?
Solved

Cisco Anyconnect VPN Connects but no network access

Posted on 2012-04-03
18
Medium Priority
?
5,566 Views
Last Modified: 2012-04-11
I have a remote Windows 7 system that connects to the VPN but cannot access the network.  All other users at this location are working fine.  I have removed the client and reinstalled but still no network access.  I am not sure what else to check.  The Firewall is a Cisco ASA
0
Comment
Question by:magarner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 3
  • 3
  • +2
18 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 37801007
Hi,
since you did not post the configuration, assuming it is all right and all other users can access vpn by means of the cisco vpn client, you might encounter a problem i have coped with before sometimes.
You can check if you can access resources by using anither vpn client, which you can download free from the following link:
http://www.shrew.net/download/vpn
This is really full functional and you can as well import the config pcf file from "C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf" after installing the software.
If it works fine, then your cisco vpn client has some bug interfering with your windows operating systems.
You can then decide if trying to resolve that bug, or you better go on with Shrew VPN Client.

hope this helps
max
0
 

Author Comment

by:magarner
ID: 37801092
All other users can access by Cisco VPN - our configuration hasn't changed in months that is why I did not post the configuration - it didn't seem like any reason since this is an isolated case that was working last week.  If I do an NSlookup it is failing trying to access my internal DNS server.
0
 

Expert Comment

by:MichaelSB
ID: 37801141
Not sure if this helps, I am using cisco anyconnect and had an issue with a windows 7 installation not beingl able to access the network.  Under the network adapter settings for the VPN  I found the gateway IP was missing, once I added it, everything was fine.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 16

Expert Comment

by:max_the_king
ID: 37801170
Hi,
one issue i know that can happen sometimes is "Internet Connection sharing (ICS)" windows service. If it is "started", please try and stop the service and try to connect once again.

max
0
 

Author Comment

by:magarner
ID: 37801397
I cannot get the shrew vpn client to connect.

The gateway does not appear to be the issue.  The client using the local gateway for internet access.  Other clients that are working do not have a gateway configured.

The ICS service is not running.

Thanks for all the feedback - other ideas?????
0
 
LVL 16

Expert Comment

by:max_the_king
ID: 37801513
hi,
then you must have something wrong on that PC, either the operating system issues (firewall and the like) or wrong credentials set into vpn client configuration

max
0
 

Author Comment

by:magarner
ID: 37802107
Thoughts as to what could be wrong with the PC or operating system?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805584
Cisco VPN Client Connects but no traffic will Pass
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805585
oops sorry
Cisco VPN Client Connects but no traffic will Pass


hit the wrong button =/
0
 

Author Comment

by:magarner
ID: 37805850
Before I make the suggest Nat change - I can tell you if I look at ipconfig - i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes.  Doesn't this mean that router is not breaking the NAT 0.  Also all other devices at this location are working using the same client.
0
 

Expert Comment

by:MichaelSB
ID: 37805937
can you compare the vpn adapter settings with one that is working?  Might show you something is a miss.
0
 

Author Comment

by:magarner
ID: 37805983
Since they are using AnyConnect - there are no settings to compare at the client level.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37809892
>>i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes

If its from DHCP then this tends to be OK if its from a static pool on the ASA then this tends to cause problems
0
 

Author Comment

by:magarner
ID: 37811545
It is from DHCP.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 37811790
Instead of just guessing or attempting various fixes lets just try something simple to start... On your ASA enable debug and post the results here in a txt file.

Issue the command: debug crypto isakmp

Then attempt to connect using your Win 7 pc.
If you can connect successfully, then attempt to access local resources... Note EVERYthing along the way and review your logs. What does it tell you? Or, simply post the results here and we'll assist you further.

Let us know.
0
 

Author Comment

by:magarner
ID: 37816983
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers fo
und for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:04: %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolic
y <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> No IPv6 address availabl
e for SVC connection
Apr 06 2012 13:37:05: %ASA-5-722033: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst ins
ide:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-5-722032: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> New TCP SVC connection replacing old connection.
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Address <192.168.10.19> assigned to session
Apr 06 2012 13:37:10: %ASA-5-722028: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Stale SVC connection closed.
0
 

Accepted Solution

by:
magarner earned 0 total points
ID: 37817129
The problem turned out to be an IPSEC issue with our BlueCoat server - thank everyone for the suggestions.
0
 

Author Closing Comment

by:magarner
ID: 37831694
We were notified at noon today by Bluecoat they have identified a global problem they caused that was the root of our issue.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question