Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
294
Views
0
Helpful
3
Replies

VPN client to PIX over ADSL problem

milan.kulik
Level 10
Level 10

‎12-29-2004 01:34 AM - edited ‎02-21-2020 01:31 PM

Hi,

I've installed IPSec remote VPN connection to PIX using Cisco VPN client 4.6.

Everything works fine:

User dials to the Internet, receives an IP address from his ISP, connects to the PIX, authenticates to TACACS server and is able to connect to the headquarters network.

BUT one of my users uses an ADSL connection to the Internet instead of dialing. And he complains that often it takes up to 10 minutes to be able to get into the headquarters network.

Details: He receives the xauth prompt, types his password, password is accepted and the VPN client window minimized - so it looks he's connected OK.

But when trying to Ping to any headquarters server - no reply. The strange thing is after some time (cca 5 minutes) everything works fine.

I thought it might be an MTU problem. So I decreased MTU to 1300 bytes on PIX and also on the client. But no progress.

The ADSL router used is Lucent Cellpipe-22A-BX.

My PIX is running 6.3(4) with NAT-traversal enabled.

There has to be something wrong with the ADSL connection. When the user dials from the same PC to the Internet, everything works fine...

Any idea?

Thanks,

Milan

Labels:
0 Helpful
3 Replies 3

ehirsel
Level 6
Level 6

‎12-29-2004 08:55 AM

How is the user doing the ping - by name or ip address?

Do you allow for split-tunnelling?

There may be an issue with dns unqualified name resolution when using the adsl connection, so have the user try this test when connecting by adsl:

1. Once authenticated, open a command prompt windo and run the ipconfig /all command and list all connection specific dns suffixes, and the dns search order.

2. Have the user run these commands:

nslookup serverxyz

nslookup serverxyz.domain (where serverzyz and domain are the host and dns domain at the pix network site).

See if there is any difference in the nslookup answers, and if you note anything wrong in the dns info.

I think that after 5 min. everything works okay as the win client dns cache as the answeres, thus removing the need for more dns lookups.

One item I noted in my environment is that for ms win 2000 clients, the dns setting use parent or pri connection does not work, and we had to add an explicit search order.

Let me know if this helps.

0 Helpful

milan.kulik
Level 10
Level 10
In response to ehirsel

‎12-29-2004 11:08 PM

Thanks for the idea, but I'm afraid this is not a DNS problem.

The ping is done by IP address.

Split tunneling is not allowed.

The problem is also hardly reproducible:

I tried to start debug on my PIX console and asked the user to login. Everything worked OK, the delay between xauth password accepted and a successful ping was about 20 seconds.

This happened three times.

The user says it's better now, the delay is under two minutes.

But still there is some delay which I think should not exist at all.

Regards,

Milan

0 Helpful

ehirsel
Level 6
Level 6
In response to milan.kulik

‎01-01-2005 06:21 PM

Try this: Have the user run the netstat -rn command two times after they connect via ADSL, once before they launch the vpn client and once afterward. If that is not possible, then run it after they connect. I wonder if there is a route table entry that still points to the user's local lan instead of the corp. network.

Let me know what you find.

0 Helpful
Customers Also Viewed These Support Documents