VPN Clients unable to access LAN after connection is made

srkrehlik
Level 1

Hello everyone,

I had an unusual circumstance come up on an older PIX 525 (6.3(5)) recently and was wondering if anyone has seen this behavior before or possibly has a solution that is better than mine.

On a recent remote site visit we made a connection to our main office using ver 4.9 of the Cisco VPN Client for OS X. While we were working on a server, the MacBook went to sleep, shutting down the network interface the VPN Client was using.

From that point forward we were unable to establish any layer 3 connectivity to the LAN in our main office using that PIX as a VPN head end. Any connections that were attempted to that firewall would complete and be assigned a client IP from the correct pool, but without access to the LAN on the inside interface.

We tested this from multiple external locations using multiple systems, cleared SAs and even debugged IKE and IPsec using an alternate connection method. There were no errors reported on the firewall, but there was also no connectivity. A reboot later that day resolved the problem.

Any and all ideas are welcome / solutions that don't involve "reload" would be highly appreciated.

5 Replies

praprama
Cisco Employee

Hi Sascha,

It's an interesting situation. When you mentioned "reload", did you reload the client or the PIX?

Cheers,

Prapanch

The host(s) I used to test had their clients shut down and restarted a number of times to clear possible routing conflicts at the client machine. The final solution that resolved the problem was to issue the reload command during low-use hours that night, so rebooting the firewall. If you are referring to 'reload' with a definition of "to remove a software configuration and load a new version or copy", then nothing was reloaded. Please also note that this was not a new install or configuration for the firewall. We have been using client VPN on a daily basis with this gateway.

Hi Sascha,

It's interesting you had to reboot the PIX. Would it be possible for you to re-create the scenario again just to collect some outputs? It would be great if we could get some debugs, logs, captures, and ipsec and isakmp sa outputs from the firewall when the issue is seen, to see what's wrong.

Having said this, I would suggest that you open a TAC case to get this investigated further, if possible.

Cheers,

Prapanch
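
As an added illustration of what the "ipsec sa outputs" asked for above can tell you (this is not code from the thread or from Cisco), the script below parses text in the style of PIX/ASA `show crypto ipsec sa` and flags remote-access SAs whose inbound counters grow while the outbound counters stay at zero. That pattern matches the symptom in the original post: IKE and IPsec negotiate without errors and the client's packets are decrypted, but the firewall never encrypts anything back, which points at the inside side (return routing for the pool, NAT exemption, ARP) rather than at the tunnel itself. The sample output, peer and pool addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the style of "show crypto ipsec sa" (not captured from
# any real firewall). Client 192.0.2.10 exchanges traffic both ways; client
# 192.0.2.11 only has packets decrypted and never gets anything back.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr: 198.51.100.1

      local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
      current_peer: 203.0.113.5
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

      local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.2.11/255.255.255.255/0/0)
      current_peer: 203.0.113.9
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 342, #pkts decrypt: 342, #pkts verify: 342
"""

# "remote ident" starts a new SA pair; the client's pool address is the first
# field of the tuple. The public peer and the two direction counters follow.
CLIENT_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
PEER_RE = re.compile(r"current_peer:\s*([\d.]+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split show-crypto-ipsec-sa text into one record per SA pair."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            current = {"client": m.group(1), "peer": None, "encaps": 0, "decaps": 0}
            records.append(current)
            continue
        if not current:
            continue  # header lines before the first SA
        m = PEER_RE.search(line)
        if m:
            current["peer"] = m.group(1)
            continue
        # encaps = packets the firewall encrypted toward the client,
        # decaps = packets it received from the client and decrypted.
        for name, value in COUNTER_RE.findall(line):
            current[name] = int(value)
    return records


def classify(sa: Dict[str, object]) -> str:
    """Describe the traffic pattern of one SA pair from its counters."""
    enc, dec = int(sa["encaps"]), int(sa["decaps"])
    if enc and dec:
        return "ok"
    if dec and not enc:
        return "inbound-only"   # client sends, LAN side never answers
    if enc and not dec:
        return "outbound-only"  # firewall sends, nothing arrives from client
    return "idle"


def find_one_way_clients(text: str) -> List[str]:
    """Pool addresses whose traffic is decrypted but never answered."""
    return [str(sa["client"]) for sa in parse_ipsec_sa(text)
            if classify(sa) == "inbound-only"]


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa['client']:<14} via {sa['peer']:<14} "
              f"encaps={sa['encaps']:<5} decaps={sa['decaps']:<5} {classify(sa)}")
    print("one-way clients:", find_one_way_clients(SAMPLE_OUTPUT))
```

Because the counters are cumulative, clear them first (`clear crypto ipsec sa`) and then generate traffic from the affected client, so that a stale session does not mask the pattern; an SA that goes inbound-only across several fresh connections, with no IKE or IPsec debug errors, is the evidence a TAC case would want alongside the debugs.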

Prapanch,

We won't have the opportunity to recreate this issue any time soon. It's a full production unit and the issue was limited to this single incident. It was more of a curiosity and I was wondering if anyone else had seen it before. Just so you are aware, I posted the situation to the last "Ask the Expert" session with Kureli (/thread/206088) and we both came to the conclusion that debugs would have been good to have. Even Kureli had not seen this issue before. Had the day of the incident been a networking-related day we would have captured some debugs, but the VPN was incidental to the work we were doing.

- Sascha

ruliffilur
Level 1

I've got the same problem on an ASA 5510 running OS 8.22. Since about two weeks ago some users have had major problems connecting: they can connect with the client but can't pass any traffic inside to our LAN. The strange thing is that some users can log in without any problems at all and others can't access anything at all. One interesting thing was that one user was at home on her own WLAN and could connect from there to us without any problems at all; then she brings her laptop to work on their LAN and the VPN connection fails, as for many others.

Another issue I have is that we have several ASA 5505s acting as VPN boxes that connect some of our remote sites. Now I am about to set up another one of these 5505s, but this latest 5505 can connect to the VPN server and does not get an IP address from the IP pool in the 5510; however, all our other 5505s work fine, since they were set up long ago.

Is a reboot of the ASA the only solution?

//Rulif