Solved

Cisco Anyconnect VPN Connects but no network access

Posted on 2012-04-03
Last Modified: 2012-04-11
I have a remote Windows 7 system that connects to the VPN but cannot access the network. All other users at this location are working fine. I have removed the client and reinstalled but still no network access. I am not sure what else to check. The firewall is a Cisco ASA.
Question by:magarner
18 Comments
 
LVL 15

Expert Comment

by:max_the_king
ID: 37801007
Hi,
since you did not post the configuration, assuming it is all right and all other users can access the VPN by means of the Cisco VPN client, you might encounter a problem I have coped with before sometimes.
You can check if you can access resources by using another VPN client, which you can download free from the following link:
http://www.shrew.net/download/vpn
This is really fully functional and you can as well import the config pcf file from "C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf" after installing the software.
If it works fine, then your Cisco VPN client has some bug interfering with your Windows operating system.
You can then decide whether to try to resolve that bug, or you'd better go on with Shrew VPN Client.

hope this helps
max
0
 

Author Comment

by:magarner
ID: 37801092
All other users can access by Cisco VPN - our configuration hasn't changed in months that is why I did not post the configuration - it didn't seem like any reason since this is an isolated case that was working last week.  If I do an NSlookup it is failing trying to access my internal DNS server.
0
 

Expert Comment

by:MichaelSB
ID: 37801141
Not sure if this helps, I am using Cisco AnyConnect and had an issue with a Windows 7 installation not being able to access the network. Under the network adapter settings for the VPN I found the gateway IP was missing; once I added it, everything was fine.
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 37801170
Hi,
one issue I know that can happen sometimes is the "Internet Connection Sharing (ICS)" Windows service. If it is "started", please try to stop the service and connect once again.

max
0
 

Author Comment

by:magarner
ID: 37801397
I cannot get the shrew vpn client to connect.

The gateway does not appear to be the issue. The client is using the local gateway for internet access. Other clients that are working do not have a gateway configured.

The ICS service is not running.

Thanks for all the feedback - other ideas?????
0
 
LVL 15

Expert Comment

by:max_the_king
ID: 37801513
hi,
then you must have something wrong on that PC, either operating system issues (firewall and the like) or wrong credentials set in the VPN client configuration

max
0
 

Author Comment

by:magarner
ID: 37802107
Thoughts as to what could be wrong with the PC or operating system?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805584
Cisco VPN Client Connects but no traffic will Pass
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37805585
oops sorry
Cisco VPN Client Connects but no traffic will Pass


hit the wrong button =/
0
 

Author Comment

by:magarner
ID: 37805850
Before I make the suggested NAT change - I can tell you that if I look at ipconfig, I see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes out. Doesn't this mean that the router is not breaking the NAT 0? Also, all other devices at this location are working using the same client.
0
 

Expert Comment

by:MichaelSB
ID: 37805937
Can you compare the VPN adapter settings with one that is working? Might show you something is amiss.
0
 

Author Comment

by:magarner
ID: 37805983
Since they are using AnyConnect - there are no settings to compare at the client level.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37809892
>>i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes

If it's from DHCP then this tends to be OK; if it's from a static pool on the ASA then this tends to cause problems.
0
 

Author Comment

by:magarner
ID: 37811545
It is from DHCP.
0
 
LVL 15

Expert Comment

by:The_Warlock
ID: 37811790
Instead of just guessing or attempting various fixes, let's just try something simple to start... On your ASA, enable debug and post the results here in a txt file.

Issue the command: debug crypto isakmp

Then attempt to connect using your Win 7 pc.
If you can connect successfully, then attempt to access local resources... Note EVERYthing along the way and review your logs. What does it tell you? Or, simply post the results here and we'll assist you further.

Let us know.
0
 

Author Comment

by:magarner
ID: 37816983
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:04: %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolicy <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> No IPv6 address available for SVC connection
Apr 06 2012 13:37:05: %ASA-5-722033: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to 192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst inside:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-5-722032: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> New TCP SVC connection replacing old connection.
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Address <192.168.10.19> assigned to session
Apr 06 2012 13:37:10: %ASA-5-722028: Group <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> Stale SVC connection closed.
0
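One way to triage ASA output like the post above, as an added example that is not part of the original thread: it rejoins the 80-column-wrapped lines, counts messages per syslog ID, and tallies "Deny inbound" entries whose source is an address the ASA assigned to an AnyConnect session. The function names and the assumption that a line without a timestamp continues the previous one are this example's own.

```python
import re
from collections import Counter

# Subset of the ASA output posted in the thread, keeping its 80-column wrapping.
RAW = """\
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst ins
ide:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Address <192.168.10.19> assigned to session
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}: ")
MSG = re.compile(r"%ASA-(\d)-(\d{6}): (.*)")
ASSIGNED = re.compile(r"User <([^>]+)> IP\s*<([^>]+)> Address <([^>]+)> assigned")
DENY_SRC = re.compile(r"Deny inbound \w+ from ([\d.]+)/\d+ to\s*([\d.]+)/(\d+)")

def unwrap(raw):
    """Rejoin wrapped lines (assumption: no timestamp means a continuation)."""
    out = []
    for line in raw.splitlines():
        if STAMP.match(line) or not out:
            out.append(line)
        else:
            out[-1] += line  # a space lost at the wrap point is tolerated by \s*
    return out

def triage(raw):
    """Return (count per message ID, assigned address -> user, deny tallies)."""
    ids, sessions, denies = Counter(), {}, Counter()
    parsed = [m for m in map(MSG.search, unwrap(raw)) if m]
    for m in parsed:  # pass 1: learn which inside addresses belong to VPN sessions
        ids[m.group(2)] += 1
        a = ASSIGNED.search(m.group(3))
        if a:
            sessions[a.group(3)] = a.group(1)
    for m in parsed:  # pass 2: denies can be logged before the 722051 line
        d = DENY_SRC.search(m.group(3))
        if d and d.group(1) in sessions:
            denies[(sessions[d.group(1)], d.group(2), d.group(3))] += 1
    return ids, sessions, denies

if __name__ == "__main__":
    ids, sessions, denies = triage(RAW)
    print(dict(ids), sessions, dict(denies))
```
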
 

Accepted Solution

by:
magarner earned 0 total points
ID: 37817129
The problem turned out to be an IPSEC issue with our BlueCoat server - thanks everyone for the suggestions.
0
 

Author Closing Comment

by:magarner
ID: 37831694
We were notified at noon today by Bluecoat they have identified a global problem they caused that was the root of our issue.
0
