Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
419
Views
2
Helpful
2
Replies

strange problem -some VPN users no longer able to connect to inside network

mitchen
Level 2
Level 2

‎06-09-2006 03:33 AM - edited ‎02-21-2020 02:27 PM

Hi,

for months (if not years!) our users have been happily connecting over the VPN to our corporate HQ.

However, this morning, we encountered a strange problem that only seemed to affect a few users.

The users complained that they had got authenticated over the VPN ok but could not access anything inside our network.

Meanwhile though, other users were connected happily, as normal.

When I ran a "sh uauth" on the PIX515E firewall running 6.3(5) that we have, I could see the "working" users were authenticated with an IP address allocated correctly from our IP address pool.

The "problem" users were also showing as authenticated - however, instead of having an IP address from the pool, the IP address was still showing as their own public IP address.

There were plenty spare addresses in the address pool so there were definitely addresses available to be allocated.

For the problem users, if they checked their IP config, it appeared to them that they HAD got allocated an address from our pool - but, for some reason, the PIX did not seem to recognise that it had allocated an address to them - therefore, no traffic could be routed from our network to these particular users.

I carried out a reboot of the PIX and the problem was resolved.

Nothing had been changed on the PIX config and there didn't seem to be any pattern to the users affected (eg some were using their home broadband connection, some using 3G cards - meanwhile other users were connected without problem via the same methods)

Does anyone know any more about what this problem was and why it should suddenly have affected us?

Is there any other way to resolve it? i.e. something less drastic than a complete reboot?

Thanks.

Labels:
0 Helpful
2 Replies 2

m.sir
Level 7
Level 7

‎06-09-2006 04:28 AM

It looks like NAT traversal issue

Try ond firewall following command:

PIX(config)# isakmp nat-traversal 20

M.

Hope that helps , rate if it does

mitchen
Level 2
Level 2
In response to m.sir

‎06-09-2006 05:02 AM

Hi,

thanks for the help - I had also checked in case it was a NAT Traversal issue and this command was already in the PIX config when we experienced the problem.

I don't think this can be a configuration issue at all as things just suddenly stoppped working for some users, not others, and there had been no change to the config.

A reboot sorted it out - but the config before and after the reboot is exactly the same.

Its a very strange issue!

0 Helpful
Customers Also Viewed These Support Documents