Solved

Cisco Anyconnect VPN Connects but no network access

Posted on 2012-04-03
Last Modified: 2012-04-11
I have a remote Windows 7 system that connects to the VPN but cannot access the network.  All other users at this location are working fine.  I have removed the client and reinstalled but still no network access.  I am not sure what else to check.  The firewall is a Cisco ASA.
Question by:magarner
LVL 16

Expert Comment

by:max_the_king
ID: 37801007
Hi,
Since you did not post the configuration, assuming it is all right and all other users can access the VPN by means of the Cisco VPN client, you might be encountering a problem I have coped with before sometimes.
You can check if you can access resources by using another VPN client, which you can download free from the following link:
http://www.shrew.net/download/vpn
This is really fully functional and you can as well import the config pcf file from "C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf" after installing the software.
If it works fine, then your Cisco VPN client has some bug interfering with your Windows operating system.
You can then decide whether to try to resolve that bug, or just go on with Shrew VPN Client.

hope this helps
max
0
 

Author Comment

by:magarner
ID: 37801092
All other users can access by Cisco VPN. Our configuration hasn't changed in months, which is why I did not post the configuration; there didn't seem to be any reason to, since this is an isolated case that was working last week.  If I do an nslookup, it fails trying to access my internal DNS server.
0
 

Expert Comment

by:MichaelSB
ID: 37801141
Not sure if this helps, but I am using Cisco AnyConnect and had an issue with a Windows 7 installation not being able to access the network.  Under the network adapter settings for the VPN I found the gateway IP was missing; once I added it, everything was fine.
0

 
LVL 16

Expert Comment

by:max_the_king
ID: 37801170
Hi,
One issue I know can happen sometimes involves the "Internet Connection Sharing (ICS)" Windows service. If it is "started", please stop the service and try to connect once again.

max
0
 

Author Comment

by:magarner
ID: 37801397
I cannot get the shrew vpn client to connect.

The gateway does not appear to be the issue.  The client is using the local gateway for internet access.  Other clients that are working do not have a gateway configured.

The ICS service is not running.

Thanks for all the feedback - other ideas?????
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 37801513
hi,
Then you must have something wrong on that PC, either operating system issues (firewall and the like) or wrong credentials set in the VPN client configuration.

max
0
 

Author Comment

by:magarner
ID: 37802107
Thoughts as to what could be wrong with the PC or operating system?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805584
Cisco VPN Client Connects but no traffic will Pass
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805585
oops sorry
Cisco VPN Client Connects but no traffic will Pass


hit the wrong button =/
0
 

Author Comment

by:magarner
ID: 37805850
Before I make the suggested NAT change, I can tell you that if I look at ipconfig, I see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes out.  Doesn't this mean that the router is not breaking the NAT 0?  Also, all other devices at this location are working using the same client.
0
 

Expert Comment

by:MichaelSB
ID: 37805937
Can you compare the VPN adapter settings with one that is working?  It might show you something is amiss.
0
 

Author Comment

by:magarner
ID: 37805983
Since they are using AnyConnect - there are no settings to compare at the client level.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37809892
>>i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes

If it's from DHCP then this tends to be OK; if it's from a static pool on the ASA then this tends to cause problems.
0
 

Author Comment

by:magarner
ID: 37811545
It is from DHCP.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 37811790
Instead of just guessing or attempting various fixes, let's just try something simple to start... On your ASA, enable debug and post the results here in a txt file.

Issue the command: debug crypto isakmp

Then attempt to connect using your Win 7 pc.
If you can connect successfully, then attempt to access local resources... Note EVERYthing along the way and review your logs. What does it tell you? Or, simply post the results here and we'll assist you further.

Let us know.
0
 

Author Comment

by:magarner
ID: 37816983
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:04: %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> No IPv6 address available for SVC connection
Apr 06 2012 13:37:05: %ASA-5-722033: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst inside:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-5-722032: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> New TCP SVC connection replacing old connection.
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Address <192.168.10.19> assigned to session
Apr 06 2012 13:37:10: %ASA-5-722028: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Stale SVC connection closed.
0
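An added example, not part of the thread or written by any poster: one way to summarise an ASA log paste like the one above is to rejoin lines the terminal hard-wrapped, record which address each AnyConnect session was assigned (message 722051), and count the 106006 denies whose source is one of those addresses. The function names, the sample user and the 203.0.113.7 peer address are assumptions made for illustration; the sample log is constructed in the same format as the post.

```python
import re
from collections import Counter

# Constructed sample, hard-wrapped the way a terminal paste can be.
SAMPLE = """\
Apr 06 2012 13:37:05: %ASA-5-722033: Group <ExamplePolicy> User <jdoe> IP
 <203.0.113.7> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 10.9.9.9/53 to
192.168.10.5/53 on interface inside
Apr 06 2012 13:37:10: %ASA-4-722051: Group <ExamplePolicy> User <jdoe> IP
 <203.0.113.7> Address <192.168.10.19> assigned to session
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}: %ASA-")
MSG = re.compile(r"%ASA-\d-(\d{6}): (.*)")
ASSIGNED = re.compile(r"User <([^>]+)> IP <[^>]+> Address <([^>]+)> assigned")
# \s* after "to": the wrap may have eaten the space before the destination.
DENY = re.compile(r"Deny inbound UDP from ([\d.]+)/(\d+) to\s*([\d.]+)/\d+")

def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def correlate(text):
    """Return ({vpn_address: user}, {(src, dst, src_port): deny_count}) for VPN sources only."""
    assigned, denies = {}, Counter()
    for record in unwrap(text):
        m = MSG.search(record)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "722051" and (a := ASSIGNED.search(body)):
            assigned[a.group(2)] = a.group(1)
        elif msg_id == "106006" and (d := DENY.search(body)):
            denies[(d.group(1), d.group(3), d.group(2))] += 1
    # Filter last: denies can be logged before the 722051 assignment line.
    return assigned, {k: n for k, n in denies.items() if k[0] in assigned}

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

The filter runs after the whole paste is read because, as in the post, the deny lines can appear before the line that records the address assignment.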
 

Accepted Solution

by:
magarner earned 0 total points
ID: 37817129
The problem turned out to be an IPSEC issue with our BlueCoat server - thanks everyone for the suggestions.
0
 

Author Closing Comment

by:magarner
ID: 37831694
We were notified at noon today by Bluecoat they have identified a global problem they caused that was the root of our issue.
0
