Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1181
Views
0
Helpful
8
Replies

VPN over gprs

tamasfromhungary
Level 1
Level 1

‎02-23-2007 07:00 PM - edited ‎02-21-2020 02:53 PM

Hi everyone!

I have set up vpn remote tunnel from xp sp2 with easyvpn client to an asa 5510 head. The connection works from cable remotes, but not over a gprs connection.

Since ping works, I assumed it might be MTU related so I kept decreasing the mtu on both the gprs network interface and on that of the easyvpn. However, nothing happened (I got as low as MTU 500).

Our service provider uses private addresses so nat-t is set. the client connects, asks for the username with xauth, the connection seems to establish, but the tcp connections usually stop at SYN/ACK or ACK.

On the out1 IF of the head pre-fragmentation is enabled and DF bit is set to clear. I was thinking about decreasing the mtu on the out1 interface, but since the device is localted at a data center and is serving traffic on the same outside inferface, I was afraid that lowering the mtu on the out1 would result in slower transfers / higher cpu utilization of the fw.

What else should I try?

Any help is greatly appreciated.

Regards

Tamas

Labels:
0 Helpful
8 Replies 8

jmia
Level 7
Level 7

‎02-24-2007 04:51 AM

Hello Tamas,

Q. One the vpn client - is the firewall option enabled? if it is then please turn this off. Also is the XP firewall enabled??

And you have NAT-T for isakmp enbled at your ASA?

Jay

0 Helpful

tamasfromhungary
Level 1
Level 1
In response to jmia

‎02-26-2007 04:25 AM

Thanks for helping. Yes built in the firewall is enabled, but since the config works on broadband this is probably not the cause.

The problem is only over gprs so that why I thought this might be network related rather than config issue

regards

Tamas

0 Helpful

tamasfromhungary
Level 1
Level 1
In response to tamasfromhungary

‎02-27-2007 05:08 AM

Since it seems, that no one has any ideas, I am going to try to reduce the mtu on the outside interface. I have read somewhere the mtu site does not affect the packet passing through. so does anyone know if the reduction of the mtu on the outside if will reduce performance from and to the webserver on an other interface?

0 Helpful

stewartrc
Level 1
Level 1
In response to tamasfromhungary

‎02-27-2007 08:25 AM

Which Access point are you using and what GPRS provider> If it is Cingular you must use isp.congular wap.cingular is not compatible with VPN connections.

0 Helpful

tamasfromhungary
Level 1
Level 1
In response to stewartrc

‎02-27-2007 01:23 PM

It's a European T-Mobile network, the Internet works fine, I get a full nat'ed net access. It's just the vpn (icmp works but nothing else).

0 Helpful

l.jankok
Level 1
Level 1
In response to tamasfromhungary

‎08-06-2007 12:04 PM

I was wondering if you did succedd in getting this working.

Regards

Luc

0 Helpful

electoolhungary
Level 1
Level 1
In response to l.jankok

‎08-07-2007 03:53 AM

Hi!

it was one of those problems that mysteriously solved itself. I talked to the GSM provider and they told me that they did some modifications in their network config.

Now we are using a totally stock IPSec over UDP tunnel and it works fine even though we get private IP from the telco.

regards

Tamas

0 Helpful

l.jankok
Level 1
Level 1
In response to electoolhungary

‎08-07-2007 04:26 AM

You are totally right. We have several providers here in the Netherlands and I was trying this with exactly the one which doesn'r work (Vodafone). With exactly the same windows mobile with exactly the same config but on a different provider I had no problems. Thanks :)

0 Helpful
Customers Also Viewed These Support Documents