Cannot connect to remote server unless...

milano008
Level 1

I have a 3002 VPN Client at one of our customer sites and a 3000 series concentrator at our site. I have configured the client to establish a tunnel to our concentrator as I have done identically with our other customers and when finished the "VPN" light goes green. From the customer site I can ping our concentrator. So I assume all is ok. Two days later I am back home and I cannot ping their server or the 3002. With one of their IT guys logged into the server he pings our concentrator. Immediately I am able to telnet to the 3002 and the remote server. Strange. Next day it is the same. I am unable to establish ANY kind of connection to the client until someone over there pings our network. I have been working with their network guy because my first inclination is that our 3002 is behind their firewall and it is not allowing an incoming connection from our network unless an outgoing connection to our network is made first. Then after some time the connection resets. The network guy tells me that our VPN is plugged into the "DMZ" port on the firewall. I thought the DMZ was "open" offering no protection. Am I wrong?

If we are in the "DMZ" what could the problem be?

If we are behind the firewall what could the problem be?

Thanks

Mark

3 Replies

jsivulka
Level 5

The DMZ, like any other interface on the PIX, follows the rule that traffic from a lower security interface to a higher security interface is not allowed through unless explicitly permitted or if the traffic is in response to a connection initiated on the higher security interface. What you need to do is to explicitly permit this icmp traffic from the DMZ to the higher security inside interface. However, if I were you, I would not do that considering the terrific hole you will end up opening in your firewall.

Here is some new information:

It seems to have nothing to do with which server initiates the communications. I have set up a CRON job on my local Unix workstation that pings the VPN client every ten minutes. The result is at 8:14am it connects. At 8:24am no connection. No connection again until 9:14am. This pattern continues for hours.

Mark

Here is even more information:

I have enabled debug logging on the Concentrator and have had it logging this way for only a few hours and I have noticed that for all of our clients I see the following:

-----------------------------------------------------

Jan 5 17:57:08 bifrost 69442 01/05/2005 18:02:09.940 SEV=9 IKEDBG/36 RPT=1669 64.179.xx.xx Group [vestacare] User [cyp] Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x60aee635)

-----------------------------------------------------

I see this for all our clients except the one that keeps dropping the connection. What do I need to do now?

Thanks

Mark
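One way to turn the concentrator debug log into a per-peer check, so that a peer whose DPD keep-alives have gone quiet stands out without reading the log by hand. This is an added example written for this thread, not code from the thread or from Cisco: it assumes only the line layout of the single concentrator log line quoted above, and every sample line, peer address (RFC 5737 documentation ranges), group and user name below is constructed.

```python
"""Flag IPsec peers whose DPD keep-alive traffic has gone quiet in VPN 3000 debug logs.

Added example, not from the thread. The line layout follows the one concentrator
log line quoted in the thread; all sample lines, peers, groups and users are constructed.
"""
import re
from datetime import datetime, timedelta

# Fields after the syslog prefix: the concentrator's own timestamp, severity,
# facility, peer address, group, user and the free-text message. The syslog
# prefix ("Jan 5 17:57:08 bifrost 69442") is skipped because re.search is used.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"SEV=(?P<sev>\d+) (?P<fac>\S+) RPT=\d+ (?P<peer>\S+) "
    r"Group \[(?P<group>[^\]]+)\] User \[(?P<user>[^\]]+)\] (?P<msg>.*)$"
)
TS_FMT = "%m/%d/%Y %H:%M:%S"
DPD_MARKER = "keep-alive of type DPD"  # present in both R-U-THERE and R-U-THERE-ACK lines

# Constructed sample: site-a and site-b exchange DPD keep-alives, site-c only
# ever negotiates an SA and never shows any DPD traffic.
SAMPLE_LOG = """\
Jan 5 17:57:08 bifrost 69442 01/05/2005 18:02:09.940 SEV=9 IKEDBG/36 RPT=1669 198.51.100.10 Group [site-a] User [usr-a] Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x60aee635)
Jan 5 17:57:20 bifrost 69443 01/05/2005 18:02:21.112 SEV=9 IKEDBG/36 RPT=1670 198.51.100.20 Group [site-b] User [usr-b] Received keep-alive of type DPD R-U-THERE (seq number 0x1a2b3c4d)
Jan 5 17:57:20 bifrost 69444 01/05/2005 18:02:21.113 SEV=9 IKEDBG/36 RPT=1671 198.51.100.20 Group [site-b] User [usr-b] Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x1a2b3c4d)
Jan 5 17:57:30 bifrost 69445 01/05/2005 18:02:31.500 SEV=8 IKEDBG/0 RPT=1672 203.0.113.5 Group [site-c] User [usr-c] Phase 2 SA negotiated (constructed message)
Jan 5 17:58:09 bifrost 69446 01/05/2005 18:03:10.004 SEV=9 IKEDBG/36 RPT=1673 198.51.100.10 Group [site-a] User [usr-a] Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x60aee636)
"""


def parse_line(line):
    """Return a dict of fields for one concentrator line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["sev"] = int(rec["sev"])
    rec["is_dpd"] = DPD_MARKER in rec["msg"]
    return rec


def dpd_activity(lines):
    """Map (group, user, peer) -> (last line of any kind, last DPD line or None)."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log lines are ignored, not an error
        key = (rec["group"], rec["user"], rec["peer"])
        last_any, last_dpd = seen.get(key, (None, None))
        if last_any is None or rec["ts"] > last_any:
            last_any = rec["ts"]
        if rec["is_dpd"] and (last_dpd is None or rec["ts"] > last_dpd):
            last_dpd = rec["ts"]
        seen[key] = (last_any, last_dpd)
    return seen


def quiet_peers(lines, now_str, max_silence_s=120):
    """Peers with no DPD keep-alive at all, or none within max_silence_s of now_str.

    now_str uses the concentrator's own timestamp format (TS_FMT). Returns a sorted
    list of ((group, user, peer), last_dpd_or_None).
    """
    now = datetime.strptime(now_str, TS_FMT)
    limit = timedelta(seconds=max_silence_s)
    out = []
    for key, (_last_any, last_dpd) in sorted(dpd_activity(lines).items()):
        if last_dpd is None or now - last_dpd > limit:
            out.append((key, last_dpd))
    return out


if __name__ == "__main__":
    for (group, user, peer), last in quiet_peers(SAMPLE_LOG.splitlines(), "01/05/2005 18:05:00"):
        when = last.strftime(TS_FMT) if last else "never"
        print(f"{group}/{user} at {peer}: last DPD keep-alive {when}")
```

The check keys on the concentrator's own timestamp rather than the syslog prefix, since the two differ by several minutes in the quoted line, and the silence threshold is a parameter because the DPD interval is a tunable per group; a peer flagged by this script is one to look at, not proof of a fault on its own.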