03-28-2005 11:16 AM - edited 02-21-2020 01:41 PM
This is very unusual. The pieces involved are 3030 concentrator and VPN client.
There are two "internal networks"; let's call them 172.16.0.0/16 and 172.19.0.0/16. When all works well, for about 1000 users both networks are reachable with pings and web applications on various internal hosts. You can verify that two SAs are formed by looking at the client statistics - little keys are by the Security Association.
But for some users, maybe 5%, they cannot reach the second internal network 172.19.0.0/16. All users are set up the same with a standard imaging process.
Here's the kicker - upgrading the firmware on the problem users home network devices or DSL/Cable modem resolves the problem most of the time.
I'm thinking different SAs form different GRE tunnels which could cause problems with NAT or how a device handles protocol 50. We are running NAT transparency over UDP so I "thought" this shouldn't be a problem.
Any ideas or anywhere to look? I've checked all routing and it looks good. Once the tunnel is up, the first internal network has no problems whatsoever, and again, almost all of the time, neither does the second one. But there is this nagging problem and it's become very difficult to troubleshoot.
Thanks in advance.
03-30-2005 01:04 AM
One question and one suggestion.
Question: What VPN protocol are you using, PPTP or IPsec?
Suggestion: Is there no way to supernet the 2 internal addresses so that they only represent one line in the ACL, hence 1 SA? It should not affect the routing, as the data will be decrypted and then forwarded on correctly.
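The supernetting suggestion above is worth checking with actual numbers before changing the crypto ACL or network list, because the smallest single prefix that covers both 172.16.0.0/16 and 172.19.0.0/16 is 172.16.0.0/14, which also pulls 172.17.0.0/16 and 172.18.0.0/16 into the tunnel. The following Python script is an added example, not code from the original thread or from Cisco; it computes the covering supernet, lists the address space the summary adds, and renders the before/after entries in network/wildcard-mask form (IOS-style crypto ACL entries and VPN 3000 network lists use that form; the exact line syntax shown is illustrative). The two /16 inputs are taken from the post above; everything else is constructed.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network


def covering_supernet(nets: Iterable[str]) -> IPv4Net:
    """Smallest single prefix that contains every network in nets."""
    networks = [ipaddress.IPv4Network(n) for n in nets]
    result = networks[0]
    for net in networks[1:]:
        # Widen the prefix one bit at a time until it contains net as well.
        while not result.supernet_of(net):
            result = result.supernet()
    return result


def extra_space(supernet: IPv4Net, nets: Iterable[str]) -> List[IPv4Net]:
    """Prefixes inside supernet that are NOT part of any original network.

    Traffic to these prefixes is selected for the tunnel once the summary is
    in place, so check they are unused or meant to be reachable through it.
    """
    remaining = [supernet]
    for net in (ipaddress.IPv4Network(n) for n in nets):
        kept = []
        for chunk in remaining:
            if net.supernet_of(chunk):
                continue                                  # chunk fully inside an original net
            if chunk.supernet_of(net):
                kept.extend(chunk.address_exclude(net))   # carve net out of chunk
            else:
                kept.append(chunk)                        # chunk untouched by this net
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def wildcard_entry(net: IPv4Net) -> str:
    """Network plus wildcard mask, the form crypto ACLs and network lists expect."""
    return f"{net.network_address} {net.hostmask}"


def summarize(nets: List[str]) -> Dict[str, object]:
    """Report the one-line summary and what it adds compared with the original lines."""
    sn = covering_supernet(nets)
    extra = extra_space(sn, nets)
    return {
        "before": [wildcard_entry(ipaddress.IPv4Network(n)) for n in nets],
        "after": wildcard_entry(sn),
        "supernet": sn,
        "extra_prefixes": extra,
        "extra_addresses": sum(p.num_addresses for p in extra),
    }


if __name__ == "__main__":
    # Networks from the thread; the concentrator currently has one entry (one SA) per line.
    report = summarize(["172.16.0.0/16", "172.19.0.0/16"])
    print("current entries (two SAs):")
    for line in report["before"]:
        print("  permit ip any", line)
    print("summarized entry (one SA):")
    print("  permit ip any", report["after"])
    print("address space the summary adds:")
    for p in report["extra_prefixes"]:
        print("  ", p)
    print("extra addresses selected for the tunnel:", report["extra_addresses"])
```

For the two networks in the thread the summary is 172.16.0.0 0.3.255.255, and the script reports 172.17.0.0/16 and 172.18.0.0/16 (131072 addresses) as newly tunnelled space. If nothing lives there that is harmless; if either range is in use elsewhere, a summary this wide is not the right fix and a single SA would have to come from renumbering instead.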
03-30-2005 05:58 AM
Thanks for the suggestion. I guess I could do one big summary.
The protocol is IPsec/ESP
05-23-2005 01:09 PM
This problem was resolved with an update of the VPN client software.