04-01-2012 11:30 AM
We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?
Sent from Cisco Technical Support iPhone App
04-01-2012 10:26 PM
Hi,
What kind of issues? Do you mean that the VPN Client connection forms but nothing works? Or doesn't the VPN even connect?
Maybe there's some problem related to DNS since you are using full tunnel?
04-01-2012 11:07 PM
Yes, the connection forms but nothing works.
Sent from Cisco Technical Support iPhone App
04-01-2012 11:14 PM
Hi,
What are you trying to reach at the remote site? Do you use an IP address or DNS name to connect?
Is there a possibility that using full tunnel cuts connection to something essential on your local network? (or perhaps just DNS queries don't go through)
Have you checked the client's counters if there are any packets arriving from the remote system through VPN during the full-tunnel connection?
I assume the split-tunnel connections are taken to a totally different network OR does the remote site have several VPN profiles usable?
- Jouni
04-02-2012 11:26 AM
Hello,
I will try to give you a few more details. We are using an ASA5510 and we are trying to connect to a customer who is using an older 3000 concentrator (I think). The profile is configured to connect to the remote site using an IP address. The connection seems to form and you can see packets being sent but no packets are being received. I don't have very much info on the remote site. I have never used full tunnel before so I am not exactly sure what steps take place during the whole full tunnel process.
04-02-2012 12:24 PM
Hi,
Reading through your reply it seems to me that you are talking about a L2L VPN (LAN to LAN VPN) and not a VPN Client connection? Since you mention it's between an ASA and 3000 series VPN concentrator.
If the actual VPN connection forms and you can see packets going from your ASA to the VPN tunnel but no return traffic is received it would seem the remote end either blocks traffic, there isn't a correct route for return traffic on the remote end or the remote end host just doesn't respond.
If someone else is responsible for the remote end devices and configurations I would suggest contacting them. Maybe generating some test traffic and asking them to check logs at their end to see what's happening to the traffic.
Though you can also check what happens to the traffic by looking at the ASA logs (perhaps easier looking through the ASDM Monitor window with filter applied to the remote host IP)
- Jouni
04-02-2012 03:43 PM
Hello,
I'm sorry if I have confused you. I am referring to a VPN client connection. The issue occurs when we try to connect to the remote customer site using a laptop with the Cisco VPN Client from behind our firewall. The odd thing is that when the user takes the laptop outside the company, he is able to connect to the remote customer using the VPN client. This made me assume that the issue lies within my environment. I have this same issue when a couple of our customers are visiting our office and they try to VPN into their corporate office using a full tunnel.
04-02-2012 03:54 PM
Hi Daryl,
Can you please post the output of :-
sh run | inc nat-traversal
Manish
04-03-2012 07:42 AM
When running that command, there is no output.
Sent from Cisco Technical Support iPhone App
04-10-2012 11:00 AM
Sorry for the late reply ... your message ended up in Spam in my Gmail.
You need to enable the following in your firewall so that other people's VPN can work :-
crypto isakmp nat-traversal
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300
Thanks
Manish
04-16-2012 03:10 PM
It turns out that we do have it enabled already. You have to use sh run all | in nat-traversal in order to see it:
c5510-MAIN-FW# sh run all | in nat-traversal
crypto isakmp nat-traversal 20
04-17-2012 01:55 PM
Hi all,
I need to recap the problem symptoms first: "you have an EasyVPN server at the remote branch and you can successfully establish a connection to that branch from outside your office,
but when trying to establish two connections from your office it fails" (this means that only one is working at a time !!!!)
If only one works at a time, it will be a PAT issue on your ASA, because it couldn't map the two sessions at the same time.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_qanda_item09186a00801c2dbe.shtml#nat
please let me know if that helps you.
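To make the PAT point above concrete, here is a small Python model, added here and not code from the thread or from Cisco, of why plain PAT can carry only one ESP (IP protocol 50) session to a given peer at a time while NAT-T sessions wrapped in UDP/4500 each get their own outside port; it also parses the "sh run all | in nat-traversal" output quoted earlier in the thread. The PAT table, the outside address and the absence of any ESP pass-through helper are simplifying assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

ESP = 50           # IP protocol 50: ESP rides directly on IP, it has no port numbers
UDP = 17
NAT_T_PORT = 4500  # with NAT-T negotiated, IKE and ESP are wrapped in UDP/4500

@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    src_port: int | None   # None for ESP, which carries no port field
    dst_ip: str

class PlainPat:
    """Simplified PAT table: one outside IP, reverse lookups keyed on
    (proto, peer, outside_port). Assumes no IPsec/ESP pass-through helper."""
    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip, self.next_port, self.table = outside_ip, first_port, {}

    def translate(self, flow: Flow):
        """Return the outside key for a new inside->outside flow, or None when
        PAT cannot map the peer's replies back to exactly one inside host."""
        if flow.src_port is None:
            key = (flow.proto, flow.dst_ip, None)      # nothing to rewrite
            owner = self.table.get(key)
            if owner is not None and owner != flow.src_ip:
                return None                            # second ESP session collides
        else:
            key = (flow.proto, flow.dst_ip, self.next_port)  # unique outside port
            self.next_port += 1
        self.table[key] = flow.src_ip
        return key

def clients_that_connect(inside_clients, vpn_server_ip, nat_t_negotiated):
    """Which inside clients get a usable tunnel to the same VPN server."""
    pat = PlainPat("203.0.113.10")   # constructed outside address (documentation range)
    working = []
    for client in inside_clients:
        flow = (Flow(UDP, client, NAT_T_PORT, vpn_server_ip) if nat_t_negotiated
                else Flow(ESP, client, None, vpn_server_ip))
        if pat.translate(flow) is not None:
            working.append(client)
    return working

def nat_t_keepalive(show_run_all: str):
    """Parse 'show run all | in nat-traversal' output; returns the keepalive
    interval in seconds, or None when NAT-T is absent or negated ('no ...')."""
    m = re.search(r"^crypto isakmp nat-traversal(?: (\d+))?$", show_run_all, re.M)
    return int(m.group(1) or 20) if m else None   # ASA default keepalive is 20 s
```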
04-25-2012 05:24 PM
I just wanted to post an update for any others out there following this thread. It turns out that the issue was that the remote site did not have NAT-T enabled. This explained why we could connect to the remote site and access their resources from outside the LAN but when connected to our LAN we could not.
I guess my next thought would be how would you deal with the situation if the remote site didn't want to enable NAT-T.
Sent from Cisco Technical Support iPhone App