Remote access VPN problem

maziusas1
Level 1

Hello,

I have a problem with Remote Access VPN. The client says that he can connect to the VPN, but cannot connect via SSH to my network address. I tried connecting to the same VPN from my Android phone; the connection was successful, and I could successfully connect to my network address. Where can the problem be?

I use a Cisco ASA 5555; the client uses Cisco Systems VPN Client. We tried another client, but the result is the same.

The client also sent me the VPN log, and I found this error:

AddRoute failed to add a route with metric of 0: code 160

Is the problem in the client computer or network, or can the problem be in my ASA configuration?

13 Replies

I think the problem is with the client. I suggest:

1. Uninstall the Cisco Remote Access VPN client

2. Reboot the PC

3. Install the Cisco Remote Access VPN client

4. Reboot the PC

5. Test the VPN connection

--

Please remember to select a correct answer and rate helpful posts


I told the customer to reinstall the program. We also tried from a computer outside, connecting to these addresses: the VPN tunnel is created successfully, but we cannot connect to inside IP addresses. The connection only works with the Android device.

Have you tested it with any other PC?

Once the VPN is connected, you could run Wireshark on the VPN adapter and the local adapter to see what path the packets are taking. That way you will be able to determine whether the packets are being encrypted or not.

If the packets are taking the local circuit instead of the VPN adapter, then try reinstalling the client as suggested by Marius.

If the packets are going through the VPN interface then do packet captures on the inside of the ASA to see if the packets are being sent out.

Also try doing an asp-drop capture; that will show you whether the ASA is dropping the packets in flow.

#capture asp type asp-drop all

#show cap asp | in <client IP>

You could also check the decrypt counts to see if the tunnel is decrypting any packets.

#show crypto ipsec sa peer <client's public IP>

If the decaps are 0, then try an ESP capture on the outside of the ASA to see whether you receive any ESP packets or UDP port 4500 packets on the outside from this client PC.

#capture capout interface outside match ip host <ASA's WAN IP> host <client's public IP>

#show cap capout


Please remember to select a correct answer and rate helpful posts
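The decision tree in the post above (decaps 0 means nothing reaches the ASA; decrypt without encrypt means the reply never comes back) can be applied mechanically to the counters in the `show crypto ipsec sa peer` output. The following is an added example, not code from the thread or from Cisco; the sample output is constructed, with 198.51.100.7 and 203.0.113.10 as stand-ins for the client's public IP and the ASA's WAN IP.

```python
import re

# Constructed excerpt in the shape of ASA 'show crypto ipsec sa peer' output; addresses and
# counters are made up, with 198.51.100.7 standing in for the client's public IP.
SAMPLE_SA = """\
peer address: 198.51.100.7
    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.201.212/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 142, #pkts decrypt: 142, #pkts verify: 142
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def sa_counters(text):
    """Sum encaps (ASA -> client) and decaps (client -> ASA) across every SA in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals

def next_step(text):
    """Map the counters to the next capture the thread suggests taking."""
    c = sa_counters(text)
    if c["decaps"] == 0:
        return "no-decaps"    # nothing arrives: capture ESP / UDP 4500 on the ASA outside interface
    if c["encaps"] == 0:
        return "one-way"      # client traffic is decrypted but no reply is encrypted: capture inside, check asp-drop
    return "bidirectional"    # traffic flows both ways: look at the host, ACLs or routing instead
```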

Raja Periyasamy
Level 1

After getting connected, what type of traffic are you trying to send over the tunnel to your internal IP? What device is this IP on?

Check the Route Details on the client under Statistics after connecting, and check whether all the subnets in the split ACL are populated there.


The client tries to connect to the server via SSH, port 22.
When the client connects, this information is added to the routes:

     172.17.134.2  255.255.255.255         On-link   192.168.201.212     31    server IP address
    172.17.134.15  255.255.255.255         On-link   192.168.201.212     31    server IP address
  192.168.201.212  255.255.255.255         On-link   192.168.201.212    286    client local IP address in my network
        213.X.X.X  255.255.255.255    10.10.64.201       10.10.64.71     11    VPN address

In my network the default gateway is 192.168.200.253, but for some reason I think that the VPN takes 192.168.201.212 as the default gateway.
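The two checks Raja asks for (are the split-ACL hosts present in the client's route table, and do they leave via the VPN adapter) and the poster's worry about the default gateway can be read straight from the `route print` rows above. This is an added example, not code from the thread or from Cisco; it assumes 192.168.201.212 is the address the ASA assigned to the VPN adapter, and the sample rows are constructed from the ones quoted, with the 0.0.0.0 default route added.

```python
import ipaddress
from collections import namedtuple

# network: ipaddress.IPv4Network; gateway: "On-link" or next hop; interface: local adapter address
Route = namedtuple("Route", "network gateway interface metric")
# Constructed sample modelled on the 'route print' rows quoted above; the 0.0.0.0 row is assumed,
# and the 213.X.X.X row is the thread's own redaction, which the parser skips.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0     10.10.64.201      10.10.64.71      25
     172.17.134.2  255.255.255.255          On-link  192.168.201.212      31
    172.17.134.15  255.255.255.255          On-link  192.168.201.212      31
  192.168.201.212  255.255.255.255          On-link  192.168.201.212     286
        213.X.X.X  255.255.255.255     10.10.64.201      10.10.64.71      11
"""
SPLIT_ACL = ["172.17.134.2/32", "172.17.134.15/32"]  # the two hosts named in the thread

def parse_route_print(text):
    """Keep 5-column IPv4 rows of 'route print'; headers and redacted/malformed rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            routes.append(Route(net, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return routes

def check_split_tunnel(text, split_networks, vpn_adapter_ip):
    """Per split network: 'missing', 'via-vpn' (interface is the ASA-assigned address) or 'via-other:<if>'."""
    routes = parse_route_print(text)
    report = {}
    for net in split_networks:
        want = ipaddress.ip_network(net, strict=False)
        matched = [r for r in routes if r.network == want]
        if not matched:
            report[net] = "missing"
        elif all(r.interface == vpn_adapter_ip for r in matched):
            report[net] = "via-vpn"
        else:
            report[net] = "via-other:" + matched[0].interface
    return report

def default_route_interface(text):
    """Interface of the lowest-metric 0.0.0.0/0 route, or None: did the default gateway move to the VPN?"""
    defaults = [r for r in parse_route_print(text) if r.network.prefixlen == 0]
    return min(defaults, key=lambda r: r.metric).interface if defaults else None
```

On a real client, paste the IPv4 Route Table section of `route print` into `SAMPLE_ROUTES` and the networks from the ASA's split-tunnel ACL into `SPLIT_ACL`.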

Are you tunneling all traffic or do you have split tunneling configured?

--

Please remember to select a correct answer and rate helpful posts


I have configured split tunneling for these IP addresses: 172.17.134.2 and 172.17.134.15.

You say the connection was successful from the PC and the Android phone. What device is the client using?

--

Please remember to select a correct answer and rate helpful posts


No, the connection was successful only from the Android phone; the client is using a PC.

I suspect that something is wrong with the customer's computer or his network ...

Was the Android phone connected to the client's wireless, or was it connected via the phone provider's internet service? It could very well be that the client network is blocking ports 500 and 4500.

Can your client test with a laptop from within the network and outside the network (from his/her home, for example)? If the client fails to connect while inside the network but is able to connect from home, it is definitely the client network.

--

Please remember to select a correct answer and rate helpful posts


Now we really know that the problem is on the client side, because we tried to connect from home, and the VPN connection and the SSH connection were successful.

The client says that he tried connecting from different computers, but the result is the same: the VPN connection is successful, but SSH does not connect.

What other problems apart from port blocking can there be?

Do they do any kind of deep packet inspection at your client's network?

Normally if you establish a VPN from within a network it will pass through all network devices encrypted and the payload should not be touched.

Are you sure that the client is getting an IP address through the VPN when he/she is located within the network? That would be worth checking, as I have seen in some very rare cases that the VPN seems to connect but the client is not issued an IP.

--

Please remember to select a correct answer and rate helpful posts


We solved the problem. From home we connected with a laptop running Windows XP, while the client is using Windows 7; this is a Windows 7 problem, some updates are blocking the connection.

Thank you for the help and discussion :)
