https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841231#M52625 <HTML><HEAD></HEAD><BODY><P>Hi Scott,</P><P>My understanding is that all traffic is tunnelled through the EoIP tunnel, and therefore there is no need to specify ipsec ports on our firewall.&nbsp; Is this not correct?</P></BODY></HTML> Tue, 29 Nov 2011 14:45:07 GMT liamwalk1971 2011-11-29T14:45:07Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841227#M52621 <P>Hi,</P><P></P><P>We have implemented a Guest WLAN using a 4402 controller residing&nbsp; in our internet facing DMZ environment.&nbsp; EoIP tunnel forwards traffic&nbsp; from internal controllers to DMZ anchor.&nbsp; The service works well and is&nbsp; very popular with third party contractors working onsite.&nbsp;&nbsp; Authentication for guest is via a Cisco Guest NAC server.</P><P></P><P>We have had a few issues with contractors attempting to establish client VPN access to their parent company.&nbsp; Are there any known issues with this type of guest connection?</P><P></P><P>Many thanks</P> Sun, 04 Jul 2021 04:08:38 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841227#M52621 liamwalk1971 2021-07-04T04:08:38Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841228#M52622 <HTML><HEAD></HEAD><BODY><P>Liam,</P><P></P><P>As long as you are opening up the ports for VPN on the FW, you should be fine.&nbsp; I have never had any issues with various type of VPN clients using wireless guest (webauth).&nbsp; Are you sure that the users have successfully authenticated? Also did you increase the session timeout or disabled it.&nbsp; This will force webauth users to log back in which might be an issue also.</P></BODY></HTML> Tue, 29 Nov 2011 13:29:22 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841228#M52622 Scott Fella 2011-11-29T13:29:22Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841229#M52623 <HTML><HEAD></HEAD><BODY><P>What code version?</P><P></P><P>There have been numerous bugs with pptp not working so if you aren't up to date on code, it wouldn't surprise me if that is your problem.</P></BODY></HTML> Tue, 29 Nov 2011 14:28:14 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841229#M52623 weterry 2011-11-29T14:28:14Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841230#M52624 <HTML><HEAD></HEAD><BODY><P>Can you provide us with what code versions are affected?</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Tue, 29 Nov 2011 14:37:41 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841230#M52624 Scott Fella 2011-11-29T14:37:41Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841231#M52625 <HTML><HEAD></HEAD><BODY><P>Hi Scott,</P><P>My understanding is that all traffic is tunnelled through the EoIP tunnel, and therefore there is no need to specify ipsec ports on our firewall.&nbsp; Is this not correct?</P></BODY></HTML> Tue, 29 Nov 2011 14:45:07 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841231#M52625 liamwalk1971 2011-11-29T14:45:07Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841232#M52626 <HTML><HEAD></HEAD><BODY><P>I thought there was one in mid-6.0 code.... but can't seem to find bug ID so I may be mistaken</P><P></P><P>CSCsx20559&nbsp;&nbsp;&nbsp; PPTP not working through WLC&nbsp;&nbsp; - Exists in 5.2.157.0 5.2.178.0&nbsp;&nbsp; resolved in 5.2.193 / 6.0</P><P></P><P>CSCtc78925&nbsp;&nbsp;&nbsp; PPTP not connecting through IOS based AP - Autonomous - One of the biggest issues with 12.4(21a)JA01&nbsp; (resolved in whatever IOS code came after JA01.</P><P></P><P>It also looks like there is an even older bug but I can't make out wlc version of code.</P><P></P><P></P><P>It may not even be an issue for this case.&nbsp; Just something to note.</P></BODY></HTML> Tue, 29 Nov 2011 14:50:05 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841232#M52626 weterry 2011-11-29T14:50:05Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841233#M52627 <HTML><HEAD></HEAD><BODY><P>Correct... I have clients that put rules in the FW for guest traffic not allowing VPN, that's why I ask.</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Tue, 29 Nov 2011 14:50:11 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841233#M52627 Scott Fella 2011-11-29T14:50:11Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841234#M52628 <HTML><HEAD></HEAD><BODY><P>Thanks for the version! I was worried it was on the 6.x:)</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Tue, 29 Nov 2011 14:54:41 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841234#M52628 Scott Fella 2011-11-29T14:54:41Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841235#M52629 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P></P><P>The version of code on the corporate network controllers (2 x WiSM) and DMZ Anchor Point controllers (2 x 4402) is 7.0.98.0.</P><P></P><P>If there are any recommendations on required code level, please let me know.</P><P></P><P>Many thanks</P></BODY></HTML> Tue, 29 Nov 2011 17:10:28 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841235#M52629 liamwalk1971 2011-11-29T17:10:28Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841236#M52630 <HTML><HEAD></HEAD><BODY><P>Nothing specific to this issue comes to mind as far as 7.0 goes.</P><P>I saw a few TAC cases complain about guest + vpn,&nbsp; all of which were firewall limitations (except I think 1 was a bandwidth contract issue).&nbsp; </P><P></P><P>Are you doing rate limiting with bandwidth contracts?&nbsp; That wouldn't prevent a vpn though, it would just potentially cause vpn disconnects due to over subscription.....</P><P></P><P></P><P>So unless bandwidth contracts are in place, I'm leaning back to Scott's post.&nbsp;&nbsp; I assume you have a firewall between your Anchor WLC and the internet.....&nbsp; perhaps the firewall is eating that packets?&nbsp;&nbsp; Specifically, you mention your anchor is in the DMZ....&nbsp; I hear DMZ used loosely, sometimes it means completely on the other side of the firewal, some times it means a virtual zone within the firewal (port 1 trust, port 2 untrust, port 3 dmz)&nbsp; so traffic would still go thorugh the firewall from DMZ to untrust to get to internet....</P></BODY></HTML> Tue, 29 Nov 2011 17:24:30 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841236#M52630 weterry 2011-11-29T17:24:30Z https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841237#M52631 <HTML><HEAD></HEAD><BODY><P> Hi,</P><P>Yes, I just checked the fw rules and although we allow all tcp/udp access outbound, I am thinking we also need to enable IPSec-ESP protocol 50 also.</P><P></P><P>Many thanks</P></BODY></HTML> Tue, 29 Nov 2011 17:32:25 GMT https://community.cisco.com/t5/wireless/guest-access-and-vpn-client-sessions/m-p/1841237#M52631 liamwalk1971 2011-11-29T17:32:25Z