06-18-2013 05:51 AM - edited 02-21-2020 06:58 PM
Hi, I am trying to create a remote access VPN on our 5520 but I am currently unable to pass traffic. The VPN client authenticates correctly but I am seeing no traffic decap.
sh ipsec sa user *username*
username: jdyson
Crypto map tag: def_cryp_map, seq num: 65535, local addr: x.x.x.x
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.149.1/255.255.255.255/0/0)
current_peer: y.y.y.y, username: *username*
dynamic allocated peer ip: 172.16.149.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Windows routing table on the client looks like this:
route: 10.0.0.0 mask: 255.0.0.0 gw: 172.16.149.2 int: 172.16.149.1
ipconfig results:
IPv4 Address. . . . . . . . . . . : 172.16.149.1
Subnet Mask . . . . . . . . . . . : 255.255.255.224
Default Gateway . . . . . . . . . :
Relevant config:
ip local pool SSS-pool 172.16.149.1-172.16.149.31 mask 255.255.255.224
crypto map outside_map 65535 ipsec-isakmp dynamic def_cryp_map
crypto map outside_map interface outside
tunnel-group SSSVPN type remote-access
tunnel-group SSSVPN general-attributes
address-pool SSS-pool
authentication-server-group Radius
default-group-policy SSSGrpPolicy
password-management password-expire-in-days 5
tunnel-group SSSVPN ipsec-attributes
pre-shared-key *****
group-policy SSSGrpPolicy internal
group-policy SSSGrpPolicy attributes
dns-server value 172.16.140.100 172.16.140.101
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSSVPNTunnelList
access-list SSSVPNTunnelList extended permit ip object-group rfc1918_addresses 172.16.149.0 255.255.255.224
Any help appreciated.
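An added troubleshooting helper, not part of the original thread: it parses the `sh ipsec sa` counters shown above and flags sessions that completed Phase 2 but carry no traffic in either direction, which is the symptom being described. The sample output is constructed for the example; the peer and local addresses are documentation ranges because the poster's were masked.

```python
import re

# Constructed sample modelled on the 'sh ipsec sa user' output posted above.
# Peer/local addresses use documentation ranges; the poster's were masked.
SAMPLE_SA = """\
Crypto map tag: def_cryp_map, seq num: 65535, local addr: 203.0.113.10
  current_peer: 198.51.100.7, username: jdyson
  dynamic allocated peer ip: 172.16.149.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: def_cryp_map, seq num: 65535, local addr: 203.0.113.10
  current_peer: 198.51.100.9, username: macuser
  dynamic allocated peer ip: 172.16.149.3
  #pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
  #pkts decaps: 1040, #pkts decrypt: 1040, #pkts verify: 1040
"""

# Field name -> (regex with one capture group, type to cast the capture to)
FIELDS = {
    "peer": (r"current_peer: (\S+),", str),
    "user": (r"username: (\S+)", str),
    "assigned_ip": (r"dynamic allocated peer ip: (\S+)", str),
    "encaps": (r"#pkts encaps: (\d+)", int),
    "decaps": (r"#pkts decaps: (\d+)", int),
}

def parse_ipsec_sa(text):
    """Return one dict per SA found in 'show crypto ipsec sa' output."""
    sas = []
    for block in re.split(r"(?m)^Crypto map tag:", text)[1:]:
        sa = {}
        for name, (pat, cast) in FIELDS.items():
            m = re.search(pat, block)
            sa[name] = cast(m.group(1)) if m else None
        sas.append(sa)
    return sas

def diagnose(sa):
    """Classify an established SA by its traffic counters."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        # Phase 2 is up but no ESP has arrived from the client. In the thread
        # the cause was ESP dropped by a NAT in the path, fixed by NAT-T; a
        # wrong gateway on the client's split-tunnel route looks the same.
        return "stalled"
    if sa["decaps"] == 0:
        return "no client traffic arriving"
    if sa["encaps"] == 0:
        return "no return traffic"
    return "healthy"

def stalled_sessions(text):
    """Users whose SA is up but carries no traffic in either direction."""
    return [sa["user"] for sa in parse_ipsec_sa(text) if diagnose(sa) == "stalled"]
```

Feed it the output of `show crypto ipsec sa` for all users and `stalled_sessions` returns the accounts worth checking for client routing or NAT-T problems.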
06-18-2013 06:04 AM
Hi,
I am not quite sure why the Windows "route print" output shows the Gateway as "172.16.149.2" while it actually should be "172.16.149.1", which is the IP address you have gotten from the VPN device.
This would, though, explain why we aren't seeing anything on the VPN device's counters.
Though I am not sure why the gateway would be different from the VPN Pool IP address.
Here is an example of the output from one of my old VPN Client connections:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.6.63.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Active Routes:
Network Destination Netmask Gateway Interface Metric
172.16.255.0 255.255.255.0 10.6.63.2 10.6.63.2 1
- Jouni
06-18-2013 06:29 AM
Thanks Jouni, I expected to see the same thing and I'm a little perplexed as to how this is happening.
06-18-2013 06:45 AM
Hi,
What is the client OS and internet connection you are using? If it is Windows 7 64-bit using a 4G connection, this is bound to happen. There is no support for WWAN adapters using the Cisco IPsec client.
Do you see the same behaviour for Windows XP and Windows 7 32-bit machines as well?
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.
06-19-2013 12:05 AM
The OS is Win7 64-bit. This is a VM bridging out onto my LAN adapter. We have the same symptoms on host computers as well.
06-28-2013 07:01 AM
Fix was to enable NAT-Traversal on the ASA.
Strangely, our Mac clients would work successfully but Windows failed, which was confusing.