VPN connection fails using full tunnel

darylharrington
Level 1

We are using a 5510 and have issues trying to use VPN with full tunnel to connect from inside the firewall to a customer site. I don't seem to have a problem when using split tunnel profiles. How would you troubleshoot this?

Sent from Cisco Technical Support iPhone App

12 Replies

Jouni Forss
VIP Alumni

Hi,

What kind of issues? Do you mean that the VPN Client connection forms but nothing works? Or doesn't the VPN even connect?

Maybe there's some problem related to DNS since you are using full tunnel?

Yes, the connection forms but nothing works.

Sent from Cisco Technical Support iPhone App

Hi,

What are you trying to reach at the remote site? Do you use an IP address or a DNS name to connect?

Is there a possibility that using full tunnel cuts the connection to something essential on your local network? (or perhaps just DNS queries don't go through)

Have you checked the client's counters to see if there are any packets arriving from the remote system through the VPN during the full-tunnel connection?

I assume the split-tunnel connections are made to a totally different network, OR does the remote site have several VPN profiles usable?

- Jouni

Hello,

I will try to give you a few more details. We are using an ASA5510 and we are trying to connect to a customer who is using an older 3000 concentrator (I think). The profile is configured to connect to the remote site using an IP address. The connection seems to form and you can see packets being sent, but no packets are being received. I don't have very much info on the remote site. I have never used full tunnel before, so I am not exactly sure what steps take place during the whole full tunnel process.

Hi,

Reading through your reply, it seems to me that you are talking about an L2L VPN (LAN-to-LAN VPN) and not a VPN Client connection, since you mention it's between an ASA and a 3000 series VPN concentrator.

If the actual VPN connection forms and you can see packets going from your ASA to the VPN tunnel but no return traffic is received, it would seem the remote end either blocks traffic, there isn't a correct route for return traffic on the remote end, or the remote end host just doesn't respond.

If someone else is responsible for the remote end devices and configurations, I would suggest contacting them. Maybe generate some test traffic and ask them to check logs at their end to see what's happening to the traffic.

Though you can also check what happens to the traffic by looking at the ASA logs (perhaps easier looking through the ASDM Monitor window with filter applied to the remote host IP)

- Jouni

Hello,

I'm sorry if I have confused you. I am referring to a VPN client connection. The issue occurs when we try to connect to the remote customer site using a laptop with the Cisco VPN client from behind our firewall. The odd thing is that when the user takes the laptop outside the company, he is able to connect to the remote customer using the VPN client. This made me assume that the issue lies within my environment. I have this same issue when a couple of our customers are visiting our office and they try to VPN into their corporate office using a full tunnel.

Hi Daryl,

Can you please post the output of:

sh run | inc nat-traversal

Manish

When running that command, there is no output.

Sent from Cisco Technical Support iPhone App

Sorry for the late reply ... your message ended up in Spam in my Gmail.

You need to enable the following in your firewall so that other people's VPN can work:

crypto isakmp nat-traversal

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300

Thanks

Manish

It turns out that we do have it enabled already. You have to use sh run all | in nat-traversal in order to see it.

c5510-MAIN-FW# sh run all | in nat-traversal

crypto isakmp nat-traversal 20

Hi all,

I need to recap the problem symptoms first: "you have an EasyVPN server at the remote branch and you can successfully establish a connection to that branch from outside your office,

but when trying to establish two connections from your office it fails (this means that only one works at a time!!!!)"

If only one works at a time, it will be a PAT issue on your ASA, because it couldn't map the two sessions at the same time.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_qanda_item09186a00801c2dbe.shtml#nat

please let me know if that helps you.

darylharrington
Level 1

I just wanted to post an update for any others out there following this thread. It turns out that the issue was that the remote site did not have NAT-T enabled. This all explained why we could connect to the remote site and access their resources from outside the LAN, but when connected to our LAN we could not.

I guess my next thought would be how would you deal with the situation if the remote site didn't want to enable NAT-T.

Sent from Cisco Technical Support iPhone App
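As an added illustration of the thread's conclusion (this is example code written for this page, not anything from Cisco or from the posters), the toy model below shows why a full-tunnel IPsec client behind a PAT firewall sends packets but receives nothing when the remote peer does not support NAT-T. ESP (IP protocol 50) carries no port numbers, so a PAT device has nothing to key its translation table on for the return packets; NAT-T wraps ESP in UDP/4500, which PAT handles like any other UDP flow. The model also includes a simplified "ESP passthrough" mode keyed on the peer address only, which reproduces the observation that at most one inside client at a time can work. All addresses, the clients and the peer are constructed values; the firewall logic is a deliberately minimal stand-in for real PAT behaviour.

```python
from dataclasses import dataclass
from typing import Optional

ESP = 50           # IP protocol number for ESP: no port fields at all
UDP = 17
NAT_T_PORT = 4500  # UDP port NAT-T uses to encapsulate ESP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for ESP, which has no ports
    dport: Optional[int] = None


class PatFirewall:
    """Minimal PAT model (constructed for this example): every outbound
    packet leaves with one outside address, and inbound packets are only
    delivered if a translation table entry matches them."""

    def __init__(self, outside_ip: str, esp_passthrough: bool = False):
        self.outside_ip = outside_ip
        self.esp_passthrough = esp_passthrough
        self.next_port = 1024
        self.udp_xlate = {}   # (inside_ip, sport, peer, dport) -> outside sport
        self.udp_back = {}    # (outside sport, peer, dport) -> (inside_ip, sport)
        self.esp_back = {}    # peer -> inside_ip (passthrough mode only)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.udp_xlate:
                # Each inside flow gets its own outside port: this is the
                # field NAT-T gives the firewall to tell the clients apart.
                self.udp_xlate[key] = self.next_port
                self.udp_back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return Packet(self.outside_ip, pkt.dst, UDP, self.udp_xlate[key], pkt.dport)
        if pkt.proto == ESP:
            if self.esp_passthrough:
                # Only the peer address is available as a key, so a second
                # client to the same peer silently overwrites the first.
                self.esp_back[pkt.dst] = pkt.src
            return Packet(self.outside_ip, pkt.dst, ESP)
        raise ValueError("unsupported protocol")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated inside packet, or None if PAT drops it."""
        if pkt.proto == UDP:
            hit = self.udp_back.get((pkt.dport, pkt.src, pkt.sport))
            if hit is None:
                return None
            inside_ip, sport = hit
            return Packet(pkt.src, inside_ip, UDP, pkt.sport, sport)
        if pkt.proto == ESP:
            # Without ports there is no table entry to match: dropped,
            # unless the passthrough shortcut recorded a single inside host.
            inside_ip = self.esp_back.get(pkt.src)
            return Packet(pkt.src, inside_ip, ESP) if inside_ip else None
        return None


def simulate(nat_t: bool, esp_passthrough: bool = False,
             clients=("10.0.0.11", "10.0.0.12"), peer="203.0.113.5") -> dict:
    """Each client sends one tunnel packet to the peer; the peer answers each
    one it saw. Returns, per client, whether the reply made it back inside."""
    fw = PatFirewall("198.51.100.1", esp_passthrough)
    seen_by_peer = []
    for c in clients:
        if nat_t:
            out = fw.outbound(Packet(c, peer, UDP, NAT_T_PORT, NAT_T_PORT))
        else:
            out = fw.outbound(Packet(c, peer, ESP))
        seen_by_peer.append(out)
    delivered = {c: False for c in clients}
    for out in seen_by_peer:
        reply = Packet(out.dst, out.src, out.proto, out.dport, out.sport)
        back = fw.inbound(reply)
        if back is not None:
            delivered[back.dst] = True
    return delivered


if __name__ == "__main__":
    print("NAT-T, two clients:        ", simulate(nat_t=True))
    print("plain ESP, two clients:    ", simulate(nat_t=False))
    print("ESP passthrough, two:      ", simulate(nat_t=False, esp_passthrough=True))
    print("ESP passthrough, one:      ", simulate(nat_t=False, esp_passthrough=True,
                                                  clients=("10.0.0.11",)))
```

The first run delivers replies to both clients; the second delivers to neither, which is the "packets sent, none received" symptom from the thread; the passthrough runs deliver to one client only, matching the "only one works at a time" observation. On the question of what to do when the remote side will not enable NAT-T: the firewall in front of the clients has to track ESP flows itself (the ASA has an IPsec pass-through inspection for this, which is considerably smarter than the peer-keyed shortcut modelled here), or the clients have to be placed where no PAT sits between them and the peer.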