Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
9
Helpful
4
Replies

Problem with Cisco VPN behind an IOS firewall

alalli
Level 2
Level 2

‎11-03-2004 08:22 PM - edited ‎02-21-2020 01:25 PM

Good Day,

I have a Cisco VPN client that is connecting to a PIX firewall via IPSec using ESP in tunnel mode.

The client PC is being PAT to the outside interface IP address assigned by the Internet Provider.

The VPN tunnel connects first time every-time.

The problem is that, initially, we are not able to use the SAP R/3 application over the VPN tunnel.

If we run a ping first, usually the ping will timeout, but will then succeed.

After that, the SAP R/3 application works fine.

any ideas or help is gratefully appreciated,

regards,

alalli@iinet.net.au

amanda@moncrieff.com.au

Labels:
0 Helpful
4 Replies 4

ehirsel
Level 6
Level 6

‎11-07-2004 08:06 PM

I assume that this is your topology:

Client --- IOS FW --- Inet --- PIX --- SAP Server

Is that correct?

What parameters did you run with the ping command? Or did you just run ping with no parms?

I suspect that path mtu discovery may have a role in this. At the vpn client, run the set mtu utility and set the virtual adapter to an mtu of 1300, and set the phy adapter to 1400 and then see if you can connect to the SAP without running the ping command first.

Let me know how it proceeds.

alalli
Level 2
Level 2
In response to ehirsel

‎11-08-2004 02:04 AM

Hi and Thanks very much :)

I did not run any parameters with the ping.

It simply timed out and then we were able to ping again and it worked.

In the end, the folks at the distant end PIX set ISAKMP NAT-T.

I had thought this was done before we ever got started, but apparently it was not.

As to the MTU, hmmm.... i had better remember that as something to check .... thanks very much :)

0 Helpful

pkapoor
Level 3
Level 3
In response to alalli

‎11-09-2004 09:22 AM

Did you try connecting with the SAP only once before running the ping? If not, then try connecting twice. It could be that because the IPSec SA is not established the first time, the first attempt of the SAP application times out......maybe the second one will connect.

alalli
Level 2
Level 2
In response to pkapoor

‎11-09-2004 01:18 PM

Hi, and thank you for taking the time to give me that suggestion.

Trouble is that the issue seems to have been resolved by a configuration change on the PIX at the remote end. Apparently the connections are now seemless and word everytime.

I would have liked to have a little more time with the equipment, but it has all gone back into production.

thanks very much for your answer because it makes sence and i will look to try it the next time...

0 Helpful
Customers Also Viewed These Support Documents