06-03-2011 02:33 AM - edited 03-11-2019 01:42 PM
Hi There
I have a Cisco ASA 5520 Firewall that acts as a VPN Server. The Cisco Remote Access VPN (using Cisco VPN client software) has been working fine for many years now. However, lately, I've been informed that, if the remote users were to connect to the VPN Server via ISP-A, everything works fine but if via ISP-B, everything works fine until the authentication portion and the remote user is able to grab a dynamic DHCP pool IP from the VPN Server, but after that, nothing works anymore e.g. unable to PING any devices in the private LAN and even access any servers in the private LAN.
I suspect this problem is because when a remote user first connects to ISP-B, the ISP-B provides a dynamic IP to the remote user which conflicts or overlaps with the private LAN. For this reason, remote users are unable to PING any devices in the private LAN or even access any servers in the private LAN.
Can this issue be resolved? Please kindly advise.
Regards,
Ram
06-03-2011 03:10 AM
Hi There
Just to add on, shown below is what I saw
ISP-B gives a dynamic IP Address 10.145.140.134/32
After the authentication is successful, the VPN Server gives a dynamic IP Address 10.208.111.2/8
The private LAN network address is 10.208.0.0/16
Could the dynamic IP address provided by the ISP-B conflict/overlap with the dynamic IP Address given by the VPN Server?
Regards,
Ram
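The three addresses quoted in the post above can be compared directly for overlap. The following is an added example, not part of the original thread; the function names and the second probe host (10.208.5.10) are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Addresses and masks exactly as quoted in the post above.
ADDRESSES = {
    "isp_b_client": "10.145.140.134/32",
    "vpn_assigned": "10.208.111.2/8",
    "private_lan": "10.208.0.0/16",
}


def to_network(cidr):
    """Return the network a host/mask pair belongs to.

    ip_interface accepts host bits, so 10.208.111.2/8 becomes 10.0.0.0/8.
    """
    return ipaddress.ip_interface(cidr).network


def find_overlaps(named):
    """Return every pair of names whose networks share address space."""
    nets = {name: to_network(cidr) for name, cidr in named.items()}
    return [
        (a, b)
        for (a, net_a), (b, net_b) in combinations(nets.items(), 2)
        if net_a.overlaps(net_b)
    ]


def matching_prefixes(named, host):
    """Return names of networks containing host, most specific first."""
    ip = ipaddress.ip_address(host)
    hits = [(to_network(c), n) for n, c in named.items() if ip in to_network(c)]
    hits.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return [name for _, name in hits]


if __name__ == "__main__":
    for name, cidr in ADDRESSES.items():
        print(f"{name:13} {cidr:20} -> {to_network(cidr)}")
    for a, b in find_overlaps(ADDRESSES):
        print(f"overlap: {a} <-> {b}")
    # The first probe is the ISP-B address from the post; the second is a
    # constructed host inside the private LAN range.
    for probe in ("10.145.140.134", "10.208.5.10"):
        print(probe, "is covered by", matching_prefixes(ADDRESSES, probe))
```

With the masks as posted, the ISP-B address does not fall inside the 10.208.0.0/16 private LAN, but it does fall inside 10.0.0.0/8, the network implied by the /8 mask on the VPN-assigned address.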
06-14-2011 07:49 PM
From: Vikas Grover [mailto:vigrover@cisco.com]
Sent: Wednesday, June 15, 2011 3:44 AM
To: Ramraj Sivagnanam (AP)
Subject: SR 618038027 - Troubleshoot Remote Access VPN - 4565789-2
Hi Ram,
I think last time during the troubleshooting session we were using a 3G data card. The Cisco IPsec VPN client has some issues with 3G data cards, i.e. it doesn’t work well. There is a bug ID: CSCsf10635
Workaround:
Some customers have had positive results by setting the following parameter in the VPN Client profile:
ForceNatT=1
However, this doesn't work in all situations. Please try to follow the above workaround and see if we are able to connect.
Thanks & Regards,
Vikas Grover
Cisco TAC Engineer - (VPN)
Cisco Systems Inc.