2x Cisco RVS4000 / IPSec Tunnel = Can't https through vpn (Solved)

Posted on 2011-09-20 | Last Modified: 2012-05-12 | 8 comments | 915 views
Experts,

I have a bit of a strange problem here.

I have two Cisco RVS4000's setup with a VPN between them at two different sites.  For testing, I have everything security-related 100% disabled on both little routers.  No firewall, no IPS, nothing.

Everything works between the two sides, and I can access everything as if it were sitting right next to me (RDP, FTP, HTTP, ICMP, etc.)...  Except 443.

Trying to access anything over https gets network timed out errors.  What would be the cause of this?

The VPN settings for both sides are as follows (identical of course):

IKE with Preshared Key
Ph1 :  3DES / SHA1 / Grp 1024bit / Lifetime 28800
Ph2 :  3DES / SHA1 / Perfect Foward Secrecy Enabled / ***PSK*** / Grp 1024bit / Lifetime 3600
Question by: usslindstrom
Expert Comment by MikeKane (ID: 36567184)
Are you using a browser to test? Check for proxy settings in the browser.

A better test is to use nmap to scan the host across the VPN, or just try to telnet to port 443 over the VPN.

Author Comment by usslindstrom (ID: 36570685)
Yes for the browser.  Both FireFox and IE.

Telnetting to a host through the tunnel on 443 gives "connection failed."

Of course, doing anything local (local PC to local server) at each site works fine; there definitely is some sort of access list blocking 443 through the tunnel.

As mentioned before, I've disabled everything on the little Cisco routers, so they're just providing NAT for internal clients and IPSec tunnel support at the moment.

I have a DC at each site, and they're able to replicate freely, as well as DNS, FRS, etc.  Everything is working great, except https.  Very weird issue.
Expert Comment by MikeKane (ID: 36574670)
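MikeKane's suggestion above is to test the far end with nmap or telnet on 443 rather than a browser, and the reply reports "connection failed" for telnet through the tunnel. The following is an added example (not code from this thread or from Cisco) that turns that check into a small Python probe: it attempts a TCP connect to each port of interest and separates a "refused" result (an RST came back, so the path is fine but nothing is listening) from a "timeout" (nothing came back at all, which is what a drop in the tunnel path looks like). The port list and the service names are my assumptions; the local self-check binds only to 127.0.0.1 so it can be run without any VPN.

```python
import errno
import socket
import sys
from typing import Dict, List

# Assumed port set: the protocols the thread compares (HTTP works, HTTPS and
# later SMTP fail). Adjust to whatever services sit behind the far router.
DEFAULT_PORTS = {"http": 80, "https": 443, "smtp": 25, "rdp": 3389}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify the outcome.

    "open"     three-way handshake completed, the far host answered
    "refused"  an RST came back: path is fine, host is not listening
    "timeout"  no SYN-ACK and no RST: something on the path drops the packets
    "error:X"  anything else (no route, DNS failure, ...), X is the errno name
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno is not None:
            return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
        return "error:" + type(exc).__name__


def probe_host(host: str, ports: Dict[str, int] = DEFAULT_PORTS,
               timeout: float = 3.0) -> Dict[str, str]:
    """Probe every named port on one host; returns {service: outcome}."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def suspect_filtered(results: Dict[str, str]) -> List[str]:
    """Services that timed out while some other port on the same host answered.

    If at least one port answered (open or refused) the host and the route are
    reachable, so a timeout on another port is a selective drop somewhere on
    the path, not a dead host. If nothing answered at all we cannot tell the
    two apart, so nothing is flagged.
    """
    answered = any(r in ("open", "refused") for r in results.values())
    if not answered:
        return []
    return sorted(name for name, r in results.items() if r == "timeout")


def local_self_check() -> Dict[str, str]:
    """Show what 'open' and 'refused' look like using only 127.0.0.1.

    Binds a listener on an ephemeral port, and picks a second ephemeral port
    that is then released so nothing listens on it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # port released: a connect here should be refused

    try:
        return probe_host("127.0.0.1",
                          {"listening": open_port, "closed": closed_port},
                          timeout=2.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python probe.py <host-behind-the-far-router>
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print("self-check:", local_self_check())
    else:
        outcome = probe_host(target)
        for name, result in outcome.items():
            print(f"{name:6s} {DEFAULT_PORTS[name]:5d}  {result}")
        print("suspect filtered:", suspect_filtered(outcome))
```

Run it from a PC on one side against a server on the other. A result like `http open` next to `https timeout` on the same host is the pattern the thread describes, and it rules out the host being down or a missing route; comparing the same run made locally (PC to server on the same LAN) against the run across the tunnel narrows the drop to the tunnel path.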
So as you traverse the Cisco devices, the Ciscos should record any dropped packets in the logs. I forget where the logs are on those, but they're viewable and should record any dropped packets and give a reason for the drop.
Author Comment by usslindstrom (ID: 36584205)
Thanks for the suggestion.

Unfortunately, the only place I can see on those little RVS4000's to check logs comes up 100% empty for all logs (including system).
Accepted Solution by MikeKane (earned 500 total points, ID: 36710228)
Any local ROUTE tables on the PC that would send traffic elsewhere? Local VPN adapters that capture traffic? I'm grasping at straws here since it's an unusual description.

The traffic must flow somewhere.... Do you have a switch with a monitor port capability to run a trace at the router level just to make sure packets are being sent there? How about at least on the host itself?
Author Comment by usslindstrom (ID: 36714673)
No worries.  Thank you very much for assisting me with this strange problem.

The one thing I haven't done up to this point is grab packet captures, and I can definitely go that way... including Fiddler to see where the https request is going. The router is connected to a c2950, and I'm not entirely sure if those things support SPAN off the top of my head, but it'd definitely be another place to take a look.

PCs behind the devices are all receiving addresses from DHCP, and I'm not injecting any host routes throughout the domain, so it shouldn't be the case. That being said, standard http and, well, any other traffic traverses the tunnel just fine and makes it to its destination, so we're most likely not dealing with any sort of L3 issue here.
Author Comment by usslindstrom (ID: 37051858)
Sorry for the delay here.  Been very busy with other active issues that needed working out.

Still having the issue here, but it's consuming other protocols as well.

Almost everything over the VPN is working, but SMTP and HTTPS are being killed.
Author Closing Comment by usslindstrom (ID: 37055234)
Problem was with firmware. Updated to the latest release and SSL traffic was finally able to go through.

Unfortunately, SMTP is still getting destroyed on the little thing, but at this point we can definitely agree that it's the small little POS router.