01-18-2007 07:49 AM - edited 02-21-2020 02:49 PM
I am using a Cisco 2811 running the Easy VPN server. I have two
clients located in different states with different ISPs who can
connect but cannot send or receive. One client in Florida was able to
access everything for months after the system was set up, then suddenly it
just stopped working. No changes were made to software or hardware on the
2811. When I attempt to test the connection myself it always works.
The other client in DC was able to connect before going to DC. They
both have different ISPs; both are high-speed connections. Anyone have
an idea?
Thanks,
01-24-2007 07:17 AM
Try this:
1. Connect with the client, then do a "show crypto ipsec sa" on the router. Find the SA
assigned to you (it will show the IP address that you were assigned from the pool).
In there you will see "encrypts" and "decrypts" .
Assuming you see decrypts but no encrypts, the problem is either going to be with NAT or
with the network not knowing where to route traffic destined for the network you specified
in the vpn Pool.
2. Check and make sure NAT 0 is set up to bypass traffic between the LAN network and the
VPN client pool network.
3. Verify the local LAN knows to send traffic destined for the VPN pool to the router.
4. Check whether UDP port 500 is allowed or not.
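The check in step 1 can be scripted when many clients are connected. The following is an added example, not part of the original reply: it parses saved "show crypto ipsec sa" text and lists SAs that show decrypts but no encrypts. The sample output is constructed, its layout is assumed to follow IOS output, and the function names are hypothetical.

```python
import re

# Constructed sample; layout assumed to follow IOS "show crypto ipsec sa" output.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: EXAMPLE_MAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   current_peer 198.51.100.20 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.6/255.255.255.255/0/0)
   current_peer 192.0.2.44 port 500
    #pkts encaps: 310, #pkts encrypt: 310, #pkts digest: 310
    #pkts decaps: 298, #pkts decrypt: 298, #pkts verify: 298
"""

REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
PEER = re.compile(r"current_peer ([\d.]+) port (\d+)")
COUNT = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def parse_sas(text):
    """Return one dict per SA: pool address, peer, port, encrypt/decrypt counts."""
    sas = []
    for line in text.splitlines():
        m = REMOTE.search(line)
        if m:  # a "remote ident" line starts a new SA; the address is the pool IP
            sas.append({"client": m.group(1), "peer": None, "port": None,
                        "encrypt": 0, "decrypt": 0})
            continue
        if not sas:
            continue
        m = PEER.search(line)
        if m:
            sas[-1]["peer"], sas[-1]["port"] = m.group(1), int(m.group(2))
        for name, value in COUNT.findall(line):
            sas[-1][name] = int(value)
    return sas

def one_way(sas):
    """SAs where the router decrypts client traffic but never encrypts a reply."""
    return [sa for sa in sas if sa["decrypt"] > 0 and sa["encrypt"] == 0]

if __name__ == "__main__":
    for sa in one_way(parse_sas(SAMPLE)):
        print(f"{sa['client']} (peer {sa['peer']}:{sa['port']}): {sa['decrypt']} "
              "decrypts, 0 encrypts -> check NAT exemption and route to pool")
```

An SA flagged here points at the router side (steps 2 and 3); an SA with zero decrypts as well points back toward the client or its Internet path.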
01-24-2007 07:22 AM
Could you verify if the DC user has opened UDP ports 500 and 4500 for his Internet connection?
A blocked UDP port 4500 brings problems when NAT is used.
M.
01-31-2007 11:38 AM
Figured it out, thanks for the help, but it turns out it was an incompatibility with the Dell wireless network adapter that was causing the problem, not with the VPN client or config. Thanks again for the feedback and help.
02-06-2007 08:24 PM
Check the MTU size on the client. I have seen the same problem using the VPN 3030. Changing the client MTU to 1300 has fixed the problems for us.
02-07-2007 01:43 PM
I saw the same behavior with connectivity to ASA 5540 with Cisco client 4.8. I could login with client but could not connect to anything. 'show crypto ipsec sa' showed my security association with packets decrypted, but none encrypted. A static route for the ip address pool was present on the inside. When I changed my MTU setting to 1300 for my 'local area connection' through the client MTU application (program files > cisco vpn client > Set MTU) I was able to connect to stuff on the inside of the ASA. Very strange as earlier in the day from this same PC and using same LAN connection I had been able to login and access stuff on the inside just fine. I intend to do more research into this, but does anyone have any comment on this? I'm very puzzled.