Discussion: What could interfere with a stable EZVPN client connection?

cclarkacs
Level 1

I realize the likely answer is "firewall". But I don't know anything specific that might help me toward a solution such as ports used, etc.

Here's the situation. I have a small remote office in another country that recently re-located. They have an 871 router that is configured to make an EZVPN connection to a 2811 router in the home office. The EZVPN client is configured in network-plus mode so they are supposed to be able to connect to resources in the home office and vice-versa.

Prior to the move the setup worked. Nothing has changed in the config of the home office or remote client router. In the new location they have a different ISP and, being a short-term corporate suite rental, the connection is shared with other tenants so it's probably managed by the leasing company. Their router makes the VPN connection and the tunnel is stable (it was not at the previous location). I can ping their router and all machines on their LAN from the home office. An IP phone they have that is based off a PBX in the home office works (outbound and inbound calls). Beyond that nothing else works. I cannot connect to their file server (although I can ping it) and they have the reverse problem. I cannot SSH to their router. I cannot connect via VNC to their computers. They cannot connect to my file servers. Their IP phone CAN connect to my PBX.

I'm thinking something on their new ISP network is blocking return VPN traffic, but it's puzzling to me why the IP phone would continue to work when nothing else does. My only thought about that is that perhaps because the IP phone is an ongoing, remote-side-initiated session it would be permitted by whatever rules are blocking everything else. But given that the IP phone traffic goes across the stable VPN tunnel, how would the filter even distinguish that?

3 Replies

Jennifer Halim
Cisco Employee

Based on your explanation, it seems that only TCP traffic through the VPN tunnel is not working. You are right with your statement that it should not be filtered on the ISP side, because all they will see is the encrypted traffic (VPN tunnel); what is inside the tunnel should not be visible to them at all.

The fact that ping works and also the IP phone works is because ping is ICMP, and the IP phone RTP stream is UDP.

The rest of the applications that you mention are TCP based. I would test by adjusting the TCP MSS on the 871 LAN interface to a lower value:

ip tcp adjust-mss 1300

And test the connectivity again. Please also see if you are able to telnet to the TCP port from a CMD prompt. For example: telnet on port 22 to the router, or telnet on the file server port to the file server. See if you are getting the prompt; if you do, that means connectivity is there.
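The telnet-to-a-port check above tells you more than pass/fail if you look at how the connection fails. The following is an added example, not code from the thread or from Cisco, that classifies a TCP probe the way a practitioner would read the telnet result: a completed handshake means the path and the service are there, an immediate refusal means the host is reachable but nothing listens on that port, and a timeout means the SYN or SYN/ACK is being dropped somewhere (a filter, a black hole, or a routing problem), which is the pattern described in this thread where ping works but TCP does not. The loopback listener is a constructed stand-in for the remote file server so the script runs offline; host names and ports are assumptions.

```python
import socket
import threading

def tcp_probe(host, port, timeout=3.0):
    """Classify what a 'telnet <host> <port>' test would show.

    'open'        : TCP handshake completed (connectivity and the service exist)
    'refused'     : the host answered with RST (reachable, nothing listening)
    'timeout'     : no answer at all (filtered, black-holed or unroutable)
    'unreachable' : the local stack could not even attempt the connection
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()

def probe_many(host, ports, timeout=3.0):
    """Probe several ports on one host; returns {port: classification}."""
    return {p: tcp_probe(host, p, timeout) for p in ports}

def start_local_listener():
    """Constructed stand-in for the remote file server: a TCP listener on an
    ephemeral loopback port that accepts and immediately closes connections.
    Returns (listening_socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port

def closed_loopback_port():
    """Find a loopback port with nothing listening (bind, read, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

if __name__ == "__main__":
    srv, port = start_local_listener()
    # Against a real site you would use the remote router / file server
    # address and ports such as 22 (SSH) or 445 (SMB); these are assumptions.
    print(probe_many("127.0.0.1", [port, closed_loopback_port()]))
    srv.close()
```

Read the result next to an ICMP ping: "refused" or "open" with ping working means the tunnel carries TCP fine and the problem is the service or an MSS/MTU issue on larger transfers; "timeout" with ping working is what a filtered or mis-routed TCP path looks like.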

Jennifer, thank you for your quick and thorough reply. I spent much of the morning beating my head against a wall trying to figure out why, upon further investigation, the remote site could contact resources through, but not at, the home office that was terminating the VPN connection. I have no out-of-band access to this remote router, so when I found that I could contact it via a 3rd site network I found that it could communicate with the third site fine but not with the "middle" site, which is where the 2811 router is.

Once I looked at the route tables for the remote router I realized what the problem is: the subnet that the landlord has provided in the shared building is the same as the subnet on the remote (my home office) network. So, with this being the case, the router never forwards traffic for 192.168.1.0/255 over the VPN and instead tries to push it out the WAN port.

Is there a VPN mode to bypass this problem? I'm considering throwing another NAT router between the 871 and the landlord's network but I hate to add physical layers...
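The overlap described in this post is a plain longest-prefix-match problem, and it is worth checking for before a site is brought up rather than after. The following added example (my own code, not from the thread or from Cisco IOS) uses a simplified model of the 871's forwarding decision: a connected route for the landlord's segment (administrative distance 0) and a route for the home-office subnet via the EZVPN tunnel (distance 1). When both are 192.168.1.0/24, the connected route wins and the packet is pushed out the WAN interface exactly as the post describes; renumbering either side makes the tunnel route win. The prefixes, interface names and the "EZVPN tunnel" route entry are constructed assumptions, and the real crypto-map and mode-config behaviour of the router is abstracted away.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str    # interface or tunnel the packet leaves through
    distance: int    # administrative distance: connected = 0, static = 1

def lookup(routes, dst):
    """Forwarding decision: longest prefix match, ties broken by the lowest
    administrative distance. Returns the winning Route or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))

def overlapping_pairs(local_prefixes, remote_prefixes):
    """Pairs of (local, remote) prefixes that overlap. Any hit here means the
    local route will shadow traffic that was meant for the tunnel."""
    return [(loc, rem)
            for loc in local_prefixes
            for rem in remote_prefixes
            if loc.overlaps(rem)]

# Constructed addressing modelled on the thread (assumed values).
HOME_OFFICE = ipaddress.ip_network("192.168.1.0/24")   # behind the 2811
REMOTE_LAN = ipaddress.ip_network("192.168.10.0/24")   # behind the 871
LANDLORD_WAN = ipaddress.ip_network("192.168.1.0/24")  # the shared segment

def build_routes(wan_prefix):
    """Routing table of the 871 given the prefix on its WAN side."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "WAN default", 1),
        Route(wan_prefix, "WAN connected", 0),
        Route(REMOTE_LAN, "LAN connected", 0),
        Route(HOME_OFFICE, "EZVPN tunnel", 1),   # assumed tunnel route
    ]

def egress_for(wan_prefix, dst):
    """Name of the path a packet to dst takes with the given WAN prefix."""
    route = lookup(build_routes(wan_prefix), dst)
    return route.next_hop if route else None

if __name__ == "__main__":
    server = "192.168.1.10"   # assumed home-office file server
    print("overlap check:", overlapping_pairs([LANDLORD_WAN, REMOTE_LAN], [HOME_OFFICE]))
    print("as deployed  :", egress_for(LANDLORD_WAN, server))
    renumbered = ipaddress.ip_network("10.20.30.0/24")   # assumed unique WAN
    print("renumbered   :", egress_for(renumbered, server))
```

Run it and the "as deployed" line shows the file server reached through the WAN connected route, never the tunnel, while the same address goes to the tunnel once the WAN (or the home office) is renumbered; the overlap check is the pre-deployment test that would have flagged this move.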

No, there is no way to bypass that particular issue from the VPN point of view.

How hard would it be to change the LAN subnet to a unique subnet? You mention home office, so I guess it wouldn't be too hard to change it to a new unique subnet?