VPN failure?

mulhollandm
Level 1

Folks,

I'm having a strange issue.

I have a number of remote users running a recent version of the Cisco VPN client.

They connect over a dedicated ISP cloud to an ASA 5540 cluster running IOS 8.0.4.

The remote users are using a Netgear modem to connect to a broadband line, and each modem, after being authenticated, is allocated a static IP from an ACS 1113 SE on a DMZ.

Once the VPN is established the ASA passes down a profile with an IP, proxy, DNS etc.

My problem:

Some users are losing the IP connection even though the VPN client still shows the VPN is up, i.e. the padlock on the client software is up but they can't ping anything.

If I run Wireshark on my PC on the corporate LAN I can see the remote user's ping to my PC, and I can see the reply outbound on the ASA 5540 before it goes into the VPN tunnel.

I've tested a client, and when the connection dies the VPN padlock is still up but Wireshark on the client doesn't see an ICMP reply.

Strangely, an ipconfig on the remote client shows the client IP but a different address, on the same subnet, as the gateway.

I suspect this may be causing routing problems, but I can't see anything because of the encryption.

Has anyone seen this type of behaviour before, or have any suggestions on how to troubleshoot it?

Thanks to anyone taking the time to read this or reply, and my apologies for the overly detailed post.


ggilbert
Cisco Employee

Hello,

I read through your problem description and have some queries.

a. When you do an ipconfig on the remote client, you said the IP address is different? What do you mean by that?

When you did a Wireshark capture, did you see the packet coming from an IP address that is different from the client IP address assigned on the virtual adapter?

b. sh cry ipsec sa peer x.x.x.x

When you issue that command, do you see the encrypted packet count increment with the return packet sent to the ASA?

Can you please confirm that.

Thanks

Gilbert
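The check Gilbert asks for in (b) is to take the `show crypto ipsec sa peer` counters twice while the remote user is pinging and see which direction actually moves. The script below is an added example, not from this thread: it parses the `#pkts encaps` / `#pkts decaps` lines from two constructed snapshots (the counter values and peer address are made up) and classifies the tunnel as two-way, one-way or idle, so the return path can be pinned down to either the ASA side or the client side.

```python
"""Compare two 'show crypto ipsec sa peer' snapshots and flag one-way tunnels.

Added example, not from the thread. The snapshots are constructed to resemble
ASA output; the field names follow the real command, the numbers are made up.
"""
import re

# Constructed sample: same peer, a few seconds apart, while the client pings
# a host on the corporate LAN. Only decaps moves, so the ASA is decrypting the
# client's requests but encrypting no replies back into the tunnel.
SNAPSHOT_BEFORE = """
peer address: 203.0.113.10
  #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
  #pkts decaps: 1500, #pkts decrypt: 1500, #pkts verify: 1500
"""
SNAPSHOT_AFTER = """
peer address: 203.0.113.10
  #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
  #pkts decaps: 1540, #pkts decrypt: 1540, #pkts verify: 1540
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(text):
    """Return {'encaps': n, 'decaps': n} from one snapshot of the command output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def diagnose(before, after):
    """Classify traffic direction between two snapshots.

    On the ASA, decaps counts packets received from the client (its pings) and
    encaps counts packets sent back into the tunnel (the replies). Returns
    (status, packets_in, packets_out) where status is one of
    'bidirectional', 'inbound-only', 'outbound-only' or 'idle'.
    """
    b, a = parse_counters(before), parse_counters(after)
    pkts_in = a["decaps"] - b["decaps"]
    pkts_out = a["encaps"] - b["encaps"]
    if pkts_in > 0 and pkts_out > 0:
        return "bidirectional", pkts_in, pkts_out
    if pkts_in > 0:
        # Replies never enter the tunnel: look at routing / NAT on the LAN side.
        return "inbound-only", pkts_in, pkts_out
    if pkts_out > 0:
        # Replies are encrypted but nothing arrives: look at the path to the client.
        return "outbound-only", pkts_in, pkts_out
    return "idle", pkts_in, pkts_out


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

If the result is outbound-only while the client-side Wireshark shows no ICMP replies, the replies are being encrypted by the ASA and lost between the ASA and the client's virtual adapter, which matches the symptom described above.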

Gilbert,

Many thanks for your reply.

a. The results of the ipconfig were showing one address for the VPN adapter, i.e. 172.16.50.45, but the gateway was slightly different, i.e. 172.16.50.99.

Unfortunately this looks like a red herring, as some of those having connectivity issues have the same IP for both the adapter and the gateway.

The capture taken on the PC in the LAN saw ping requests coming from the remote client with the VPN adapter address, and the replies were sent back.

I can see the reply as far as the ASA where the VPN terminates.

b. I haven't got a user with problems during the day yet, but I will try this command.

Many thanks for your time and efforts.