11-22-2011 06:39 AM
Hey Guys,
I'm wondering if you could help me with a strange CVPN issue. I've got clients using the Cisco VPN Client (version 5.0.07.0290), and an ASA 5520 set up as the endpoint. 99% of the time this works great, so I'm pretty confident with the config, but there is one specific user who is having a problem (although sometimes it works ok for him). This user is connecting to the internet through a 3G dongle, and then trying to VPN in. I can see the connection being established, RADIUS authenticating his credentials, and the tunnel being set up without issue.
No data seems to pass through the tunnel, however. Lots of packets are sent, but none are ever received back. Looking at the VPN statistics on the client, I can see that Transparent Tunneling is inactive, so I'm presuming I've got a NAT issue somewhere. The output of sh vpn-sessiondb remote seems to confirm this (user1 is the problem user, user2 works fine):
Username     : user1                  Index        : 1332
Assigned IP  : 172.17.47.191          Public IP    : xxxx
Protocol     : IKE IPsec
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : Tunnel-Group-1         Tunnel Group : Tunnel-Group-1
Login Time   : 06:18:57 UTC Tue Nov 22 2011
Duration     : 0h:14m:41s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : user2                  Index        : 1333
Assigned IP  : 172.17.47.168          Public IP    : xxxx
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 147061                 Bytes Rx     : 141808
Group Policy : Tunnel-Group-1         Tunnel Group : Tunnel-Group-1
Login Time   : 06:31:03 UTC Tue Nov 22 2011
Duration     : 0h:02m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
As you can see, for the problem user, plain IKE/IPsec is negotiated, without NAT-T. Any ideas why this would happen? And why it would only happen on some occasions?
Thanks for any suggestions.
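The session listing above is the kind of thing worth checking across all connected users rather than one at a time. As an added example (not from the original post, and not an ASA or Cisco tool), the Python script below parses the two-column `show vpn-sessiondb remote` output and flags IPsec sessions that negotiated plain IKE/IPsec with no NAT-T, or that have passed no traffic since login. The sample text is constructed from the thread's two sessions plus a made-up third one; the public IPs are documentation addresses standing in for the redacted ones.

```python
"""Flag suspicious IPsec remote-access sessions in ASA `show vpn-sessiondb remote`
output. Added example, not Cisco code; the sample below is constructed."""
import re

# Constructed sample modelled on the thread. user1 and user2 mirror the post;
# user3 is invented to show a session that negotiated NAT-T but is one-way.
SAMPLE = """\
Username     : user1                  Index        : 1332
Assigned IP  : 172.17.47.191          Public IP    : 203.0.113.10
Protocol     : IKE IPsec
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 0                      Bytes Rx     : 0
Group Policy : Tunnel-Group-1         Tunnel Group : Tunnel-Group-1
Login Time   : 06:18:57 UTC Tue Nov 22 2011
Duration     : 0h:14m:41s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : user2                  Index        : 1333
Assigned IP  : 172.17.47.168          Public IP    : 203.0.113.20
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 147061                 Bytes Rx     : 141808
Group Policy : Tunnel-Group-1         Tunnel Group : Tunnel-Group-1
Login Time   : 06:31:03 UTC Tue Nov 22 2011
Duration     : 0h:02m:35s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Username     : user3                  Index        : 1334
Assigned IP  : 172.17.47.170          Public IP    : 203.0.113.30
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : AES128 AES256          Hashing      : SHA1
Bytes Tx     : 5120                   Bytes Rx     : 0
Group Policy : Tunnel-Group-1         Tunnel Group : Tunnel-Group-1
Login Time   : 06:40:12 UTC Tue Nov 22 2011
Duration     : 0h:01m:05s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
"""

# Field names exactly as the ASA prints them. Longest names are tried first so
# "VLAN Mapping" is not cut short to "VLAN" and "Tunnel Group" beats nothing
# inside the value "Tunnel-Group-1" (the hyphens keep it from matching).
KEYS = ("Username", "Index", "Assigned IP", "Public IP", "Protocol", "License",
        "Encryption", "Hashing", "Bytes Tx", "Bytes Rx", "Group Policy",
        "Tunnel Group", "Login Time", "Duration", "Inactivity", "NAC Result",
        "VLAN Mapping", "VLAN")
KEY_RE = re.compile(
    r"\b(" + "|".join(sorted(map(re.escape, KEYS), key=len, reverse=True)) + r")\s*:\s*")

NO_NATT = "plain IKE/IPsec negotiated, no NAT-T (fine on a public IP, breaks behind NAT)"
NO_TRAFFIC = "no bytes in either direction since login"
ONE_WAY = "ASA has sent bytes to the client but received none back"


def parse_sessions(text):
    """Split the listing into one dict per session, keyed by the ASA field names.
    A line may carry two fields; values run up to the next field name, so a
    value like '06:18:57 UTC Tue Nov 22 2011' keeps its embedded colons."""
    sessions, current = [], None
    for line in text.splitlines():
        matches = list(KEY_RE.finditer(line))
        for i, m in enumerate(matches):
            end = matches[i + 1].start() if i + 1 < len(matches) else len(line)
            key, value = m.group(1), line[m.end():end].strip()
            if key == "Username":          # a new session starts with its username
                current = {}
                sessions.append(current)
            if current is not None:
                current[key] = value
    return sessions


def diagnose(session):
    """Return findings for one session; an empty list means it looks healthy."""
    findings = []
    proto = session.get("Protocol", "")
    tx, rx = int(session.get("Bytes Tx", "0")), int(session.get("Bytes Rx", "0"))
    # Only the IKE/IPsec transport matters here; NatT in the name means UDP 4500
    # encapsulation was negotiated, so raw ESP is not exposed to a NAT box.
    if "IPsec" in proto and "NatT" not in proto:
        findings.append(NO_NATT)
    if tx == 0 and rx == 0:
        findings.append(NO_TRAFFIC)
    elif rx == 0:
        findings.append(ONE_WAY)
    return findings


def report(text):
    """Map username -> findings, listing only sessions that have any."""
    out = {}
    for s in parse_sessions(text):
        findings = diagnose(s)
        if findings:
            out[s.get("Username", "?")] = findings
    return out


if __name__ == "__main__":
    for user, findings in report(SAMPLE).items():
        print(user)
        for f in findings:
            print("  -", f)
```

Run it against a saved copy of the command output (or paste the output into SAMPLE). The NAT-T finding on its own is only a hint: a client with a genuinely public address is expected to negotiate plain IPsec, so the interesting case is the combination of no NAT-T and zero bytes, which is exactly what user1 shows.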
11-22-2011 06:53 AM
I have seen the same issue with 3G connections - we have found that it is a driver issue between the Cisco VPN Client and the 3G USB device.
Solutions: change the 3G device for another vendor, use another VPN client (Shrew Soft works really well), or change the method of VPN access; we are considering moving to AnyConnect.
HTH