magarner

Cisco Anyconnect VPN Connects but no network access

I have a remote Windows 7 system that connects to the VPN but cannot access the network. All other users at this location are working fine. I have removed the client and reinstalled but still no network access. I am not sure what else to check. The firewall is a Cisco ASA.
max_the_king

Hi,
since you did not post the configuration, assuming it is all right and all other users can access the VPN by means of the Cisco VPN client, you might encounter a problem I have coped with before sometimes.
You can check if you can access resources by using another VPN client, which you can download free from the following link:
http://www.shrew.net/download/vpn
This is really fully functional and you can as well import the config pcf file from "C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf" after installing the software.
If it works fine, then your Cisco VPN client has some bug interfering with your Windows operating system.
You can then decide whether to try to resolve that bug or to go on with Shrew VPN Client.

hope this helps
max
ASKER

All other users can access by Cisco VPN - our configuration hasn't changed in months that is why I did not post the configuration - it didn't seem like any reason since this is an isolated case that was working last week.  If I do an NSlookup it is failing trying to access my internal DNS server.
Not sure if this helps, I am using Cisco AnyConnect and had an issue with a Windows 7 installation not being able to access the network. Under the network adapter settings for the VPN I found the gateway IP was missing; once I added it, everything was fine.
Hi,
one issue I know that can happen sometimes is the "Internet Connection Sharing (ICS)" Windows service. If it is "started", please try and stop the service and try to connect once again.

max
I cannot get the shrew vpn client to connect.

The gateway does not appear to be the issue. The client is using the local gateway for internet access. Other clients that are working do not have a gateway configured.

The ICS service is not running.

Thanks for all the feedback - other ideas?????
hi,
then you must have something wrong on that PC, either operating system issues (firewall and the like) or wrong credentials set in the VPN client configuration

max
Thoughts as to what could be wrong with the PC or operating system?
Cisco VPN Client Connects but no traffic will Pass
Before I make the suggested NAT change - I can tell you if I look at ipconfig - I see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes. Doesn't this mean that router is not breaking the NAT 0? Also all other devices at this location are working using the same client.
Can you compare the VPN adapter settings with one that is working? Might show you something is amiss.
Since they are using AnyConnect - there are no settings to compare at the client level.
>>I see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes

If it's from DHCP then this tends to be OK; if it's from a static pool on the ASA then this tends to cause problems.
It is from DHCP.
Instead of just guessing or attempting various fixes let's just try something simple to start... On your ASA enable debug and post the results here in a txt file.

Issue the command: debug crypto isakmp

Then attempt to connect using your Win 7 pc.
If you can connect successfully, then attempt to access local resources... Note EVERYthing along the way and review your logs. What does it tell you? Or, simply post the results here and we'll assist you further.

Let us know.
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:04: %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> No IPv6 address available for SVC connection
Apr 06 2012 13:37:05: %ASA-5-722033: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst inside:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-5-722032: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> New TCP SVC connection replacing old connection.
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Address <192.168.10.19> assigned to session
Apr 06 2012 13:37:10: %ASA-5-722028: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Stale SVC connection closed.
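
Added example (not part of the original thread, and not Cisco tooling): a small Python triage script for console output like the log above. It rejoins the 80-column wrapped records, counts message IDs, and ties the 106006 denies to the address handed out in the 722051 message; the function names and the 80-column wrap width are assumptions of this sketch.

```python
import re
from collections import Counter

# Excerpt of the log posted in the thread, kept in its 80-column wrapped form.
SAMPLE = """\
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers fo
und for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst ins
ide:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Address <192.168.10.19> assigned to session
"""

HEADER = re.compile(r"^\w{3} \d{2} \d{4} [\d:]{8}: %ASA-(\d)-(\d{6}): ")
ASSIGNED = re.compile(r"User <([^>]+)> IP <([\d.]+)> Address <([\d.]+)> assigned")
DENY_IN = re.compile(
    r"Deny inbound UDP from ([\d.]+)/(\d+) to ([\d.]+)/(\d+) on interface (\S+)")

def unwrap(text, width=80):
    """Rejoin wrapped records; a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    # A piece shorter than `width` lost trailing spaces at the wrap point; restore them.
    return ["".join(p.ljust(width) for p in r[:-1]) + r[-1] for r in records]

def triage(text):
    """Count message IDs and tie 106006 denies to VPN-assigned addresses."""
    ids, assigned, denies = Counter(), {}, Counter()
    for rec in unwrap(text):
        m = HEADER.match(rec)
        if not m:
            continue
        ids[m.group(2)] += 1
        if (a := ASSIGNED.search(rec)):
            assigned[a.group(3)] = a.group(1)  # assigned address -> user
        if (d := DENY_IN.search(rec)):
            denies[(d.group(1), d.group(3), d.group(5))] += 1  # src, dst, interface
    hits = {k: n for k, n in denies.items() if k[0] in assigned}
    return {"ids": dict(ids), "assigned": assigned, "vpn_denies": hits,
            "dhcp_no_server": ids["737003"] > 0}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```
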
ASKER CERTIFIED SOLUTION
magarner

We were notified at noon today by Bluecoat they have identified a global problem they caused that was the root of our issue.