running in parallel to AD. They are both on the same subnet.

There are 2-3 local LANs; however, these VLANs are more for administrative purposes. Main computers are all on the one subnet with the servers.

The 3000 series VPN concentrator has a dedicated line coming into it.  Remote laptops are connecting to the VPN concentrator as well as remote sites.

The concentrator inside and firewall/router inside interface are on the same VLAN.
On the VPN client side PCs, are you using the Cisco VPN client? If so, once the icon is up in the systray, you can right-click it, select Statistics, then look at the Route tab. You should see either as a route if you do not have split tunneling enabled, or see the specific subnet(s) on which your servers exist if you do have split tunneling enabled.

Do the VPN clients get the proper DNS and any other services (WINS etc.) addresses from the DHCP configuration that the VPN concentrator is passing them?

If you try to traceroute to the hosts from the VPN clients, what do you see?

Are there any log entries in the firewall or VPN device that look to be related time-wise and/or host-wise to the end stations in question?

DanSheppersAuthor Commented:
Sorry for the late response, we had a huge network problem the other day (WAN was flapping).

Cisco VPN Client is being used.
The route for the network is present.
DNS, WINS, etc. are correct.

Tracert from the host to the PC shows the first hop as the WAN IP of the VPN concentrator and then the destination computer.

Nothing in the VPN device or firewall that looks like it could be related to the problems we are experiencing.
DanSheppersAuthor Commented:
Additionally, a Wireshark on the Cisco end shows a few TTL exceeded messages before the results come back.
DanSheppersAuthor Commented:
Actually, ignore that last comment, that is what it is supposed to do... :P
Heh, yeah, that pesky traceroute behavior :)

Since you mention Wireshark, that gives us a great tool to troubleshoot with. Launch Wireshark (or better still Sniffer Portable if you have it) on the remote PC trying to get to the AD servers, and also on either a sniffer on a tap of the inside interface of the VPN concentrator, or on a port SPAN of the inside interface of the VPN concentrator. Make sure both sniffers are using NTP (accurate time is a HUGE part of troubleshooting traces). On the head-end one, create a filter with the remote PC's native IP to any, its VPN DHCP pool IP to any, and the site's outside IP to any (let me know if you need a hand with that), and on the remote PC don't create any filter. Close everything on that PC that's non-critical (chat clients, browsers, weatherbug crap, etc.). Then give the connection a shot while capturing on both sniffers at the same time, then we'll compare the traces. Paste in the captures, the IP address of the server you are trying to reach, and the three IPs mentioned for the filter above. We'll kill the problem in no time.
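The two-capture comparison the expert describes above, worked through as an added example (this is not code from the thread or from Cisco). It builds the head-end capture filter from the three addresses, then lines up ICMP echo requests and replies from the client-side and inside-interface captures by ICMP (id, seq) so each lost ping can be blamed on a specific leg: the tunnel, the inside host (or its return route), or the way back through the concentrator. It also reports the timestamp offset between the two sniffers for the same packet, which is how you find out whether the NTP step was skipped. All addresses and the capture lines are constructed placeholders; the capture text is assumed to be a one-packet-per-line export with absolute timestamps (for example from tshark) of the cleartext traffic on each side.

```python
import re
from collections import defaultdict

# Hypothetical addresses for the example (not from the thread).
CLIENT_NATIVE_IP = "203.0.113.10"   # remote PC's address on its own LAN
CLIENT_POOL_IP = "192.168.50.25"    # address assigned from the concentrator's pool
SITE_OUTSIDE_IP = "198.51.100.2"    # concentrator's public (WAN) address
TARGET_HOST = "172.16.1.40"         # inside host that shows loss


def head_end_capture_filter(native_ip, pool_ip, outside_ip):
    """BPF capture filter for the sniffer on the concentrator's inside
    interface: the three addresses the expert asked for, each matched
    against any peer ('host X' matches X as source or destination)."""
    return f"host {native_ip} or host {pool_ip} or host {outside_ip}"


# Assumed export format, one packet per line:
#   <absolute time> <src> <dst> ICMP <request|reply> id=<n> seq=<n>
LINE_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+ICMP\s+"
    r"(?P<kind>request|reply)\s+id=(?P<id>\d+)\s+seq=(?P<seq>\d+)$"
)


def parse_capture(text):
    """Parse the export; lines that are not ICMP echo traffic are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append({"t": float(m["t"]), "src": m["src"], "dst": m["dst"],
                         "kind": m["kind"], "id": int(m["id"]), "seq": int(m["seq"])})
    return pkts


def echo_ledger(pkts, pool_ip, target):
    """Index echo request/reply timestamps for pings from the pool address to
    the target by ICMP (id, seq). That pair passes through the tunnel
    unchanged, so the same ping can be found in both captures."""
    ledger = defaultdict(lambda: {"request": None, "reply": None})
    for p in pkts:
        key = (p["id"], p["seq"])
        if p["kind"] == "request" and p["src"] == pool_ip and p["dst"] == target:
            ledger[key]["request"] = p["t"]
        elif p["kind"] == "reply" and p["src"] == target and p["dst"] == pool_ip:
            ledger[key]["reply"] = p["t"]
    return ledger


def localise_loss(client_text, head_end_text, pool_ip, target):
    """For every echo request the client sent, say on which leg it was lost."""
    c = echo_ledger(parse_capture(client_text), pool_ip, target)
    h = echo_ledger(parse_capture(head_end_text), pool_ip, target)
    verdicts = {}
    for key in sorted(k for k, v in c.items() if v["request"] is not None):
        if c[key]["reply"] is not None:
            verdicts[key] = "ok"
        elif h[key]["request"] is None:
            verdicts[key] = "request never reached the inside interface (client/tunnel leg)"
        elif h[key]["reply"] is None:
            verdicts[key] = "request hit the LAN but no reply came back (host or its return route)"
        else:
            verdicts[key] = "reply seen inside but lost on the way back to the client"
    return verdicts


def clock_offset(client_text, head_end_text, pool_ip, target):
    """Median (head-end time - client time) for requests seen in both
    captures. With NTP on both sniffers this is just the one-way tunnel
    delay; a large value means the clocks disagree and time-based
    correlation of the two traces cannot be trusted."""
    c = echo_ledger(parse_capture(client_text), pool_ip, target)
    h = echo_ledger(parse_capture(head_end_text), pool_ip, target)
    deltas = sorted(h[k]["request"] - c[k]["request"] for k in c
                    if c[k]["request"] is not None and k in h and h[k]["request"] is not None)
    return deltas[len(deltas) // 2] if deltas else None


# Constructed sample captures: seq 1 works, seq 2 dies in the tunnel,
# seq 3 gets no answer from the host, seq 4's reply is lost coming back.
CLIENT_CAPTURE = """
1000.000 192.168.50.25 172.16.1.40 ICMP request id=1 seq=1
1000.031 172.16.1.40 192.168.50.25 ICMP reply id=1 seq=1
1000.500 192.168.50.25 172.16.1.40 TCP 49152 > 445 [SYN]
1001.000 192.168.50.25 172.16.1.40 ICMP request id=1 seq=2
1002.000 192.168.50.25 172.16.1.40 ICMP request id=1 seq=3
1003.000 192.168.50.25 172.16.1.40 ICMP request id=1 seq=4
"""
HEAD_END_CAPTURE = """
1000.005 192.168.50.25 172.16.1.40 ICMP request id=1 seq=1
1000.020 172.16.1.40 192.168.50.25 ICMP reply id=1 seq=1
1002.005 192.168.50.25 172.16.1.40 ICMP request id=1 seq=3
1003.005 192.168.50.25 172.16.1.40 ICMP request id=1 seq=4
1003.020 172.16.1.40 192.168.50.25 ICMP reply id=1 seq=4
"""

if __name__ == "__main__":
    print("head-end filter:", head_end_capture_filter(CLIENT_NATIVE_IP, CLIENT_POOL_IP, SITE_OUTSIDE_IP))
    print("clock offset (s):", clock_offset(CLIENT_CAPTURE, HEAD_END_CAPTURE, CLIENT_POOL_IP, TARGET_HOST))
    for key, verdict in localise_loss(CLIENT_CAPTURE, HEAD_END_CAPTURE, CLIENT_POOL_IP, TARGET_HOST).items():
        print(f"id={key[0]} seq={key[1]}: {verdict}")
```

The point of keying on (id, seq) rather than on time is that it works even when the two sniffers' clocks are off; the offset is then reported separately so you know whether timestamps from the two traces can be lined up at all. For real captures, export each trace with an absolute timestamp column and pass the text in place of the constructed strings.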
DanSheppersAuthor Commented:
Put into place an ASA, which resolved the problems.
