
No network access after VPN connection

ayiangoullis
Level 1

I use VPN Client 5.0.04.0300 to connect to a remote VPN network (ASA 5100 firewall). I can successfully log in but I cannot access any resources (not even ping servers). Other colleagues can do this from home and can even do RDP. I tried this from both Vista and XP PCs with the same results. I have a Dlink router/firewall at home, on which I disabled all firewall features in order to troubleshoot. I even placed my laptop in the DMZ, but the results were always the same.

Can I have some help on this please?


JORGE RODRIGUEZ
Level 10

Andreas,

I do not know much about Dlink devices, but generally most vendors follow some standards. I would first check the following.

1- On the Dlink make sure UPnP is enabled

http://en.wikipedia.org/wiki/Universal_Plug_and_Play#Overview

2- On your VPN client make sure you have NAT-T enabled. This can be found when you first load the VPN client: right-click your company tunnel group name, then Modify, then the Transport tab (next to the Authentication tab), and check Enable Transparent Tunneling, IPSec over UDP (NAT/PAT).

Check the above in your local configurations of the Dlink and the VPN client. Check back if no luck; we will need to turn on logging to see what could be the problem. Logs could give us some clues about the problem.

Regards

rate any helpful posts

Jorge Rodriguez

Thanks for reply.

Both options are true. I have played a lot with all settings of my VPN client and my router.

Here is a log of VPN client with default logging mode (1-low). Note that no error is logged during connection or attempt to ping (which fails). The errors appear when disconnecting. Maybe it's normal:

Cisco Systems VPN Client Version 5.0.04.0300

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6001 Service Pack 1

1 21:02:04.863 01/01/09 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.x.x.x, error 0

2 21:02:05.870 01/01/09 Sev=Warning/2 CVPND/0xA3400015

Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0

3 21:02:06.333 01/01/09 Sev=Warning/2 IKE/0xA3000067

Received an IPC message during invalid state (IKE_MAIN:512)

Would you be able to confirm the asa5510 firewall has NAT-T (NAT traversal) enabled at their end?

Jorge Rodriguez

Not on my own, but assuming that others can successfully connect with the same options, only with an older version (4.x), this setting must be OK.

but assuming that others can successfully connect with the same options

This is not necessarily true, but narrowing down possibilities is part of troubleshooting.

If you can confirm this at the VPN server we can rule this out firmly.

Does your local LAN network ID by chance happen to be the same as the LAN at the other end, behind the VPN server? This is just to rule out overlapping private networks. If this checks out not to be true, have you tried using the same VPN client version the other VPN users use (v4.x)?

Regards

Jorge Rodriguez

My friend can indeed connect because we share work and he completes some tasks remotely from home. He uses VPN so, it's true.

My home network is 192.168.0.x/24 and the remote site uses the exact same network. However, I tried to change this here and used something else (192.168.1.x/24) and the problem was the same. I haven't tried all troubleshooting options on my router with the new subnet, though.

Do you think that this could be the problem?

ayiangoullis
Level 1

UPDATE: I managed to make it work under the following conditions:

1) Changed my local network ID to 192.168.1.0 instead of 192.168.0.0 (which is the remote network)

2) I placed my laptop's IP in the DMZ on my Dlink router (which I don't want to do)

3) Added a static route for the remote domain that points to the VPN tunnel IF (172.16.20.18)

It worked that way, but my colleague didn't have to use the DMZ. He doesn't have a route to the remote domain, but he sees the ASA's IP as a gateway somewhere in the routing table.

If I take out the DMZ and then disconnect from VPN and reconnect, it doesn't work any more. So I need DMZ all the time and a permanent static route.

Can anyone help now with this new info?

ayiangoullis
Level 1

UPDATE:

If I remove the DMZ and reconnect to VPN, it doesn't work for a while. After 3-4 minutes I can ping the network.

For me, this doesn't make any sense, please drop in some knowledge.

Provided that the Dlink is the only firewall/router in your LAN, I would suggest checking with the Dlink support page or support line. Check the Dlink's current firmware and any firmware update release notes for issues with VPN.

Regards

Jorge Rodriguez
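The overlapping-private-network check raised in this thread, written out as an added example (it is not code from any poster or from Cisco). It flags a home LAN that collides with the network behind the VPN gateway and proposes a replacement subnet; the function names are hypothetical, and treating the tunnel address 172.16.20.18 as a single host (/32) is an assumption.

```python
import ipaddress

# RFC 1918 private blocks from which a home LAN is normally numbered.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def _net(text):
    # strict=False also accepts a host address with a mask, e.g. 192.168.0.5/24
    return ipaddress.ip_network(text, strict=False)

def find_overlaps(local_nets, remote_nets):
    """Return (local, remote, shared) for every local/remote pair that collides."""
    hits = []
    for local in map(_net, local_nets):
        for remote in map(_net, remote_nets):
            if local.overlaps(remote):
                # Two CIDR blocks overlap only when one contains the other,
                # so the shared range is simply the smaller block.
                shared = local if local.subnet_of(remote) else remote
                hits.append((str(local), str(remote), str(shared)))
    return hits

def suggest_lan(avoid, prefixlen=24):
    """First private subnet of the given size that overlaps nothing in avoid."""
    avoid = [_net(n) for n in avoid]
    for block in PRIVATE_BLOCKS:
        for candidate in block.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(a) for a in avoid):
                return str(candidate)
    return None

if __name__ == "__main__":
    home = ["192.168.0.0/24"]                       # home LAN from the thread
    remote = ["192.168.0.0/24", "172.16.20.18/32"]  # remote LAN + tunnel address
    for local, rem, shared in find_overlaps(home, remote):
        print(f"{local} collides with {rem}: traffic to {shared} may stay on the local LAN")
    print("suggested home LAN:", suggest_lan(remote))
```

For the thread's addresses it reports the 192.168.0.0/24 collision and suggests 192.168.1.0/24, the subnet the original poster moved to.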