cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
616
Views
0
Helpful
5
Replies
Highlighted
Beginner

No traffic passing through 5520 remote ipsec vpn

HI, i am trying to create a remote access vpn on our 5520 but i am currently unable to pass traffic.  The vpn client authenticates correctly but I am seeing no traffic decap

sh ipsec sa user *username*

username: jdyson

    Crypto map tag: def_cryp_map, seq num: 65535, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.16.149.1/255.255.255.255/0/0)

      current_peer: y.y.y.y, username: *username*

      dynamic allocated peer ip: 172.16.149.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

windows routing table on the client looks like this

route: 10.0.0.0       mask: 255.0.0.0    gw: 172.16.149.2    int: 172.16.149.1

ipconfig results

IPv4 Address. . . . . . . . . . . : 172.16.149.1

Subnet Mask . . . . . . . . . . . : 255.255.255.224

default gateway:....................:

relevant config:

ip local pool SSS-pool 172.16.149.1-172.16.149.31 mask 255.255.255.224

crypto map outside_map 65535 ipsec-isakmp dynamic def_cryp_map

crypto map outside_map interface outside

tunnel-group SSSVPN type remote-access

tunnel-group SSSVPN general-attributes

address-pool SSS-pool

authentication-server-group Radius

default-group-policy SSSGrpPolicy

password-management password-expire-in-days 5

tunnel-group SSSVPN ipsec-attributes

pre-shared-key *****

group-policy SSSGrpPolicy internal

group-policy SSSGrpPolicy attributes

dns-server value 172.16.140.100 172.16.140.101

vpn-idle-timeout none

vpn-session-timeout none

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value SSSVPNTunnelList

access-list SSSVPNTunnelList extended permit ip object-group rfc1918_addresses 172.16.149.0 255.255.255.224

any help appreciated

Everyone's tags (2)
5 REPLIES 5
Highlighted
Mentor

No traffic passing through 5520 remote ipsec vpn

Hi,

I am not quite sure why the Windows "route print" output shows the the Gateway would be "172.16.149.2" while it actually should be "172.16.149.1" which is the IP address you have gotten from the VPN device.

This would though explain why we arent seing anything on the VPN devices counters.

Though I am not sure why the gateway would be different from the VPN Pool IP address.

Here is an example of the output from one of my old VPN Client connections

        Connection-specific DNS Suffix  . :

        IP Address. . . . . . . . . . . . : 10.6.63.2

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . :

Active Routes:

Network Destination             Netmask               Gateway            Interface       Metric

     172.16.255.0              255.255.255.0             10.6.63.2            10.6.63.2       1

- Jouni

Highlighted
Beginner

No traffic passing through 5520 remote ipsec vpn

Thank Jouni, I expected to see the same thing and i'm a little perplexed as to how this is happening.

Highlighted
Cisco Employee

No traffic passing through 5520 remote ipsec vpn

Hi,

What is the client OS and internet connection you are using? If it is Windows 7 64 bit using 4G connection, this is bound to happen. There is no support for WWAN adapters using CIsco Ipsec lcient.

Do see the same behaviour for Windows XP and Windows 7 32 bit machines as well.

Regards,

Varinder

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
Highlighted
Beginner

No traffic passing through 5520 remote ipsec vpn

The OS is win7 64bit.  This is a VM bridging out onto my LAN adapter.  We have the same symptoms on host computers as well.

Highlighted
Beginner

No traffic passing through 5520 remote ipsec vpn

Fix was to enable nat-traversal on the asa.  

Strangley, our mac clients would work successfuly but windows failed which was confusing