02-10-2014 07:26 AM
Good morning,
I configured a remote VPN in order to reach a specific subnet of my company; I connect using the Cisco VPN client. Suppose that this subnet has 2 IPs available (10.10.10.2 and 10.10.10.3). When I connect to that subnet, sometimes I can ping the first address but not the second; then I connect to the VPN again and the opposite occurs: I can't ping the first IP but I can ping the second. Sometimes I can ping all IPs of the subnet. This subnet is inside a VRF.
Best regards,
02-10-2014 10:39 AM
Hello, Francisco.
Could you please share your configuration?
Are you sure that the IP addresses you are trying to ping are really on the subnet (you might be pinging some other devices with the same IP addresses)?!
02-11-2014 02:15 AM
Hello,
This is the configuration:
aaa new-model
aaa group server radius Radius-PMS
 server-private X.X.X.X auth-port 1812 acct-port 1813 key 70055415550
 server-private X.X.X.X auth-port 1812 acct-port 1813 key 7 06575D7218
 ip radius source-interface Loopback0
aaa authentication login default local
aaa authentication login vpn1 local
username xxxx privilege 15 secret 5 xxxxxxxxxxxxxxxx
crypto isakmp client configuration group VPN_VOIP
 key xxxxxx
 pool VPN_VOIP
 acl VPN_VOIP
crypto isakmp profile VPN_VOIP
 vrf VPN_xxxxxxx_01
 match identity group VPN_VOIP
 client authentication list vpn1
 isakmp authorization list vpn1
 client configuration address initiate
 client configuration address respond
crypto ipsec transform-set strong-encryption esp-3des esp-sha-hmac
crypto dynamic-map VPN_VOIP 2
 set security-association idle-time 86400
 set transform-set strong-encryption
 set isakmp-profile VPN_VOIP
 reverse-route
crypto map Ipsec-Static-msspain 60 ipsec-isakmp dynamic VPN_VOIP
interface GigabitEthernet0/0.533
 encapsulation dot1Q xxx
 ip address X.X.X.X 255.255.255.0
 no ip proxy-arp
 ip accounting output-packets
 ip virtual-reassembly max-reassemblies 1024
 crypto map Ipsec-Static-msspain
ip local pool VPN_VOIP X.X.X.X X.X.X.X group VPN_VOIP
ip access-list extended VPN_VOIP
 permit ip 10.10.0.0 0.0.255.255 any
Yes, I am sure because the IP is in the range 10.10.10.0/24 and the ACL (VPN_VOIP) is a /16. Sometimes I can ping an IP in the range and sometimes I can't.
Best regards,
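The claim in the post above, that 10.10.10.2 and 10.10.10.3 are covered by the /16 ACL, can be checked with the same wildcard-mask comparison the router uses. This is an added example, not part of the thread: it assumes the `acl VPN_VOIP` line under the client configuration group is the Easy VPN split-tunnel list (its source field names the networks the client sends through the tunnel), and the function names are hypothetical.

```python
import ipaddress

# The split-tunnel ACL as posted in the configuration above.
POSTED_ACL = """\
ip access-list extended VPN_VOIP
 permit ip 10.10.0.0 0.0.255.255 any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_split_tunnel(acl_text):
    """Return (base, wildcard) integer pairs from the source field of each permit entry."""
    networks = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "permit":
            continue  # ACL header, deny, remark or blank line
        src = tok[2:]  # tokens after "permit <protocol>"
        if src[0] == "any":
            networks.append((0, 0xFFFFFFFF))
        elif src[0] == "host":
            networks.append((_to_int(src[1]), 0))
        else:
            networks.append((_to_int(src[0]), _to_int(src[1])))
    return networks

def is_tunneled(dest, networks):
    """Wildcard match: bits set to 1 in the wildcard mask are ignored in the comparison."""
    d = _to_int(dest)
    return any(
        (d & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)
        for base, wild in networks
    )

if __name__ == "__main__":
    nets = parse_split_tunnel(POSTED_ACL)
    # The two addresses from the thread, plus two constructed out-of-range addresses.
    for ip in ("10.10.10.2", "10.10.10.3", "10.11.10.2", "192.168.1.1"):
        print(ip, "tunneled" if is_tunneled(ip, nets) else "not tunneled")
```

Both addresses from the thread match the entry, so the split-tunnel list does not explain why only one of them answers at a time.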
02-11-2014 09:33 AM
Hello.
Your configuration looks fine, but I see no other interfaces in the VRF mentioned.
(You might have stripped "aaa author network vpn1 local").
1. Could you please trace 10.10.10.2 (.3) from the client?
2. Could you please try to ping the address from the Easy VPN server during the issue?
PS: the issue could be in the omitted part of your configuration.
PS2: could you provide a statistics screenshot for both cases (when you can/can't ping the IP address)?