01-27-2011 05:41 AM
Hi Forum.
We're stuck with this problem: After successfully opening a VPN-Connection with the Cisco VPN-Client to a Cisco-Router, the rest of the World cannot be properly accessed anymore.
This is what was checked / tried so far to pinpoint the problem on a Windows Vista Machine:
- Router: Split-Tunneling is allowed according to sysop
- On the VPN-Client: "Allow Local Lan-Access" is checked
- On the Client (Statistics): Only the configured VPN-Route is listed under 'Secure Routes'. 'Local Lan Routes' is empty.
- Calling 'http://www.google.com' in IE fails
- Calling '74.125.232.116' (its IP) in IE works / Pinging the IP works.
- nslookup correctly lists the current DNS-Server
- nslookup www.google.com correctly resolves the Name to the IP
It seems that it's not that the connection to the rest of the Internet is suppressed, but that the DNS-Resolution somehow fails, although all signs indicate that the correct DNS-Server is in effect and although the commandline can resolve the name.
Does anyone have a hint how to debug this properly?
01-27-2011 06:50 AM
Hey Pat,
How about trying it with a different browser than IE?
Sent from Cisco Technical Support iPhone App
01-27-2011 08:17 AM
Hi Gino.
Sorry for having it put into so simple examples and let me correct this: ALL applications seem to have this kind of problem!
- Thunderbird (can't connect to mailbox)
- IE
- Firefox
- Winamp
etc...
Interestingly enough, the commandline/shell still sees the correct DNS-Server. So I'm really not sure whether the problem lies within the address resolution OR the routing... It seems to me though, that the effect gradually kicks in and affects locations that have not been 'visited' in a while. E.g.: an already playing winamp-stream or skype-session continues 'playing', while in the meantime browsers & email-client can't connect to new servers anymore...
01-28-2011 02:47 AM
Small addition:
To eliminate network issues, we just tried a Mac with 'Cisco IPSec' and everything worked out fine... so it seems to be a Vista (or Windows) issue...
Any tips?
01-30-2011 10:37 AM
1. Is it happening on all Windows PCs?
2. Can you collect the event logs when trying to browse after connecting to VPN, and attach it?
3. Are you pushing any domain name through the VPN?
Sent from Cisco Technical Support iPhone App
01-31-2011 07:47 AM
1: Tested on the single Vista-Machine only. Could run a test on WinXp.
2: Which logs:
- Routerlogs
- Windows Events (if yes, which exactly?)
- Cisco-VPN-Client Logs (if yes, where are they)?
(Can I mail them so I don't have to post potential sec-risks?)
3. No, no domain-Names are pushed. Target is a small DMZ with essentially a single Box.
01-31-2011 09:27 PM
-- Wrong post updated.
Message was edited by: Ramya D.S
02-01-2011 12:29 AM
Hey Pat,
1. Can you please test it from WinXP?
2. Please send me a PM with the logs attached, through the CSC mail.
3. Would you be able to uninstall the client and reinstall? Use Windows cleanup utility to do a clean uninstall.
@ Ramya,
No problem.
02-01-2011 11:00 PM
Ok... here's that:
We had checked the routing table with "netstat -r" and DNS-entries before. According to the sysadmin it all looked "ok" (needless to say that we seem to be missing something there)...
So I wanted to triple-check yesterday and when starting the VPN-Client it did not start but instead went into the MSI installation routine trying to find the original installer to pull something out from. But since that got moved/deleted, the client was not able to start again... Is that normal behaviour?
Needless to say that the box is virus-safe (avast) and malware-free (antibyte), windows defender is on...
any help appreciated..
02-01-2011 12:46 AM
Hi Pat,
I would suggest that you check your machine routing configuration using route -4 print in cmd.exe so that you would see if split tunneling is applied or not.
You can also force routing; for example, use (cmd.exe must be run as admin)
route ADD 8.8.8.8 MASK 255.255.255.255 X.X.X.X (X.X.X.X is your default gateway), then ping 8.8.8.8 (it is Google DNS)
The route will be deleted after reboot, or use route delete 8.8.8.8 ...
Regards,
Bastien
02-02-2011 06:49 AM
Problem seems solved:
I uninstalled the VPN-Client and reinstalled a different version (5.0.07.0410): no more problems.
Routing table now looks different and one suspicious entry for 0.0.0.0 (which was double before) does not show up anymore.
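The routing-table check suggested earlier in the thread, applied to the duplicated 0.0.0.0 entry reported above, as an added example that is not part of the original posts: it parses `route -4 print` output, flags duplicate default routes, and reports whether the lowest-metric one sits on the VPN adapter. The sample table and all addresses (including 10.10.10.20 as the VPN adapter) are constructed assumptions.

```python
import re

# Constructed sample of `route -4 print` output; all addresses are made up.
SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0       10.10.10.1     10.10.10.20      1
       10.10.10.0    255.255.255.0         On-link      10.10.10.20    276
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
===========================================================================
Persistent Routes:
  None
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")
FIELDS = ("dest", "mask", "gateway", "interface", "metric")

def parse_active_routes(text):
    """Return the rows of the 'Active Routes' section as dicts."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Persistent Routes"):
            active = False  # persistent rows have a different layout
        elif active and (m := ROW.match(line)):
            row = dict(zip(FIELDS, m.groups()))
            row["metric"] = int(row["metric"])
            routes.append(row)
    return routes

def check_default_routes(text, vpn_interface):
    """Flag duplicate 0.0.0.0 routes and whether the VPN adapter wins."""
    defaults = sorted(
        (r for r in parse_active_routes(text)
         if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"),
        key=lambda r: r["metric"])
    preferred = defaults[0] if defaults else None  # lowest metric is used
    return {
        "defaults": defaults,
        "duplicate": len(defaults) > 1,
        "default_via_vpn": bool(preferred) and preferred["interface"] == vpn_interface,
    }

if __name__ == "__main__":
    # 10.10.10.20 stands in for the VPN adapter's address (assumption).
    print(check_default_routes(SAMPLE, vpn_interface="10.10.10.20"))
```

With split tunneling in effect, the expected result is a single default route on the local adapter; `default_via_vpn` being true means traffic to destinations outside the VPN's secure routes is also being sent into the tunnel.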
02-02-2011 10:14 AM
No worries Pat...
Sent from Cisco Technical Support iPhone App
--please rate the solutions