
Cisco IPSec Client Failing over Aircard -> ASA5510

mmedwid
Level 3

vpnclient-winx64-msi-5.0.07.0290-k9 client running on Win 7 has created VPN tunnels to Cisco ASA 5510 for months and suddenly stopped working today. No changes to the firewall in two weeks, and even then nothing that would impact VPN. ASA code version 8.2(1)11.
Licensing good:
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled

Total VPN Peers                : 250

What happens is the IPsec tunnel establishes.  But then the client appears to not be able to encrypt any of the traffic from PC to the LAN.  Some client systems succeed (like mine for instance) and the logs in the Cisco client look like below:

16     16:11:24.036  01/21/11  Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.6.51

17     16:11:24.036  01/21/11  Sev=Info/4 IPSEC/0x63700037
Configure public interface: 75.208.1.230. SG: 6.7.154.36

18     16:11:24.919  01/21/11  Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x5d624954 for inbound key with SPI=0x859ac5b1

But... for those who fail, log entries similar to #17 and #18 are absent. Note that those who fail can VPN no problem over WiFi or over LAN. Just over AT&T or Verizon aircard they fail. But I (and others) succeed over these nets.

I will add a screen grab that shows packet discards at failing clients. At this point I am at a loss if this is a client issue or something going on with the ASA. Any thoughts on how to nail this down? Unfortunately the latest client from Cisco, vpnclient-win-msi-5.0.07.0410-k9, is not available in 64 bit to try out.
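
An added example (not part of the original post, and not Cisco tooling): a small Python check for the symptom described above, reporting which of the three IPSEC message IDs quoted for a working session are absent from a client log export. The `BAD` sample is constructed, and treating these three IDs as the expected set is an assumption based only on the entries shown in the post.

```python
import re

# Entry header as shown in the post: "17  16:11:24.036  01/21/11  Sev=Info/4 IPSEC/0x63700037"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>\w+)/\d+\s+(?P<comp>\w+)/(?P<msgid>0x[0-9A-Fa-f]{8})\s*$"
)

# Message IDs copied from the three entries quoted for a working session.
EXPECTED = {
    "0x6370002F": "Assigned VA private interface addr",
    "0x63700037": "Configure public interface",
    "0x63700019": "Activate outbound key",
}

def parse_entries(text):
    """Split a log export into entries: one header line plus its message lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entry = dict(m.groupdict(), text="")
            entry["msgid"] = "0x" + entry["msgid"][2:].upper()
            entries.append(entry)
        elif line and entries:
            entries[-1]["text"] = (entries[-1]["text"] + " " + line).strip()
    return entries

def missing_events(text):
    """Return the expected IPSEC message IDs that never appear in the log."""
    seen = {e["msgid"] for e in parse_entries(text) if e["comp"] == "IPSEC"}
    return [mid for mid in EXPECTED if mid not in seen]

# Constructed samples: GOOD repeats the post's entries, BAD keeps only #16.
GOOD = """\
16     16:11:24.036  01/21/11  Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.6.51

17     16:11:24.036  01/21/11  Sev=Info/4 IPSEC/0x63700037
Configure public interface: 75.208.1.230. SG: 6.7.154.36

18     16:11:24.919  01/21/11  Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x5d624954 for inbound key with SPI=0x859ac5b1
"""
BAD = GOOD.split("\n\n")[0] + "\n"

if __name__ == "__main__":
    for name, log in (("succeeding client", GOOD), ("failing client", BAD)):
        print(name, "missing:", missing_events(log) or "none")
```

Running the same check over logs from an aircard session and a WiFi session on one failing machine shows at which step the two sessions diverge.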

2 Replies

Ankur Bajaj
Cisco Employee

Hello,

Is split tunneling enabled on the head end, or is it tunnel all?

If split tunneling is enabled, can you try with tunnel all with a new profile and see if that makes a difference (this is on the ASA part)?

From the client perspective, install Wireshark on the system and see if the packets are handed over to the virtual adapter.

If they are handed over and not getting sent, please uninstall and then re-install the VPN client.

Regards

Ankur Bajaj

All the users are using a split tunnel - both the FailUsers and SucceedUsers.  But I did have one of the FailUsers try a non-split-tunnel group to see if it made a difference.  It did not.

We've tried uninstalling and reinstalling the client several times.  In fact I had one user remove the aircard and drivers and the IPsec client.  Then reinstall from the bottom up.  And no improvement.  Then I had this same user downgrade to an earlier beta 64 bit client subrevision 0240.  But again still no go.

The Wireshark is a good thought.