PIX remote access VPN error msg

sikkander
Level 1

Hi Folks!!!

I have configured a remote access IPsec VPN using a PIX-515E (3DES & MD5 used). This has been primarily configured for accessing a webserver which is in the internal network. I have checked the access through a dialup connection & checked the access to the webserver & it is working OK.

One of our clients has tried accessing the webserver through the remote access VPN which we have set up as above & was successfully able to establish the IPsec VPN tunnel, but when he tries to access the webserver he is not able to access it. The client is using his home broadband connection to check the webserver access.

Attached below are the PIX log messages:

%PIX-6-302013: Built inbound TCP connection 124305969 for outside:10.120.77.2/1097 (10.120.77.2/1097) to inside:192.168.10.23/80 (192.168.10.23/80) (ABC_check)

%PIX-6-302014: Teardown TCP connection 124305969 for outside:10.120.77.2/1097 to inside:192.168.10.23/80 duration 0:02:01 bytes 0 SYN Timeout (ABC_check)

The above logs give SYN Timeout as the reason, but I am not able to figure out why this timeout is generated & why the client is not able to access the webserver, even though we have checked the same access through a dialup connection.

Folks!! I require your help to get this resolved..

Thanks in advance..

Cheers

SS

3 Replies

milan.kulik
Level 10

Hi,

is the user able to ping or connect to any destination in the internal network?

If yes and only the TCP connection fails, I'd check the MTU, e.g. if his home broadband connection is via ADSL.

Regards,

Milan

Hi !!

When the client accesses the webserver using the remote access VPN through broadband (he uses the Cisco VPN client), he is neither able to ping nor traceroute the internal IPs, though it is allowed in the PIX firewall. If the ping/traceroute test is done through a dialup connection it works, and the webserver is also accessible.

Cheers

If he's on ADSL then his traffic is probably being PAT'd, and this is causing issues with the IPsec traffic (which is not UDP/TCP based, and a lot of devices have trouble PAT'ing this type of traffic).

On the PIX use the following command:

isakmp nat-traversal

This will enable NAT-T on the PIX, and the PIX and client will then negotiate at tunnel start-up to encapsulate the IPsec packets into UDP packets, which should then be PAT'd correctly by your user's broadband device.
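As an added example that is not part of this thread: a small parser for the %PIX-6-302013/302014 messages quoted in the question. It pairs build and teardown records by connection id and counts, per VPN user and source address, the connections torn down with "bytes 0 SYN Timeout", i.e. handshakes that never completed, which is the symptom the PAT/NAT-T problem above produces. The log lines in SAMPLE_LOG are constructed for the example, modelled on the two lines in the question.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the 302013/302014 lines quoted in the question.
SAMPLE_LOG = """\
%PIX-6-302013: Built inbound TCP connection 124305969 for outside:10.120.77.2/1097 (10.120.77.2/1097) to inside:192.168.10.23/80 (192.168.10.23/80) (ABC_check)
%PIX-6-302013: Built inbound TCP connection 124305970 for outside:10.120.77.2/1098 (10.120.77.2/1098) to inside:192.168.10.23/80 (192.168.10.23/80) (ABC_check)
%PIX-6-302014: Teardown TCP connection 124305969 for outside:10.120.77.2/1097 to inside:192.168.10.23/80 duration 0:02:01 bytes 0 SYN Timeout (ABC_check)
%PIX-6-302014: Teardown TCP connection 124305970 for outside:10.120.77.2/1098 to inside:192.168.10.23/80 duration 0:00:05 bytes 4312 TCP FINs (ABC_check)
"""

BUILT_RE = re.compile(
    r"%PIX-6-302013: Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \(.*?\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \(.*?\)(?: \((?P<user>[^)]+)\))?"
)
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)(?: \((?P<user>[^)]+)\))?$"
)

def parse_connections(log_text):
    """Pair 302013 build and 302014 teardown records by PIX connection id."""
    conns = {}
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if m:
            conns[m["id"]] = dict(m.groupdict(), teardown=None)
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            conns.setdefault(m["id"], {})["teardown"] = m.groupdict()
    return conns

def syn_timeouts_per_client(log_text):
    """Count half-open connections (bytes 0, SYN Timeout) keyed by (VPN user, source ip)."""
    counts = defaultdict(int)
    for conn in parse_connections(log_text).values():
        td = conn.get("teardown")
        if td and td["reason"] == "SYN Timeout" and td["bytes"] == "0":
            counts[(td["user"], td["src"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (user, src), n in syn_timeouts_per_client(SAMPLE_LOG).items():
        print(f"{user} from {src}: {n} handshake(s) never completed; check NAT-T/MTU on that path")
```

Feeding the PIX syslog of a whole day to syn_timeouts_per_client separates users whose tunnels pass traffic from those whose every TCP attempt dies half-open, which narrows the problem to the client's path rather than the firewall rules.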