01-21-2011 05:27 PM - edited 02-21-2020 05:06 PM
vpnclient-winx64-msi-5.0.07.0290-k9 client running on Win 7 has created VPN tunnels to a Cisco ASA 5510 for months, then suddenly stopped working today. No changes to the firewall in two weeks, and even then nothing that would impact VPN. ASA code version 8.2(1)11.
Licensing good:
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Total VPN Peers : 250
What happens is the IPsec tunnel establishes. But then the client appears to not be able to encrypt any of the traffic from PC to the LAN. Some client systems succeed (like mine for instance) and the logs in the Cisco client look like below:
16 16:11:24.036 01/21/11 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.6.51
17 16:11:24.036 01/21/11 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 75.208.1.230. SG: 6.7.154.36
18 16:11:24.919 01/21/11 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x5d624954 for inbound key with SPI=0x859ac5b1
But... for those who fail, log entries similar to #17 and #18 are absent. Note that those who fail can VPN no problem over WiFi or over LAN. Just over AT&T or Verizon aircard they fail. But I (and others) succeed over these nets.
I will add a screen grab that shows packet discards at failing clients. At this point I am at a loss as to whether this is a client issue or something going on with the ASA. Any thoughts on how to nail this down? Unfortunately the latest client from Cisco, vpnclient-win-msi-5.0.07.0410-k9, is not available in 64 bit to try out.
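Added example, not part of the original thread and not Cisco tooling: a small parser for the client log format quoted above that reports which of the three IPSEC messages from the successful connection are missing, so logs from failing and succeeding clients can be compared quickly. The failing log is a constructed sample (its timestamp and the address 10.10.6.52 are made up), and treating these three message IDs as the expected sequence is an assumption drawn only from the post.

```python
import re

# Header line of one log entry: "<seq> <time> <date> Sev=<name>/<level> <module>/<id>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<msgid>0x[0-9A-Fa-f]+)$")

# Message IDs and text taken from the successful log quoted in the post.
EXPECTED = {
    "0x6370002F": "Assigned VA private interface addr",
    "0x63700037": "Configure public interface",
    "0x63700019": "Activate outbound key",
}

# Entries 16-18 as quoted in the post.
GOOD_LOG = """\
16 16:11:24.036 01/21/11 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.6.51
17 16:11:24.036 01/21/11 Sev=Info/4 IPSEC/0x63700037
Configure public interface: 75.208.1.230. SG: 6.7.154.36
18 16:11:24.919 01/21/11 Sev=Info/4 IPSEC/0x63700019
Activate outbound key with SPI=0x5d624954 for inbound key with SPI=0x859ac5b1
"""

# Constructed sample of a failing client: entries like #17 and #18 never appear.
FAILING_LOG = """\
16 16:20:02.511 01/21/11 Sev=Info/4 IPSEC/0x6370002F
Assigned VA private interface addr 10.10.6.52
"""

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append(dict(m.groupdict(), message=""))
        elif line and entries:
            entries[-1]["message"] = (entries[-1]["message"] + " " + line).strip()
    return entries

def missing_stages(text):
    """Return the expected IPSEC messages that the log does not contain."""
    seen = {e["msgid"].lower() for e in parse_entries(text) if e["module"] == "IPSEC"}
    return [name for msgid, name in EXPECTED.items() if msgid.lower() not in seen]

if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("failing", FAILING_LOG)):
        print(label, "client is missing:", missing_stages(log))
```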
01-21-2011 05:49 PM
Hello,
Is split tunneling enabled on the head end, or is it tunnel all?
If split tunneling is enabled, can you try tunnel all with a new profile and see if that makes a difference (this is on the ASA part)?
From the client perspective, install Wireshark on the system and see if the packets are handed over to the virtual adapter.
If they are handed over but not getting sent, please uninstall and then re-install the VPN client.
Regards
Ankur Bajaj
01-21-2011 07:04 PM
All the users are using a split tunnel - both the FailUsers and SucceedUsers. But I did have one of the FailUsers try a non-split-tunnel group to see if it made a difference. It did not.
We've tried uninstalling and reinstalling the client several times. In fact I had one user remove the aircard and drivers and the IPsec client. Then reinstall from the bottom up. And no improvement. Then I had this same user downgrade to an earlier beta 64 bit client subrevision 0240. But again still no go.
Wireshark is a good thought.