Cisco Anyconnect VPN Connects but no network access

I have a remote Windows 7 system that connects to the VPN but cannot access the network.  All other users at this location are working fine.  I have removed the client and reinstalled but still no network access.  I am not sure what else to check.  The Firewall is a Cisco ASA
magarnerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

max_the_kingCommented:
Hi,
since you did not post the configuration, assuming it is all right and all other users can access vpn by means of the cisco vpn client, you might encounter a problem i have coped with before sometimes.
You can check if you can access resources by using anither vpn client, which you can download free from the following link:
http://www.shrew.net/download/vpn
This is really full functional and you can as well import the config pcf file from "C:\Program Files\Cisco Systems\VPN Client\Profiles\*.pcf" after installing the software.
If it works fine, then your cisco vpn client has some bug interfering with your windows operating systems.
You can then decide if trying to resolve that bug, or you better go on with Shrew VPN Client.

hope this helps
max
0
magarnerAuthor Commented:
All other users can access by Cisco VPN - our configuration hasn't changed in months that is why I did not post the configuration - it didn't seem like any reason since this is an isolated case that was working last week.  If I do an NSlookup it is failing trying to access my internal DNS server.
0
MichaelSBCommented:
Not sure if this helps, I am using cisco anyconnect and had an issue with a windows 7 installation not beingl able to access the network.  Under the network adapter settings for the VPN  I found the gateway IP was missing, once I added it, everything was fine.
0
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

max_the_kingCommented:
Hi,
one issue i know that can happen sometimes is "Internet Connection sharing (ICS)" windows service. If it is "started", please try and stop the service and try to connect once again.

max
0
magarnerAuthor Commented:
I cannot get the shrew vpn client to connect.

The gateway does not appear to be the issue.  The client using the local gateway for internet access.  Other clients that are working do not have a gateway configured.

The ICS service is not running.

Thanks for all the feedback - other ideas?????
0
max_the_kingCommented:
hi,
then you must have something wrong on that PC, either the operating system issues (firewall and the like) or wrong credentials set into vpn client configuration

max
0
magarnerAuthor Commented:
Thoughts as to what could be wrong with the PC or operating system?
0
Pete LongTechnical ConsultantCommented:
Cisco VPN Client Connects but no traffic will Pass
0
Pete LongTechnical ConsultantCommented:
oops sorry
Cisco VPN Client Connects but no traffic will Pass


hit the wrong button =/
0
magarnerAuthor Commented:
Before I make the suggest Nat change - I can tell you if I look at ipconfig - i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes.  Doesn't this mean that router is not breaking the NAT 0.  Also all other devices at this location are working using the same client.
0
MichaelSBCommented:
can you compare the vpn adapter settings with one that is working?  Might show you something is a miss.
0
magarnerAuthor Commented:
Since they are using AnyConnect - there are no settings to compare at the client level.
0
Pete LongTechnical ConsultantCommented:
>>i see that the VPN adapter has been assigned an address that is in the range of what our ASA dishes

If its from DHCP then this tends to be OK if its from a static pool on the ASA then this tends to cause problems
0
magarnerAuthor Commented:
It is from DHCP.
0
Robert Sutton JrSenior Network ManagerCommented:
Instead of just guessing or attempting various fixes lets just try something simple to start... On your ASA enable debug and post the results here in a txt file.

Issue the command: debug crypto isakmp

Then attempt to connect using your Win 7 pc.
If you can connect successfully, then attempt to access local resources... Note EVERYthing along the way and review your logs. What does it tell you? Or, simply post the results here and we'll assist you further.

Let us know.
0
magarnerAuthor Commented:
Apr 06 2012 13:37:04: %ASA-5-737003: IPAA: DHCP configured, no viable servers fo
und for tunnel-group 'DefaultWEBVPNGroup'
Apr 06 2012 13:37:04: %ASA-4-722041: TunnelGroup <DefaultWEBVPNGroup> GroupPolic
y <AnyConnectPolicy1> User <gcramer> IP <199.19.250.47> No IPv6 address availabl
e for SVC connection
Apr 06 2012 13:37:05: %ASA-5-722033: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> First UDP SVC connection established for SVC session.
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:05: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:06: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:07: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-2-106006: Deny inbound UDP from 192.168.10.19/137 to
192.168.10.255/137 on interface inside
Apr 06 2012 13:37:08: %ASA-4-106023: Deny icmp src outside:129.82.138.38 dst ins
ide:216.68.102.226 (type 8, code 0) by access-group "static" [0x0, 0x0]
Apr 06 2012 13:37:10: %ASA-5-722032: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> New TCP SVC connection replacing old connection.
Apr 06 2012 13:37:10: %ASA-4-722051: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Address <192.168.10.19> assigned to session
Apr 06 2012 13:37:10: %ASA-5-722028: Group <AnyConnectPolicy1> User <gcramer> IP
 <199.19.250.47> Stale SVC connection closed.
0
magarnerAuthor Commented:
The problem turned out to be an IPSEC issue with our BlueCoat server - thank everyone for the suggestions.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
magarnerAuthor Commented:
We were notified at noon today by Bluecoat they have identified a global problem they caused that was the root of our issue.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.