• Status: Solved
  • Priority: Medium
  • Security: Public

VPN?? Firewall?? This will have you scratching your heads!!!!

So here is a situation that has left me scratching my head, and I will try to list everything that is currently happening.

We have a location that has 8 users working. The ISP is Comcast; it's a Comcast modem plugged into a Netgear 48-port switch, using 192.168.0.1 as the default gateway.

Everyone can connect locally and use internet just fine.

I have installed Cisco VPN clients on their workstations so they can VPN into my HQ location and be able to access Exchange, file servers, app servers, etc...

Everyone can do that just fine.

However, I have 1 user that has a Dell Latitude laptop with the same config as everyone else, and he can connect through the Cisco VPN at my house, his house, a Sprint air card, a Sprint hotspot, hotels, etc... just fine and access all his server stuff. But when he goes out to the remote location that has 8 users working, he can connect to the VPN, but it only gives him access to 2 servers; he cannot connect to the Exchange, file server, or SharePoint server. He cannot even ping those servers, and when you do an nslookup it comes back with "server: unknown" but gives the correct DNS server IP address.

But he can connect to our main accounting server and app server, and he can ping those as well.

I have reformatted his machine so it's a brand-new computer, and I'm still having the same results.

I then built his profile on another workstation out at that location, and it has no issues doing everything he needs.

So my question is: what's blocking him?
Is it his laptop (but how could it be, if he can connect on other networks and VPN just fine)?

Is it Comcast (but how could it be, if all 8 other users can do it just fine)?

Is it firewall issues (but how could it be, if all 8 can work just fine)?

I have no idea why it's like this and why it's just 1 user and 1 location that this user is experiencing it on.

Please help me on this, and if you need more info I will provide it, but hopefully I covered everything.
1 Solution
 
David Johnson, CD, MVP (Owner) commented:
Have you considered DirectAccess vs. using VPN?
 
mat1458 commented:
From what you are telling us, this can't be true! It should be working, as you say.

But anyway, there must be something.
-What OS does the system run?
-If you say the machine is new: did you install a new OS and all programs or did you reinstall from an image?
-Can you ping the inaccessible systems by IP address?
-How does the machine select the DNS servers? By DHCP or static?
-Is there a hosts file on the machine that might cause the trouble?
-Any static routes/weird arp entries on the system?
 
ArneLovius commented:
I'm going to guess overlapping subnets
 
Neogeo147 (Author) commented:
It's Windows 7 Pro 32-bit.

It grabs a DHCP address from the VPN pool, but my DNS servers are both static.

I haven't checked the hosts file because it's a complete reformat, not from an image, just a Win 7 CD.

What is subnet overlapping, and why just 1 user?
 
Fred Marshall commented:
I just want to make sure:
You are using all software VPN client setups from the remote computers, like this laptop?  I can imagine a degree of confusion if that's the case.  This seems more likely than anything else I can think of here.

Firewalls, firewalls, firewalls...... so you have to suspect the firewall on this laptop.
I have noted that Windows 7 requires more specific rule address scopes than XP requires for subnet-to-subnet file sharing.

You say:
when he goes out to the remote location that has 8 users working, he can connect to the VPN, but it only gives him access to 2 servers; he cannot connect to the Exchange, file server, or SharePoint server.

Hmmm.... a remote location with all software VPN clients running?  That seems odd.  I'd venture to guess that there's a site-to-site VPN in this situation.  In that case I should think that you'd not want to use a software VPN client with this laptop.  Rather, become part of the local subnet.

I think we need just a bit more information here.

I agree with ArneLovius re: overlapping subnets.  Do check that out!
 
Neogeo147 (Author) commented:
Yes, it's all the same VPN client that I install on everyone's workstation (80+ users).

Yes, I was thinking it must be something to do with the internal firewall on Windows 7, but when I force it off it still does the same thing.

Why does that seem odd?? I thought about a point-to-point but just didn't want to pay for that type of service; no need when it's 8 users at best at that location. It's pretty random; sometimes it's just 1 person there.

With a site-to-site VPN, won't they lose speed on their current internet connection? Comcast has them on a 20 Mb circuit, but when they tunnel into the VPN it slows down their internet. So to make everyone happy (since they don't need to do much VPNing), the plan is to not mess with the pipe coming in so they can take advantage of full speeds (which is needed for downloading AutoCAD drawings from FTP sites).

What other info would you like???

Overlapping subnets with 1 user???
 
Neogeo147 (Author) commented:
Their location has a Sprint Airave to boost their cell signal. Now, this Airave has a WAN port, and they have it plugged into the patch panel on the wall.

I thought this might be the culprit because it's a pretty advanced little device; it has its own firewall and router built in. But then I think, well, nobody else out at that location has any issues, and even I don't when I go out there, so it can't be that. But to make sure, I unplugged it and tried again with that 1 user's laptop, and still nothing.
 
Fred Marshall commented:
With a site-to-site VPN, won't they lose speed on their current internet connection? Comcast has them on a 20 Mb circuit, but when they tunnel into the VPN it slows down their internet. So to make everyone happy (since they don't need to do much VPNing), the plan is to not mess with the pipe coming in so they can take advantage of full speeds (which is needed for downloading AutoCAD drawings from FTP sites).

I don't see how they would lose any speed.  In fact, I wouldn't be surprised if a site-to-site VPN might be faster, as the PCs then wouldn't have to be doing the encryption.

but when they tunnel into the VPN it slows down their internet.
??? Does this mean that when they connect the vpn that web page loads slow down?  Well, I might think so because it's *all* using the available internet connection bandwidth together.  This would be *very* situation dependent.

I'm a little surprised that they can get internet connections locally while connected via a software client vpn.  Are you sure they aren't getting the internet access via the main site at that point?

So to make everyone happy (since they don't need to do much VPNing), the plan is to not mess with the pipe coming in so they can take advantage of full speeds (which is needed for downloading AutoCAD drawings from FTP sites)

I don't fully understand yet... sorry.  Are you saying that they connect to the internet to do most of their work and then only connect (through the internet again of course) via vpn when they need to access the main office?
What do you mean by "mess with the pipe coming in"?

If you were to set up a site-to-site VPN at the one remote office then you would get the experience of having both a local internet connection AND a connection to the main office subnet all at the same time.  You wouldn't have to use the internet access "back out" through the main office.  But, I think, if you use a software VPN client then you're stuck with that one connection.  That means that internet accesses go:
1) from the remote computer to the main site via vpn
2) from the main subnet to the "bare" internet
3) from the "bare" internet to the main site.
4) from the main site to the remote site via vpn.
So, if you're doing a file download from the internet this way then the same file traverses your main site internet interface 2 times.
- down to main site
- up/out to remote site.
I'd not do it this way if I could help it.

Note that the uplink speed, if lower, is going to be the limiting speed for the vpn because one side or the other is always uploading in order to communicate.
 
Neogeo147 (Author) commented:
Sorry, my VPN knowledge on site-to-site is limited. Thanks for letting me know that it wouldn't hurt their local internet speeds.

So I have a Cisco ASA, but I have not set it up for site-to-site VPN. Do they need one on their end to receive this signal, or can I set it up and just point it to their static IP on their Comcast modem??

Since I don't have that set up yet and I have so many remote users, that is the reason why I set it up like this; plus my current VPN hardware is a Cisco VPN concentrator, and I'm not sure if that can do site-to-site. Do you know??

Yes, they connect to the office only sometimes, to look up documents, access the AutoCAD license, and other things, but not all the time. Most of the time they don't need VPN.

But our big wigs (executives) need this VPN client, and they travel so much that I can't set up a site-to-site VPN everywhere they go. So that is another reason why I have it set up like this.

But then it brings us back to the main question: why is it just this one user and this one location??
 
Gabriel Orozco (Solution Architect) commented:
Out of curiosity:

What IP address is the notebook given when he is connected on the faulty network?

What IP address is the notebook given elsewhere?

Could this have to do with your filters? Just try to put his notebook on another IP and then try.
 
David Johnson, CD, MVP (Owner) commented:
To minimize network overhead I'd use BranchCache and DirectAccess (Windows 7 Enterprise or higher).
 
Neogeo147 (Author) commented:
What is BranchCache?? DirectAccess??

The IP address is 192.168.0.55,

but when it's connected to the VPN it gets 10.x.x.x.

No filters in place that I know of...
 
David Johnson, CD, MVP (Owner) commented:
I gave you links to both... notice that they are in BLUE...
 
Fred Marshall commented:
Yes, for a site-to-site VPN you need hardware at both ends.  This can often be the internet gateway router.  Some suggest using the same model at both ends but you could try different models if hardware cost is an issue but your time is not.

I have experience with the Cisco RV042 for this purpose and not with the ASA so not those two together....
 
Fred Marshall commented:
The question about one user and one location is, in my mind, about specifics of those two things.

Assuming that the user is using exactly the same VPN software for connecting then what might it be about that site that's blocking the connection (if that's even the right term for it)?

I have very little experience with the software VPN client setups.  But here is maybe a hint from site-to-site setups:

In some cases, it's not possible to go through too many NAT boxes with a VPN tunnel.
For example, I can set up a pair of RV042's as VPN terminations.  ONE of them can be behind another router but BOTH of them cannot be behind other routers.  
In the one router, IPSEC passthrough has to be set up.  
So, I wonder, if that might be the case at this one site?
Well, probably not because the other clients work OK.

It then sounds like a subnet, or really a subnet mask, problem.  If you look at what can be accessed and what cannot, how do those addresses fall into subnets?  That is, even if they are supposed to be on the same subnet, might the accessible ones be on a smaller subnet within and the inaccessible ones be on a different smaller subnet within?
A list of those addresses showing the address and accessible/inaccessible would tell.
In general, the accessible ones might be in a contiguous space and the inaccessible ones in another contiguous space.
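The overlapping-subnet hypothesis that ArneLovius raised earlier and that Fred Marshall's address-list suggestion above is meant to test can be checked mechanically. The script below is an added example, not code from the thread or from any poster: it models a split-tunnel client's routing table with longest-prefix-match and metric tie-breaking (the order Windows uses), then reports which interface each HQ server would be sent out of. The only facts taken from the thread are that the laptop is 192.168.0.55 on the office LAN (so that LAN is 192.168.0.0/24) and that the VPN hands out a 10.x.x.x address; the HQ subnets, server addresses, VPN pool, metrics and the "home" network are constructed assumptions chosen so that the accounting/app servers sit in a 10.x range and Exchange/file/SharePoint sit in a 192.168.0.0/24 that collides with the office LAN. When the HQ prefix matches the local LAN prefix, the directly connected route wins and those servers are unreachable even though the tunnel is up, which is exactly the split seen in the question; on a LAN with a different prefix every server routes through the tunnel. Note the caveat: this mechanism explains "works at home, fails at that office" but not, by itself, why the other eight workstations on the same LAN are unaffected, which the thread leaves open.

```python
"""Model of why overlapping subnets leave some VPN targets unreachable.

Toy longest-prefix-match route selection with metric as the tie-breaker.
All addresses are constructed for this example except two facts from the
thread: the laptop is 192.168.0.55 on the office LAN, and the VPN assigns
a 10.x.x.x address.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    interface: str   # "lan" = physical NIC, "vpn" = VPN client's virtual adapter
    metric: int      # lower wins among routes with the same prefix length


def select_route(dst: IPv4Address, routes: List[Route]) -> Optional[Route]:
    """Standard host route selection: longest prefix first, then lowest metric."""
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def build_routes(lan: IPv4Network, vpn_pool: IPv4Network,
                 hq_nets: List[IPv4Network]) -> List[Route]:
    """Routing table of a split-tunnel client (metrics are assumptions):
    the LAN is directly connected and cheap; the VPN pool and the HQ
    subnets pushed by the concentrator point at the tunnel adapter."""
    routes = [
        Route(ip_network("0.0.0.0/0"), "lan", 25),  # default via office gateway
        Route(lan, "lan", 10),                       # directly connected LAN
        Route(vpn_pool, "vpn", 20),                  # VPN-assigned address range
    ]
    routes += [Route(n, "vpn", 20) for n in hq_nets]
    return routes


def overlapping_hq_nets(lan: IPv4Network, hq_nets: List[IPv4Network]) -> List[IPv4Network]:
    """HQ subnets that collide with the local LAN prefix."""
    return [n for n in hq_nets if n.overlaps(lan)]


def reachability(servers: Dict[str, str], routes: List[Route]) -> Dict[str, str]:
    """Interface each server would be sent out of; only 'vpn' reaches HQ."""
    result = {}
    for name, ip in servers.items():
        route = select_route(ip_address(ip), routes)
        result[name] = route.interface if route else "unroutable"
    return result


# Constructed HQ layout (assumption, the thread gives no server addresses):
# accounting/app in 10.1.0.0/16, Exchange/file/SharePoint in 192.168.0.0/24.
VPN_POOL = ip_network("10.1.200.0/24")
HQ_NETS = [ip_network("10.1.0.0/16"), ip_network("192.168.0.0/24")]
SERVERS = {
    "accounting": "10.1.2.10",
    "app":        "10.1.2.11",
    "exchange":   "192.168.0.20",
    "fileserver": "192.168.0.21",
    "sharepoint": "192.168.0.22",
}
REMOTE_OFFICE_LAN = ip_network("192.168.0.0/24")  # laptop is 192.168.0.55 there
HOME_LAN = ip_network("192.168.1.0/24")           # constructed non-overlapping LAN


def explain(lan: IPv4Network) -> Dict[str, str]:
    """Per-server egress interface for a client sitting on the given LAN."""
    return reachability(SERVERS, build_routes(lan, VPN_POOL, HQ_NETS))


def interface_for(ip: str, lan: IPv4Network) -> str:
    """Egress interface for an arbitrary destination from the given LAN."""
    route = select_route(ip_address(ip), build_routes(lan, VPN_POOL, HQ_NETS))
    return route.interface if route else "unroutable"


if __name__ == "__main__":
    for label, lan in (("remote office", REMOTE_OFFICE_LAN), ("home", HOME_LAN)):
        clashes = [str(n) for n in overlapping_hq_nets(lan, HQ_NETS)]
        print(f"{label} ({lan}): overlapping HQ subnets = {clashes or 'none'}")
        for name, iface in explain(lan).items():
            print(f"  {name:<11} -> {iface}")
```

Run it against the real numbers by replacing the constructed constants with the output of `route print` on the affected laptop while the tunnel is up and the addresses of the servers that do and do not answer; the servers that map to "lan" in the result are the ones the local prefix is stealing from the tunnel.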
 
Neogeo147 (Author) commented:
I would like to close this question due to nobody knowing an answer, and I will have to figure it out myself. I'll post back once I have solved my own issue.

Thanks for the help
 
Neogeo147 (Author) commented:
Nobody knows the answer
